Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/04/2024, 20:02
Static task: static1
Behavioral task: behavioral1
Sample: 15b70a60a66a0aeceddbce87466e08d5e9ac74dc1e6d458b26c80aee95924ccf.exe
Resource: win10v2004-20240412-en
General
- Target: 15b70a60a66a0aeceddbce87466e08d5e9ac74dc1e6d458b26c80aee95924ccf.exe
- Size: 4.2MB
- MD5: 421ce3b54c30edc47c9edb329fe3caba
- SHA1: a3849aa448f85e2974bd69e139153740f94a9cae
- SHA256: 15b70a60a66a0aeceddbce87466e08d5e9ac74dc1e6d458b26c80aee95924ccf
- SHA512: 90ce952052891da627e4446771986f5123d603e5b453b0c2e06814f06d54544c7d441ae4afd2dcd536dc684cd003f86964e07a6e137ad06bef3d6e6a71263419
- SSDEEP: 98304:ZU4Iq03aI5N3yqqHwBEspKQ2DvCGo03KUue+TD:rIh7By/QBEsp+2hnfD
Malware Config
Signatures
-
Glupteba payload 21 IoCs
Modifies Windows Firewall 2 TTPs 1 IoCs
- PID 4252: netsh.exe
Executes dropped EXE 4 IoCs
- PID 4184: csrss.exe
- PID 1528: injector.exe
- PID 4116: windefender.exe
- PID 1524: windefender.exe
-
UPX packed file (yara rule: upx) 4 IoCs
- behavioral1/files/0x000400000001e7e5-267.dat
- behavioral1/memory/4116-272-0x0000000000400000-0x00000000008DF000-memory.dmp
- behavioral1/memory/1524-277-0x0000000000400000-0x00000000008DF000-memory.dmp
- behavioral1/memory/1524-285-0x0000000000400000-0x00000000008DF000-memory.dmp
Adds Run key to start application 2 TTPs 2 IoCs
- Set value (str): \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" (process: 15b70a60a66a0aeceddbce87466e08d5e9ac74dc1e6d458b26c80aee95924ccf.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" (process: csrss.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver 1 IoCs
Rootkits write to WinMonFS to hide directories and files from detection.
- File opened for modification: \??\WinMonFS (process: csrss.exe)
Drops file in System32 directory 7 IoCs
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (process: powershell.exe)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log (process: powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (process: powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (process: powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (process: powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (process: powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (process: powershell.exe)
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
- File opened (read-only): \??\VBoxMiniRdrDN (process: 15b70a60a66a0aeceddbce87466e08d5e9ac74dc1e6d458b26c80aee95924ccf.exe)
Drops file in Windows directory 4 IoCs
- File opened for modification: C:\Windows\rss (process: 15b70a60a66a0aeceddbce87466e08d5e9ac74dc1e6d458b26c80aee95924ccf.exe)
- File created: C:\Windows\rss\csrss.exe (process: 15b70a60a66a0aeceddbce87466e08d5e9ac74dc1e6d458b26c80aee95924ccf.exe)
- File created: C:\Windows\windefender.exe (process: csrss.exe)
- File opened for modification: C:\Windows\windefender.exe (process: csrss.exe)
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility for controlling services on the system.
- PID 1088: sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 2804: schtasks.exe
- PID 3888: schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 12 IoCs
- Token: SeDebugPrivilege, PID 3840, powershell.exe
- Token: SeDebugPrivilege, PID 1032, 15b70a60a66a0aeceddbce87466e08d5e9ac74dc1e6d458b26c80aee95924ccf.exe
- Token: SeImpersonatePrivilege, PID 1032, 15b70a60a66a0aeceddbce87466e08d5e9ac74dc1e6d458b26c80aee95924ccf.exe
- Token: SeDebugPrivilege, PID 1556, powershell.exe
- Token: SeDebugPrivilege, PID 3232, powershell.exe
- Token: SeDebugPrivilege, PID 4556, powershell.exe
- Token: SeDebugPrivilege, PID 3124, powershell.exe
- Token: SeDebugPrivilege, PID 2052, powershell.exe
- Token: SeDebugPrivilege, PID 3800, powershell.exe
- Token: SeSystemEnvironmentPrivilege, PID 4184, csrss.exe
- Token: SeSecurityPrivilege, PID 1088, sc.exe
- Token: SeSecurityPrivilege, PID 1088, sc.exe
Suspicious use of WriteProcessMemory 36 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\15b70a60a66a0aeceddbce87466e08d5e9ac74dc1e6d458b26c80aee95924ccf.exe (depth 1, PID 1032)
  Command line: "C:\Users\Admin\AppData\Local\Temp\15b70a60a66a0aeceddbce87466e08d5e9ac74dc1e6d458b26c80aee95924ccf.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 3840)
    Command line: powershell -nologo -noprofile
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\15b70a60a66a0aeceddbce87466e08d5e9ac74dc1e6d458b26c80aee95924ccf.exe (depth 2, PID 4636)
    Command line: "C:\Users\Admin\AppData\Local\Temp\15b70a60a66a0aeceddbce87466e08d5e9ac74dc1e6d458b26c80aee95924ccf.exe"
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 1556)
      Command line: powershell -nologo -noprofile
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe (depth 3, PID 1760)
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\netsh.exe (depth 4, PID 4252)
        Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        - Modifies Windows Firewall

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 3232)
      Command line: powershell -nologo -noprofile
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 4556)
      Command line: powershell -nologo -noprofile
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\rss\csrss.exe (depth 3, PID 4184)
      Command line: C:\Windows\rss\csrss.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Manipulates WinMonFS driver
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4, PID 3124)
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SYSTEM32\schtasks.exe (depth 4, PID 3888)
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        - Creates scheduled task(s)

      C:\Windows\SYSTEM32\schtasks.exe (depth 4, PID 2896)
        Command line: schtasks /delete /tn ScheduledUpdate /f

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4, PID 2052)
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4, PID 3800)
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (depth 4, PID 1528)
        Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses

      C:\Windows\SYSTEM32\schtasks.exe (depth 4, PID 2804)
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        - Creates scheduled task(s)

      C:\Windows\windefender.exe (depth 4, PID 4116)
        Command line: "C:\Windows\windefender.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (depth 5, PID 3312)
          Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\sc.exe (depth 6, PID 1088)
            Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            - Launches sc.exe
            - Suspicious use of AdjustPrivilegeToken

C:\Windows\windefender.exe (depth 1, PID 1524)
  Command line: C:\Windows\windefender.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
- Scheduled Task/Job (1)
Downloads