Analysis

max time kernel: 19s
max time network: 167s
platform: windows11-21h2_x64
resource: win11-20240412-en
resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 17/04/2024, 20:03

Static task: static1
Behavioral task: behavioral1
Sample: 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
Resource: win10v2004-20240412-en
General

Target: 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
Size: 4.2MB
MD5: 8ba9f36b143b917aeae7d4ea738a4db1
SHA1: 5ce026af13ed8e5d1895aa4465e6e1c2fa573e8d
SHA256: 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0
SHA512: 15c6b80729c77ba21400b670c55fd0c1b28dd2f1823abc804b32da9f7494fe372701bc0885339b03430b92f4a58eaace22c06c3653246c7a2204c9720dcfdc82
SSDEEP: 98304:ZU4Iq03aI5N3yqqHwBEspKQ2DvCGo03KUue+Tq:rIh7By/QBEsp+2hnfq
Malware Config
Signatures
Glupteba payload 20 IoCs
resource | yara_rule
- behavioral2/memory/4836-2-0x0000000005390000-0x0000000005C7B000-memory.dmp | family_glupteba
- behavioral2/memory/4836-3-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- behavioral2/memory/4836-46-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- behavioral2/memory/3008-54-0x0000000005270000-0x0000000005B5B000-memory.dmp | family_glupteba
- behavioral2/memory/3008-55-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- behavioral2/memory/4836-61-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- behavioral2/memory/3008-114-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- behavioral2/memory/3008-125-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- behavioral2/memory/3008-146-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- behavioral2/memory/2260-243-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- behavioral2/memory/2260-248-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- behavioral2/memory/2260-256-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- behavioral2/memory/2260-259-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- behavioral2/memory/2260-262-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- behavioral2/memory/2260-265-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- behavioral2/memory/2260-268-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- behavioral2/memory/2260-271-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- behavioral2/memory/2260-274-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- behavioral2/memory/2260-277-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- behavioral2/memory/2260-280-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
Modifies Windows Firewall 2 TTPs 1 IoCs
pid | Process
- 2088 | netsh.exe
upx (yara rule) 3 IoCs
resource | yara_rule
- behavioral2/files/0x000200000002a9ea-247.dat | upx
- behavioral2/memory/3400-253-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
- behavioral2/memory/2564-263-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
- 3820 | sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
- 4640 | schtasks.exe
- 2948 | schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
- 5084 | powershell.exe
- 5084 | powershell.exe
- 4836 | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- 4836 | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- 1020 | powershell.exe
- 1020 | powershell.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
- Token: SeDebugPrivilege | 5084 | powershell.exe
- Token: SeDebugPrivilege | 4836 | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Token: SeImpersonatePrivilege | 4836 | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe
- Token: SeDebugPrivilege | 1020 | powershell.exe
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
- PID 4836 wrote to memory of 5084 | 4836 | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe | 82
- PID 4836 wrote to memory of 5084 | 4836 | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe | 82
- PID 4836 wrote to memory of 5084 | 4836 | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe | 82
- PID 3008 wrote to memory of 1020 | 3008 | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe | 87
- PID 3008 wrote to memory of 1020 | 3008 | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe | 87
- PID 3008 wrote to memory of 1020 | 3008 | 5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe | 87
Processes

- C:\Users\Admin\AppData\Local\Temp\5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe (PID 4836)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5084)
    Command line: powershell -nologo -noprofile
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe (PID 3008)
    Command line: "C:\Users\Admin\AppData\Local\Temp\5b244711ca1d9cf6a32e4907ee7da31d148d48e35559cc1dffcf5c1f76a0f2d0.exe"
    Signatures: Modifies data under HKEY_USERS; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1020)
      Command line: powershell -nologo -noprofile
      Signatures: Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe (PID 2988)
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      - C:\Windows\system32\netsh.exe (PID 2088)
        Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        Signatures: Modifies Windows Firewall
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2724)
      Command line: powershell -nologo -noprofile
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 680)
      Command line: powershell -nologo -noprofile
    - C:\Windows\rss\csrss.exe (PID 2260)
      Command line: C:\Windows\rss\csrss.exe
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4824)
        Command line: powershell -nologo -noprofile
      - C:\Windows\SYSTEM32\schtasks.exe (PID 4640)
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        Signatures: Creates scheduled task(s)
      - C:\Windows\SYSTEM32\schtasks.exe (PID 3056)
        Command line: schtasks /delete /tn ScheduledUpdate /f
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1532)
        Command line: powershell -nologo -noprofile
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5044)
        Command line: powershell -nologo -noprofile
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (PID 2768)
        Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      - C:\Windows\SYSTEM32\schtasks.exe (PID 2948)
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        Signatures: Creates scheduled task(s)
      - C:\Windows\windefender.exe (PID 3400)
        Command line: "C:\Windows\windefender.exe"
        - C:\Windows\SysWOW64\cmd.exe (PID 400)
          Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
          - C:\Windows\SysWOW64\sc.exe (PID 3820)
            Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            Signatures: Launches sc.exe
- C:\Windows\windefender.exe (PID 2564)
  Command line: C:\Windows\windefender.exe
Network
MITRE ATT&CK Enterprise v15
Downloads