Analysis

max time kernel: 160s
max time network: 165s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/04/2024, 20:03

Static task: static1
Behavioral task: behavioral1
Sample: 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
Resource: win10v2004-20240412-en
General

Target: 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
Size: 4.2MB
MD5: 8ba9f36b143b917aeae7d4ea738a4db1
SHA1: 5ce026af13ed8e5d1895aa4465e6e1c2fa573e8d
SHA256: 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0
SHA512: 15c6b80729c77ba21400b670c55fd0c1b28dd2f1823abc804b32da9f7494fe372701bc0885339b03430b92f4a58eaace22c06c3653246c7a2204c9720dcfdc82
SSDEEP: 98304:ZU4Iq03aI5N3yqqHwBEspKQ2DvCGo03KUue+Tq:rIh7By/QBEsp+2hnfq
Malware Config
Signatures
Glupteba payload (16 IoCs)
resource | yara_rule
- behavioral1/memory/956-2-0x0000000005320000-0x0000000005C0B000-memory.dmp | family_glupteba
- behavioral1/memory/956-3-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- behavioral1/memory/956-4-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- behavioral1/memory/956-31-0x0000000005320000-0x0000000005C0B000-memory.dmp | family_glupteba
- behavioral1/memory/956-45-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- behavioral1/memory/956-51-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- behavioral1/memory/956-62-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- behavioral1/memory/956-64-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- behavioral1/memory/3240-68-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- behavioral1/memory/3240-82-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- behavioral1/memory/3240-98-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- behavioral1/memory/3240-106-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- behavioral1/memory/3240-139-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- behavioral1/memory/3240-172-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- behavioral1/memory/3584-178-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- behavioral1/memory/3584-211-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
Modifies Windows Firewall (2 TTPs, 1 IoC)
pid | Process
- 1044 | netsh.exe
Executes dropped EXE (1 IoC)
pid | Process
- 3584 | csrss.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (6 IoCs)
description | ioc | Process
- File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
- File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | powershell.exe
- File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
Checks for VirtualBox DLLs, possible anti-VM trick (1 TTP, 1 IoC)
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | Process
- File opened (read-only) | \??\VBoxMiniRdrDN | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
- File created | C:\Windows\rss\csrss.exe | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- File opened for modification | C:\Windows\rss | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
- 5036 | schtasks.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Suspicious behavior: EnumeratesProcesses (25 IoCs)
pid | Process
- 1052 | powershell.exe (x3)
- 956 | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe (x2)
- 2908 | powershell.exe (x3)
- 3240 | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe (x10)
- 4956 | powershell.exe (x2)
- 1564 | powershell.exe (x2)
- 3444 | powershell.exe (x2)
- 4452 | powershell.exe (x1)
Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 1052 | powershell.exe
- Token: SeDebugPrivilege | 956 | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Token: SeImpersonatePrivilege | 956 | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Token: SeDebugPrivilege | 2908 | powershell.exe
- Token: SeDebugPrivilege | 4956 | powershell.exe
- Token: SeDebugPrivilege | 1564 | powershell.exe
- Token: SeDebugPrivilege | 3444 | powershell.exe
- Token: SeDebugPrivilege | 4452 | powershell.exe
Suspicious use of WriteProcessMemory (25 IoCs)
description | pid | Process | procid_target
- PID 956 wrote to memory of 1052 | 956 | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe | 95 (x3)
- PID 3240 wrote to memory of 2908 | 3240 | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe | 105 (x3)
- PID 3240 wrote to memory of 4472 | 3240 | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe | 107 (x2)
- PID 4472 wrote to memory of 1044 | 4472 | cmd.exe | 109 (x2)
- PID 3240 wrote to memory of 4956 | 3240 | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe | 110 (x3)
- PID 3240 wrote to memory of 1564 | 3240 | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe | 112 (x3)
- PID 3240 wrote to memory of 3584 | 3240 | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe | 114 (x3)
- PID 3584 wrote to memory of 3444 | 3584 | csrss.exe | 116 (x3)
- PID 3584 wrote to memory of 4452 | 3584 | csrss.exe | 121 (x3)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe (PID 956)
    command line: "C:\Users\Admin\AppData\Local\Temp\5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1052)
        command line: powershell -nologo -noprofile
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Local\Temp\5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe (PID 3240)
        command line: "C:\Users\Admin\AppData\Local\Temp\5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe"
        - Adds Run key to start application
        - Checks for VirtualBox DLLs, possible anti-VM trick
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2908)
            command line: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\system32\cmd.exe (PID 4472)
            command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\netsh.exe (PID 1044)
                command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                - Modifies Windows Firewall

