Analysis
max time kernel: 15s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/04/2024, 20:03

Static task: static1
Behavioral task: behavioral1
Sample: 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Resource: win10v2004-20240412-en

General
Target: 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Size: 4.2MB
MD5: 907b31cc5de7fe55e8b7e6fae904c487
SHA1: 7c5c32781742a8fc8b40611e53cbacd53444dedb
SHA256: 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf
SHA512: 09d1a38a501d29447482c29f20ed9fefefb0d7e3bcc475e1f7206fa9cf67269655033dac82db6fd4ac1534e8d0abf9e53db4e887556ae990345fbe4a6e1d488b
SSDEEP: 98304:hU4Iq03aI5N3yqqHwBEspKQ2DvCGo03KUue+T5:TIh7By/QBEsp+2hnf5
Malware Config
Signatures
-
Glupteba payload 17 IoCs
resource | yara_rule
behavioral1/memory/3000-2-0x0000000005260000-0x0000000005B4B000-memory.dmp | family_glupteba
behavioral1/memory/3000-3-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral1/memory/4600-56-0x0000000005180000-0x0000000005A6B000-memory.dmp | family_glupteba
behavioral1/memory/4600-58-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral1/memory/3000-72-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral1/memory/4600-190-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral1/memory/1608-260-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral1/memory/1608-270-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral1/memory/1608-274-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral1/memory/1608-278-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral1/memory/1608-282-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral1/memory/1608-286-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral1/memory/1608-290-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral1/memory/1608-294-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral1/memory/1608-298-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral1/memory/1608-302-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral1/memory/1608-306-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
The same 0x00400000-0x03118000 image region matches in the submitted process (PID 3000), its re-launched copy (PID 4600) and the dropped C:\Windows\rss\csrss.exe (PID 1608), consistent with csrss.exe being a copy of the sample rather than a distinct second stage (the 4.2MB entry under Downloads carries the sample's own hashes). The unpacked Glupteba body is therefore only visible in a memory dump, not in the 4.2MB file on disk.
Modifies Windows Firewall 2 TTPs 1 IoCs
pid | Process
2940 | netsh.exe

Executes dropped EXE 1 IoCs
pid | Process
1608 | csrss.exe

UPX packed file 4 IoCs
resource | yara_rule
behavioral1/files/0x0007000000023407-263.dat | upx
behavioral1/memory/4400-268-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
behavioral1/memory/4192-273-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
behavioral1/memory/4192-281-0x0000000000400000-0x00000000008DF000-memory.dmp | upx

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe

Drops file in System32 directory 4 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files and device objects are specific to VirtualBox VMs and can be used to detect execution in a VM. The object probed here, \??\VBoxMiniRdrDN, is the device name of the VirtualBox shared-folders driver that ships with Guest Additions; a successful open tells the sample it is running inside a VirtualBox guest.
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\rss | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
File created | C:\Windows\rss\csrss.exe | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system. Here it is invoked with `sdset` to rewrite the security descriptor of the WinDefender service (see the process tree below).
pid | Process
1740 | sc.exe
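The `sc sdset WinDefender <SDDL>` command line in the process tree is worth decoding rather than just flagging, because the descriptor is what keeps the service alive. The following is an added example, not code from the report or from the sample: it parses the SDDL string copied from the tree with the standard SDDL right and SID abbreviations (interpreted for a service object) and answers "who can stop this service?". The `can()` helper is a deliberately simplified access check (exact trustee alias match, no group expansion or generic-right mapping), which is sufficient for this descriptor.

```python
"""Decode the service security descriptor the sample applies with
`sc sdset WinDefender <SDDL>` and report what each ACE grants or denies."""
import re

# SDDL string copied from the `sc sdset WinDefender ...` command line in the process tree.
WINDEFENDER_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
    "(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(D;;WPDT;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)"
    "(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# Two-letter SDDL access rights, named for a service object.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}
# Well-known SID aliases used in this descriptor.
SIDS = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
        "SU": "Service", "WD": "Everyone"}

SECTION_RE = re.compile(r"([DS]):([A-Z]*)((?:\([^)]*\))*)")  # D:flags(ace)(ace)... / S:...
ACE_RE = re.compile(r"\(([^)]*)\)")


def _rights(field):
    """Expand a packed rights field such as 'WPDT' into names; keep hex masks as-is."""
    if field.startswith("0x"):
        return [field]
    return [RIGHTS.get(field[i:i + 2], field[i:i + 2]) for i in range(0, len(field), 2)]


def parse_ace(ace):
    """Split one ACE 'type;flags;rights;object_guid;inherit_guid;sid' into a dict."""
    ace_type, flags, rights, _object_guid, _inherit_guid, sid = ace.split(";")
    return {
        "type": ACE_TYPES.get(ace_type, ace_type),
        "flags": flags,
        "rights": _rights(rights),
        "trustee": SIDS.get(sid, sid),
    }


def parse_sddl(sddl):
    """Return {'dacl': [...], 'sacl': [...]} with ACEs in the order written."""
    acl = {"dacl": [], "sacl": []}
    for section in SECTION_RE.finditer(sddl):
        key = "dacl" if section.group(1) == "D" else "sacl"
        acl[key] = [parse_ace(a) for a in ACE_RE.findall(section.group(3))]
    return acl


def can(sddl, trustee, right):
    """Simplified access check: the first DACL ACE naming both the trustee and
    the right decides; no ACE naming it means no access."""
    for ace in parse_sddl(sddl)["dacl"]:
        if ace["trustee"] == trustee and right in ace["rights"]:
            return ace["type"] == "ALLOW"
    return False


def summarize(sddl):
    """One human-readable line per ACE."""
    lines = []
    for which in ("dacl", "sacl"):
        for ace in parse_sddl(sddl)[which]:
            lines.append(f"{which.upper()} {ace['type']:5} {ace['trustee']}: {', '.join(ace['rights'])}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(WINDEFENDER_SDDL)))
    for who in ("LocalSystem", "Administrators", "Interactive"):
        print(f"{who} can stop the service: {can(WINDEFENDER_SDDL, who, 'SERVICE_STOP')}")
```

What the decode shows: LocalSystem keeps SERVICE_STOP and SERVICE_PAUSE_CONTINUE, Administrators are granted start, change-config, delete and WRITE_DAC but are then explicitly denied WP and DT, and interactive/service logons can only query. The deny ACE is appended after the allow ACEs (non-canonical order), but it still blocks stop/pause because the preceding Administrators allow does not grant WP or DT. Because Administrators retain WRITE_DAC and SERVICE_CHANGE_CONFIG, the clean-up path is to rewrite the descriptor (`sc sdshow WinDefender` to confirm, then `sc sdset` with a sane SDDL) or to act from a SYSTEM context before `sc stop` and `sc delete` will succeed.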
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2272 | schtasks.exe
1164 | schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid | Process | occurrences
5016 | powershell.exe | 2
3000 | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe | 2
4548 | powershell.exe | 2
4600 | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe | 10
372 | powershell.exe | 2
2304 | powershell.exe | 2
4884 | powershell.exe | 2

Suspicious use of AdjustPrivilegeToken 7 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5016 | powershell.exe
Token: SeDebugPrivilege | 3000 | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Token: SeImpersonatePrivilege | 3000 | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Token: SeDebugPrivilege | 4548 | powershell.exe
Token: SeDebugPrivilege | 372 | powershell.exe
Token: SeDebugPrivilege | 2304 | powershell.exe
Token: SeDebugPrivilege | 4884 | powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs
description | pid | Process | procid_target | occurrences
PID 3000 wrote to memory of 5016 | 3000 | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe | 91 | 3
PID 4600 wrote to memory of 4548 | 4600 | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe | 98 | 3
PID 4600 wrote to memory of 4384 | 4600 | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe | 101 | 2
PID 4384 wrote to memory of 2940 | 4384 | cmd.exe | 103 | 2
PID 4600 wrote to memory of 372 | 4600 | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe | 104 | 3
PID 4600 wrote to memory of 2304 | 4600 | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe | 106 | 3
PID 4600 wrote to memory of 1608 | 4600 | 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe | 108 | 3
PID 1608 wrote to memory of 4884 | 1608 | csrss.exe | 109 | 3
Processes
[1] C:\Users\Admin\AppData\Local\Temp\74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe (PID 3000)
    Command line: "C:\Users\Admin\AppData\Local\Temp\74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5016)
      Command line: powershell -nologo -noprofile
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe (PID 4600)
      Command line: "C:\Users\Admin\AppData\Local\Temp\74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe"
      - Adds Run key to start application
      - Checks for VirtualBox DLLs, possible anti-VM trick
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4548)
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe (PID 4384)
        Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\netsh.exe (PID 2940)
          Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          - Modifies Windows Firewall
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 372)
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2304)
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\rss\csrss.exe (PID 1608)
        Command line: C:\Windows\rss\csrss.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4884)
          Command line: powershell -nologo -noprofile
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SYSTEM32\schtasks.exe (PID 2272)
          Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          - Creates scheduled task(s)
      [4] C:\Windows\SYSTEM32\schtasks.exe (PID 1520)
          Command line: schtasks /delete /tn ScheduledUpdate /f
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3656)
          Command line: powershell -nologo -noprofile
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3752)
          Command line: powershell -nologo -noprofile
      [4] C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (PID 1980)
          Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      [4] C:\Windows\SYSTEM32\schtasks.exe (PID 1164)
          Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          - Creates scheduled task(s)
      [4] C:\Windows\windefender.exe (PID 4400)
          Command line: "C:\Windows\windefender.exe"
        [5] C:\Windows\SysWOW64\cmd.exe (PID 220)
            Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
          [6] C:\Windows\SysWOW64\sc.exe (PID 1740)
              Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              - Launches sc.exe
[1] C:\Windows\windefender.exe (PID 4192)
    Command line: C:\Windows\windefender.exe
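The process tree above is a compact persistence and defense-evasion chain: a binary named csrss.exe running from C:\Windows\rss instead of System32, a logon task at the highest run level pointing at it, a firewall allow rule for it, a DLL loaded from the user's Temp directory, and an `sc sdset` on a service. The following is an added example, not code from the report: it encodes those five observations as detection rules over Sysmon-style process-creation events. The events reproduce command lines from the tree (PIDs 1608, 2272, 1520, 2940, 1980, 1740) plus two constructed benign controls (PIDs 600 and 700); the rule names, the TRUSTED_PREFIXES list and the SYSTEM_BINARIES table are this example's own assumptions, and the table generalises the csrss.exe case to other binaries that only ever run from System32.

```python
"""Detection rules for the chain in the process tree, run over constructed
Sysmon-style process-creation events (image path + command line)."""
import ntpath
import re

# Windows binaries that run only from these directories on a healthy host (assumption).
SYSTEM_BINARIES = {
    "csrss.exe": (r"c:\windows\system32",),
    "smss.exe": (r"c:\windows\system32",),
    "wininit.exe": (r"c:\windows\system32",),
    "winlogon.exe": (r"c:\windows\system32",),
    "services.exe": (r"c:\windows\system32",),
    "lsass.exe": (r"c:\windows\system32",),
    "svchost.exe": (r"c:\windows\system32", r"c:\windows\syswow64"),
}
# Locations a persisted or firewall-whitelisted program is expected to live in (assumption).
TRUSTED_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64",
                    r"c:\program files", r"c:\program files (x86)")

# Events reconstructed from the report's process tree, plus two constructed benign controls.
EVENTS = [
    {"pid": 1608, "image": r"C:\Windows\rss\csrss.exe",
     "cmdline": r"C:\Windows\rss\csrss.exe"},
    {"pid": 2272, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'},
    {"pid": 1520, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r"schtasks /delete /tn ScheduledUpdate /f"},
    {"pid": 2940, "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'},
    {"pid": 1980, "image": r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe "
                r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"},
    {"pid": 1740, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": "sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"},
    # constructed benign controls: the real csrss.exe and a vendor updater task
    {"pid": 600, "image": r"C:\Windows\System32\csrss.exe", "cmdline": r"C:\Windows\System32\csrss.exe"},
    {"pid": 700, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Program Files\Vendor\updater.exe" /TN VendorUpdate'},
]


def _norm(path):
    return path.strip('"').lower()


def _trusted(path):
    return _norm(path).startswith(TRUSTED_PREFIXES)


def _tokens(cmdline):
    """Split a command line, keeping quoted arguments whole."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def _arg_after(tokens, flag):
    """Value following a flag such as /TR, matched case-insensitively."""
    upper = [t.upper() for t in tokens]
    if flag in upper and upper.index(flag) + 1 < len(tokens):
        return tokens[upper.index(flag) + 1]
    return None


def _basename(ev):
    return ntpath.basename(_norm(ev["image"]))


def rule_system_binary_outside_system32(ev):
    name = _basename(ev)
    if name in SYSTEM_BINARIES and ntpath.dirname(_norm(ev["image"])) not in SYSTEM_BINARIES[name]:
        return "system_binary_outside_system32"
    return None


def rule_highest_privilege_logon_task(ev):
    if _basename(ev) != "schtasks.exe":
        return None
    toks = _tokens(ev["cmdline"])
    if "/CREATE" not in {t.upper() for t in toks}:
        return None
    run_level, target = _arg_after(toks, "/RL"), _arg_after(toks, "/TR")
    if run_level and run_level.upper() == "HIGHEST" and target and not _trusted(target):
        return "highest_privilege_task_untrusted_target"
    return None


def rule_firewall_allow(ev):
    if _basename(ev) != "netsh.exe":
        return None
    lowered = ev["cmdline"].lower()
    if "advfirewall" in lowered and "add rule" in lowered and "action=allow" in lowered:
        m = re.search(r'program=("[^"]+"|\S+)', ev["cmdline"], re.IGNORECASE)
        if m and not _trusted(m.group(1)):
            return "firewall_allow_untrusted_program"
    return None


def rule_service_acl_rewrite(ev):
    # sc sdset is almost never run outside installers; any occurrence deserves review.
    if _basename(ev) == "sc.exe" and re.search(r"\bsdset\b", ev["cmdline"], re.IGNORECASE):
        return "service_acl_rewrite"
    return None


def rule_dll_from_user_temp(ev):
    if re.search(r"\\appdata\\local\\temp\\[^\s\"]+\.dll\b", ev["cmdline"], re.IGNORECASE):
        return "dll_from_user_temp_on_cmdline"
    return None


RULES = (rule_system_binary_outside_system32, rule_highest_privilege_logon_task,
         rule_firewall_allow, rule_service_acl_rewrite, rule_dll_from_user_temp)


def run_rules(events):
    """Return (pid, rule_name) for every rule that fires, in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((ev["pid"], name))
    return hits


if __name__ == "__main__":
    for pid, name in run_rules(EVENTS):
        print(f"PID {pid}: {name}")
```

Each rule keys on the image path or the command line rather than on the file name alone, which is what defeats the masquerading here: csrss.exe is only suspicious because of where it runs from, and the schtasks and netsh invocations are only suspicious because of where their target lives. The `schtasks /delete` in the tree is left unflagged on purpose; deleting a task is routine and the signal is in the task that gets created.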
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
- Scheduled Task/Job (1)
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 281KB
MD5: d98e33b66343e7c96158444127a117f6
SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: 3d086a433708053f9bf9523e1d87a4e8
SHA1: b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256: 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512: 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 4ad2bbe19f605d41786328cf8f2df582
SHA1: 1fb46ce0b5017e31aa07e29e0515411a97ab6cfa
SHA256: 19a2be72564a354b4ac23ff12adb7a50f70ad878f84f543c136ce8cfd7aedb45
SHA512: 6d88f2bdbd074a3b7c73fe596969f002b383d89de1e11a31c31727dd12c7bf1620b35d0a1d1bb078bd7e3a5e5eed1fc5e5c9aa5281124f0891b0cef713fa3d4c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 7c71b2232a9638fc729aebdffe40a7d3
SHA1: 73bc085885121dcda10aca82190e839a3f17e98b
SHA256: f422d9fc2cd1690504069e9056c0af8c253969fe7c5801f3b3aae03154e9a800
SHA512: a8c59851b8ace036b656a6604969fab0e42e84229f4c511d18890431a37c3f742870ce29ba5ed244679ce4405c9efc0a57009387588090cb4a2e2ee8e736c5a9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: f39e33b8d9896ff2dd27a43c365690ac
SHA1: 9003b3fd40b456d4e23fe56aef5df9dad02670ae
SHA256: 09c552684375245c4863237af7aaddc5ef624f3529dd12133a7e68799d0eb810
SHA512: 95202567002ef7953be357bb9bc9945c6b3782de3492a7a90508f1b40d2229eb68ab64c1a6cc56b6f172f2661bb650c8815b5fcc2b17dae8038962aa2ec6173c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 072af785810788376f6a2a4d5e6df07c
SHA1: 20afe86449253d0923f574a1ab0be9a77fa685af
SHA256: bc7e76fbc7086ae3abd2122591075626c384b48eeebe36c2aab032f3c34b6023
SHA512: b47d1f1d95956a74200396c4c82490172d5cd9b790e7c22926c144d8f0160b65e9626e416fc18668e338e426692bb3dd82a1cdb016f27bde2f0395143294093d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 7686b1032a60be5ab31dd8ae1c6842cb
SHA1: 48a47b53ceb831676020b5bc68b5954d3e1421bc
SHA256: 5de801cd2b862fd0cd6f47962f3d6783373ae7d4d4645fee2a64510e1dd5eb73
SHA512: e3290051f4a942100add4f82d9308adbf81df9c7cc8de5a0f6d8f71ff9b0caf4badd2f4734165724a27abacfba6213673c7b80d63e5477cddbfe738bc6d19e44

Filesize: 4.2MB (same hashes as the submitted sample)
MD5: 907b31cc5de7fe55e8b7e6fae904c487
SHA1: 7c5c32781742a8fc8b40611e53cbacd53444dedb
SHA256: 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf
SHA512: 09d1a38a501d29447482c29f20ed9fefefb0d7e3bcc475e1f7206fa9cf67269655033dac82db6fd4ac1534e8d0abf9e53db4e887556ae990345fbe4a6e1d488b

Filesize: 2.0MB
MD5: 8e67f58837092385dcf01e8a2b4f5783
SHA1: 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256: 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512: 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec