Analysis
-
max time kernel
171s -
max time network
176s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
arch:x64 arch:x86 image:win11-20240412-en locale:en-us os:windows11-21h2-x64 system -
submitted
17/04/2024, 19:18
Static task
static1
Behavioral task
behavioral1
Sample
c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
Resource
win10v2004-20240412-en
General
-
Target
c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
-
Size
4.2MB
-
MD5
65e726d66f070fcd98aa14e774a843fb
-
SHA1
4e1e602621b0d3bc747ef7aa42a90d62346113a2
-
SHA256
c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1
-
SHA512
b22b836ca8c763983dc31ee3807c5ef719da971991d52b8037c95b63c91eab758d6847dd587b78e7c631bf42a64101eb7b8c64a1b48ce68fbc1085cca1b24c26
-
SSDEEP
98304:W+HT2dFOlkJa7jNZC2ePu9ILkthheCYlOat:PzMKBrC2kuA8hntO
Malware Config
Signatures
-
Glupteba payload 19 IoCs
resource  yara_rule
behavioral2/memory/5048-2-0x0000000005360000-0x0000000005C4B000-memory.dmp  family_glupteba
behavioral2/memory/5048-3-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/5048-4-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/5048-25-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/5048-47-0x0000000005360000-0x0000000005C4B000-memory.dmp  family_glupteba
behavioral2/memory/5048-51-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/5048-56-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/4856-59-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/4856-73-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/4856-93-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/4856-120-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/4856-149-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/5060-183-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/5060-230-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/5060-249-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/5060-258-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/5060-259-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/5060-262-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/5060-264-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid   Process
3364  netsh.exe
-
Executes dropped EXE 4 IoCs
pid   Process
5060  csrss.exe
4808  injector.exe
1484  windefender.exe
3892  windefender.exe
-
resource  yara_rule
behavioral2/files/0x000200000002aa4f-252.dat  upx
behavioral2/memory/1484-257-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
behavioral2/memory/3892-260-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
behavioral2/memory/3892-263-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
-
Adds Run key to start application 2 TTPs 2 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""  csrss.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
description  ioc  Process
File opened for modification  \??\WinMonFS  csrss.exe
-
Drops file in System32 directory 7 IoCs
description  ioc  Process
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
File created  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
File created  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log  powershell.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description  ioc  Process
File opened (read-only)  \??\VBoxMiniRdrDN  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
-
Drops file in Windows directory 4 IoCs
description  ioc  Process
File opened for modification  C:\Windows\rss  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
File created  C:\Windows\rss\csrss.exe  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
File created  C:\Windows\windefender.exe  csrss.exe
File opened for modification  C:\Windows\windefender.exe  csrss.exe
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid   Process
3772  sc.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2844  schtasks.exe
2772  schtasks.exe
-
Modifies data under HKEY_USERS 64 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time"  windefender.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time"  windefender.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time"  windefender.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates  powershell.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
4644  powershell.exe
4644  powershell.exe
5048  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
5048  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
4612  powershell.exe
4612  powershell.exe
4856  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
4856  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
4856  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
4856  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
4856  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
4856  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