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4956)
            command line: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1564)
            command line: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\rss\csrss.exe (PID 3584)
            command line: C:\Windows\rss\csrss.exe
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3444)
                command line: powershell -nologo -noprofile
                - Drops file in System32 directory
                - Modifies data under HKEY_USERS
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SYSTEM32\schtasks.exe (PID 5036)
                command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                - Creates scheduled task(s)

            [4] C:\Windows\SYSTEM32\schtasks.exe (PID 4020)
                command line: schtasks /delete /tn ScheduledUpdate /f

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4452)
                command line: powershell -nologo -noprofile
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Downloads

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  Filesize: 35KB
  MD5: c0c4404d7fa40cfc426fa66648e532c2
  SHA1: d60dcafc42c6cca766a81d5bfdd8e86978940db0
  SHA256: ca8746b989ce25d54f1b7fa117f804f162d842228b7f6e9422aeaf0cc6a017f3
  SHA512: c84bb02966316ee10a38f35516964e4b2730a4a36ede9e13e8b3cf8669756dc7ed44fa5d06e30347050b854e6f82219a38db13dce3b16138354aa331c73d02b9

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 1b429ce2aa832b6945b82ac67163f673
  SHA1: 0ea8a41bde430b6cce7ffc8996c14477d364524f
  SHA256: b3d7fdde4afe5c9d1aae1f3a4a3dae71ffb9ef5824a978249d51576ecf2e1069
  SHA512: 9aa52ab21a920bc1798ea2d1de60a80a9ec90963f09ec147383fb096843c650269c19c56abe10bf04009274b1e1d2efb04cba2359c94a012f1344f9010236b2f

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 18KB
  MD5: 43fbaa16e31175b3a39778ba4f2b6bd4
  SHA1: ac246a857c8c706da11ab058fecfc365ccd7c46b
  SHA256: d55b58347a01003908c43c78e7ac9cd86c59411a4041647b5255f573390828f2
  SHA512: 1d69c4aae9800b4f9cf4e4987dd4211ea9719f67db5ea65ff148f72cc52a4450fc4b29705011cfbb14685e6faaea4fb4fd26e3123a81c0f24ca025ceb7b5e754

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 18KB
  MD5: 22b97b13a9d669fb7f9c693a58d879ce
  SHA1: 94d67eeb3bbd99d292f2ebda65fcd7c7ea403b38
  SHA256: 278ff1ef9b07c35e1e1c157c149565340d195821c1fdf26e8ff24e1d9090125b
  SHA512: 693c27c3b48bef5dac7245c776299d7582506a7735e5f3e4cecf4016df2b79dd58589358a8e07ee23baa6ec61ecfce659d1b7b0595e49c131f5e541d297865c0

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 18KB
  MD5: 834818a476d4a3b191fe8aa586ca7f17
  SHA1: 223bac1f69dee9c812f57cea77ef1f450558960e
  SHA256: 548604b3c35bc5cadf5182215265397b8026967f99952ff6e9c30b57cee5070d
  SHA512: 61d9b3f1ab63b56ef34b7178cf8972ea7fb340e59eb601c4eaae9d4d56326d0a1dbea28b52e3ac8236af8b34d7c81d9eb84b20faaef93905b42ebc3380223de6

- Filesize: 4.2MB
  MD5: 8ba9f36b143b917aeae7d4ea738a4db1
  SHA1: 5ce026af13ed8e5d1895aa4465e6e1c2fa573e8d
  SHA256: 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0
  SHA512: 15c6b80729c77ba21400b670c55fd0c1b28dd2f1823abc804b32da9f7494fe372701bc0885339b03430b92f4a58eaace22c06c3653246c7a2204c9720dcfdc82