Analysis

max time kernel: 16s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20240412-en
resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 17/04/2024, 20:03

Static task: static1
Behavioral task: behavioral1
Sample: 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe
Resource: win10v2004-20240226-en

General

Target: 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe
Size: 4.2MB
MD5: 62dc86ed5cec63e5ccb959c407a4a591
SHA1: 2070a84ba529d62ee28745bbc5c810bfbb9b721c
SHA256: 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1
SHA512: de79eeef9db2c8ffc50fc843a397f3bd48d61a52287ecc13ab32093a4405bf3c338cb87f4bf71f76c1e7e6e30dca6a4cc683657009558ff6b7ac11295884dc3c
SSDEEP: 98304:RU4Iq03aI5N3yqqHwBEspKQ2DvCGo03KUue+TU:DIh7By/QBEsp+2hnfU
Malware Config
Signatures
Glupteba payload (14 IoCs)
resource | yara_rule
behavioral2/memory/1404-2-0x0000000005360000-0x0000000005C4B000-memory.dmp | family_glupteba
behavioral2/memory/1404-3-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral2/memory/3396-53-0x0000000005230000-0x0000000005B1B000-memory.dmp | family_glupteba
behavioral2/memory/3396-63-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral2/memory/1404-79-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral2/memory/3396-203-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral2/memory/4800-229-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral2/memory/4800-247-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral2/memory/4800-263-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral2/memory/4800-279-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral2/memory/4800-295-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral2/memory/4800-311-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral2/memory/4800-327-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral2/memory/4800-343-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
Modifies Windows Firewall (2 TTPs, 1 IoC)
pid | Process
3884 | netsh.exe

Executes dropped EXE (1 IoC)
pid | Process
4800 | csrss.exe

Yara rule match: upx (3 IoCs)
resource | yara_rule
behavioral2/memory/1904-244-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
behavioral2/memory/580-261-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
behavioral2/memory/580-293-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory (6 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick (1 TTP, 1 IoC)
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\rss | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe
File created | C:\Windows\rss\csrss.exe | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe
Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
pid | Process
1468 | sc.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2576 | schtasks.exe
1492 | schtasks.exe

Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses (26 IoCs)
pid | Process
2224 | powershell.exe
2224 | powershell.exe
1404 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe
1404 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe
768 | powershell.exe
768 | powershell.exe
3396 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe
3396 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe
3396 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe
3396 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe
3396 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe
3396 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe
3396 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe
3396 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe
3396 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe
3396 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe
1468 | powershell.exe
1468 | powershell.exe
1724 | powershell.exe
1724 | powershell.exe
1448 | powershell.exe
1448 | powershell.exe
2752 | powershell.exe
2752 | powershell.exe
3388 | powershell.exe
3388 | powershell.exe

Suspicious use of AdjustPrivilegeToken (9 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2224 | powershell.exe
Token: SeDebugPrivilege | 1404 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe
Token: SeImpersonatePrivilege | 1404 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe
Token: SeDebugPrivilege | 768 | powershell.exe
Token: SeDebugPrivilege | 1468 | powershell.exe
Token: SeDebugPrivilege | 1724 | powershell.exe
Token: SeDebugPrivilege | 1448 | powershell.exe
Token: SeDebugPrivilege | 2752 | powershell.exe
Token: SeDebugPrivilege | 3388 | powershell.exe

Suspicious use of WriteProcessMemory (19 IoCs)
description | pid | Process | procid_target
PID 1404 wrote to memory of 2224 | 1404 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe | 82
PID 1404 wrote to memory of 2224 | 1404 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe | 82
PID 1404 wrote to memory of 2224 | 1404 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe | 82
PID 3396 wrote to memory of 768 | 3396 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe | 87
PID 3396 wrote to memory of 768 | 3396 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe | 87
PID 3396 wrote to memory of 768 | 3396 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe | 87
PID 3396 wrote to memory of 1908 | 3396 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe | 89
PID 3396 wrote to memory of 1908 | 3396 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe | 89
PID 1908 wrote to memory of 3884 | 1908 | cmd.exe | 91
PID 1908 wrote to memory of 3884 | 1908 | cmd.exe | 91
PID 3396 wrote to memory of 1468 | 3396 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe | 114
PID 3396 wrote to memory of 1468 | 3396 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe | 114
PID 3396 wrote to memory of 1468 | 3396 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe | 114
PID 3396 wrote to memory of 1724 | 3396 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe | 94
PID 3396 wrote to memory of 1724 | 3396 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe | 94
PID 3396 wrote to memory of 1724 | 3396 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe | 94
PID 3396 wrote to memory of 4800 | 3396 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe | 96
PID 3396 wrote to memory of 4800 | 3396 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe | 96
PID 3396 wrote to memory of 4800 | 3396 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe | 96

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Process tree (each child is indented under its parent):

C:\Users\Admin\AppData\Local\Temp\71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe (PID 1404)
  Command line: "C:\Users\Admin\AppData\Local\Temp\71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2224)
    Command line: powershell -nologo -noprofile
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe (PID 3396)
    Command line: "C:\Users\Admin\AppData\Local\Temp\71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe"
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 768)
      Command line: powershell -nologo -noprofile
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe (PID 1908)
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\netsh.exe (PID 3884)
        Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        - Modifies Windows Firewall

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1468)
      Command line: powershell -nologo -noprofile
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1724)
      Command line: powershell -nologo -noprofile
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\rss\csrss.exe (PID 4800)
      Command line: C:\Windows\rss\csrss.exe
      - Executes dropped EXE

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1448)
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SYSTEM32\schtasks.exe (PID 1492)
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        - Creates scheduled task(s)

      C:\Windows\SYSTEM32\schtasks.exe (PID 3620)
        Command line: schtasks /delete /tn ScheduledUpdate /f

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2752)
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3388)
        Command line: powershell -nologo -noprofile
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (PID 784)
        Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

      C:\Windows\SYSTEM32\schtasks.exe (PID 2576)
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        - Creates scheduled task(s)

      C:\Windows\windefender.exe (PID 1904)
        Command line: "C:\Windows\windefender.exe"

        C:\Windows\SysWOW64\cmd.exe (PID 1584)
          Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

          C:\Windows\SysWOW64\sc.exe (PID 1468)
            Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            - Launches sc.exe

C:\Windows\windefender.exe (PID 580)
  Command line: C:\Windows\windefender.exe
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Downloads