4856  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
4856  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
4856  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
4856  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
2896  powershell.exe
2896  powershell.exe
3340  powershell.exe
3340  powershell.exe
2144  powershell.exe
2144  powershell.exe
1520  powershell.exe
1520  powershell.exe
1032  powershell.exe
1032  powershell.exe
4808  injector.exe
4808  injector.exe
4808  injector.exe
4808  injector.exe
4808  injector.exe
4808  injector.exe
4808  injector.exe
4808  injector.exe
4808  injector.exe
4808  injector.exe
5060  csrss.exe
5060  csrss.exe
4808  injector.exe
4808  injector.exe
4808  injector.exe
4808  injector.exe
5060  csrss.exe
5060  csrss.exe
4808  injector.exe
4808  injector.exe
4808  injector.exe
4808  injector.exe
4808  injector.exe
4808  injector.exe
4808  injector.exe
4808  injector.exe
5060  csrss.exe
5060  csrss.exe
4808  injector.exe
4808  injector.exe
4808  injector.exe
4808  injector.exe
4808  injector.exe
4808  injector.exe
4808  injector.exe
4808  injector.exe
4808  injector.exe
4808  injector.exe
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
description  pid  Process
Token: SeDebugPrivilege  4644  powershell.exe
Token: SeDebugPrivilege  5048  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
Token: SeImpersonatePrivilege  5048  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
Token: SeDebugPrivilege  4612  powershell.exe
Token: SeDebugPrivilege  2896  powershell.exe
Token: SeDebugPrivilege  3340  powershell.exe
Token: SeDebugPrivilege  2144  powershell.exe
Token: SeDebugPrivilege  1520  powershell.exe
Token: SeDebugPrivilege  1032  powershell.exe
Token: SeSystemEnvironmentPrivilege  5060  csrss.exe
Token: SeSecurityPrivilege  3772  sc.exe
Token: SeSecurityPrivilege  3772  sc.exe
-
Suspicious use of WriteProcessMemory 36 IoCs
description  pid  Process  procid_target
PID 5048 wrote to memory of 4644  5048  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe  81
PID 5048 wrote to memory of 4644  5048  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe  81
PID 5048 wrote to memory of 4644  5048  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe  81
PID 4856 wrote to memory of 4612  4856  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe  86
PID 4856 wrote to memory of 4612  4856  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe  86
PID 4856 wrote to memory of 4612  4856  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe  86
PID 4856 wrote to memory of 1484  4856  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe  88
PID 4856 wrote to memory of 1484  4856  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe  88
PID 1484 wrote to memory of 3364  1484  cmd.exe  90
PID 1484 wrote to memory of 3364  1484  cmd.exe  90
PID 4856 wrote to memory of 2896  4856  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe  91
PID 4856 wrote to memory of 2896  4856  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe  91
PID 4856 wrote to memory of 2896  4856  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe  91
PID 4856 wrote to memory of 3340  4856  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe  93
PID 4856 wrote to memory of 3340  4856  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe  93
PID 4856 wrote to memory of 3340  4856  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe  93
PID 4856 wrote to memory of 5060  4856  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe  95
PID 4856 wrote to memory of 5060  4856  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe  95
PID 4856 wrote to memory of 5060  4856  c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe  95
PID 5060 wrote to memory of 2144  5060  csrss.exe  96
PID 5060 wrote to memory of 2144  5060  csrss.exe  96
PID 5060 wrote to memory of 2144  5060  csrss.exe  96
PID 5060 wrote to memory of 1520  5060  csrss.exe  102
PID 5060 wrote to memory of 1520  5060  csrss.exe  102
PID 5060 wrote to memory of 1520  5060  csrss.exe  102
PID 5060 wrote to memory of 1032  5060  csrss.exe  104
PID 5060 wrote to memory of 1032  5060  csrss.exe  104
PID 5060 wrote to memory of 1032  5060  csrss.exe  104
PID 5060 wrote to memory of 4808  5060  csrss.exe  106
PID 5060 wrote to memory of 4808  5060  csrss.exe  106
PID 1484 wrote to memory of 4524  1484  windefender.exe  112
PID 1484 wrote to memory of 4524  1484  windefender.exe  112
PID 1484 wrote to memory of 4524  1484  windefender.exe  112
PID 4524 wrote to memory of 3772  4524  cmd.exe  113
PID 4524 wrote to memory of 3772  4524  cmd.exe  113
PID 4524 wrote to memory of 3772  4524  cmd.exe  113
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe"
  Depth: 1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 5048

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -nologo -noprofile
    Depth: 2
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4644

  C:\Users\Admin\AppData\Local\Temp\c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1.exe"
    Depth: 2
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 4856

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -nologo -noprofile
      Depth: 3
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4612

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      Depth: 3
      - Suspicious use of WriteProcessMemory
      PID: 1484

      C:\Windows\system32\netsh.exe
        Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        Depth: 4
        - Modifies Windows Firewall
        PID: 3364

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -nologo -noprofile
      Depth: 3
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2896

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -nologo -noprofile
      Depth: 3
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3340

    C:\Windows\rss\csrss.exe
      Command line: C:\Windows\rss\csrss.exe
      Depth: 3
      - Executes dropped EXE
      - Adds Run key to start application
      - Manipulates WinMonFS driver.
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 5060

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        Depth: 4
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2144

      C:\Windows\SYSTEM32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        Depth: 4
        - Creates scheduled task(s)
        PID: 2844

      C:\Windows\SYSTEM32\schtasks.exe
        Command line: schtasks /delete /tn ScheduledUpdate /f
        Depth: 4
        PID: 1528

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        Depth: 4
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1520

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        Depth: 4
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1032

      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        Depth: 4
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        PID: 4808

      C:\Windows\SYSTEM32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        Depth: 4
        - Creates scheduled task(s)
        PID: 2772

      C:\Windows\windefender.exe
        Command line: "C:\Windows\windefender.exe"
        Depth: 4
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 1484

        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
          Depth: 5
          - Suspicious use of WriteProcessMemory
          PID: 4524

          C:\Windows\SysWOW64\sc.exe
            Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            Depth: 6
            - Launches sc.exe
            - Suspicious use of AdjustPrivilegeToken
            PID: 3772

C:\Windows\windefender.exe
  Command line: C:\Windows\windefender.exe
  Depth: 1
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 3892
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Downloads
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 281KB
MD5: d98e33b66343e7c96158444127a117f6
SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: ac4917a885cf6050b1a483e4bc4d2ea5
SHA1: b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256: e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512: 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: a69e383746bd95b919165697859d0c67
SHA1: 564c72177e21f684cf2b4ef113d90d7f6c35fd22
SHA256: 104dcbbb09aaa971f2d28e0696a8bd5743d8468d5a25cbeb19882f0dcfc128df
SHA512: 0e04f908f5d887c4364147e0a104718a100e626fe1888fd16eb288e504757937e2eeae1d9c296c417eca84a6d54d2949c6acc65ae306c7f3b91e704273b65f2a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 20761141d78f56a8c327128400485120
SHA1: 224c35344d86db35d60a5a75caed2cbdeda7737b
SHA256: f462f003774ad2b78db1bf6bad58be8758616cff03ba3b6252b8007d7fb78d50
SHA512: 614bd03a163123e95cc5576741621c4d790211ceb9083869dd0614c6b550c48500e60a57438c970aab4a276577f2e6d42efc2196336179ff7939959440b5510d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 9a8dd0618619f77e29f8247bbacfe91e
SHA1: f0dc1da4a11b3bb611b3bf29541cdd797b0de587
SHA256: 7359993533196576d699c864f0c978d365d830e5b1cfc16be1cb542340c58512
SHA512: 9516d98f506002057e586a88a22e49aca26fec4aa41798513612b3215b748e518ed25a985da3de8ee189d853c3af4f58790da865ec263385d232c367616b6e97
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 4a9b0b2cd9cf0c338a90f2183f964a78
SHA1: f6a575aeeacd4a9c497f188502edfcf083099ada
SHA256: 0b8930724b9c2abafd92217d11c0d89cf9de8192eaa8bc2232b867e453a38541
SHA512: a98d307b78caa2ccc14f26b9c7551ac92bd115046507d804e6ff2e49c910f4cf0bf16176f78d887048ed9955391687d414dcc89c4e7daa8b282f92488a4c0687
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 49fbfecf463e7a74bf5a618c62cad39a
SHA1: 1c490795d5d12a9ae5f1ba9cbba5e52fb5b921e7
SHA256: 4570d5f63d2d83d1cf6e216c75bfe039a259bcdaa6668701f5b6ce7bd579f89f
SHA512: 31128d97a5549890759b708e59376fedebe0bf839b43f1e89c5360633a5efe623af448bde82b614c77d48202384c9fdbd47e640af3de4b7354f3b45a7905945d
-
Filesize: 4.2MB
MD5: 65e726d66f070fcd98aa14e774a843fb
SHA1: 4e1e602621b0d3bc747ef7aa42a90d62346113a2
SHA256: c53ae2d7fca3f95db8ba8363a850415d45890d7c6a5dbda2535a6e46f498aec1
SHA512: b22b836ca8c763983dc31ee3807c5ef719da971991d52b8037c95b63c91eab758d6847dd587b78e7c631bf42a64101eb7b8c64a1b48ce68fbc1085cca1b24c26
-
Filesize: 2.0MB
MD5: 8e67f58837092385dcf01e8a2b4f5783
SHA1: 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256: 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512: 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec