Analysis
max time kernel: 27s
max time network: 8s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/04/2024, 20:24
Static task: static1
Behavioral task: behavioral1
Sample: b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
Resource: win10v2004-20240412-en
General
Target: b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
Size: 4.2MB
MD5: a37aafd52fa58b0518a5abfc1126a3bd
SHA1: 3d8eb1846a4bb16442012e45675533e44d1f49e2
SHA256: b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f
SHA512: ddeab36141f0aaa88f56200dba786681a3cd47ecf4d3e731d015ce0b430571d8845fc1c7449b3ee8058415b9bbcd41024d4f2086e7eb0699385ced41083af622
SSDEEP: 98304:uRe06RCZ8qdKnAdKFoI0tkW+Km95muXXLdVYjOy3P9U/:zUuqUAddtM55murAiy92
Malware Config
Signatures
Glupteba payload (7 IoCs)
resource | yara_rule
- behavioral1/memory/3440-2-0x00000000051F0000-0x0000000005ADB000-memory.dmp | family_glupteba
- behavioral1/memory/3440-3-0x0000000000400000-0x0000000003009000-memory.dmp | family_glupteba
- behavioral1/memory/3440-54-0x0000000000400000-0x0000000003009000-memory.dmp | family_glupteba
- behavioral1/memory/3440-56-0x00000000051F0000-0x0000000005ADB000-memory.dmp | family_glupteba
- behavioral1/memory/3516-58-0x0000000000400000-0x0000000003009000-memory.dmp | family_glupteba
- behavioral1/memory/3516-119-0x00000000033F0000-0x00000000037F3000-memory.dmp | family_glupteba
- behavioral1/memory/3516-137-0x0000000000400000-0x0000000003009000-memory.dmp | family_glupteba

Modifies Windows Firewall (2 TTPs, 1 IoC)
pid | Process
- 312 | netsh.exe

Drops file in System32 directory (4 IoCs)
description | ioc | Process
- File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
- File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick (1 TTP, 1 IoC)
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | Process
- File opened (read-only) | \??\VBoxMiniRdrDN | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe

Program crash (1 IoC)
pid | pid_target | Process | procid_target
- 2920 | 3440 | WerFault.exe | 82
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid | Process
- 872 | powershell.exe
- 872 | powershell.exe
- 3440 | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- 3440 | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- 3532 | powershell.exe
- 3532 | powershell.exe
- 3516 | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- 3516 | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- 3516 | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- 3516 | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- 3516 | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- 3516 | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- 3516 | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- 3516 | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- 3516 | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- 3516 | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- 2964 | powershell.exe
- 2964 | powershell.exe
- 4648 | powershell.exe
- 4648 | powershell.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 872 | powershell.exe
- Token: SeDebugPrivilege | 3440 | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Token: SeImpersonatePrivilege | 3440 | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe
- Token: SeDebugPrivilege | 3532 | powershell.exe
- Token: SeDebugPrivilege | 2964 | powershell.exe
- Token: SeDebugPrivilege | 4648 | powershell.exe

Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | Process | procid_target
- PID 3440 wrote to memory of 872 | 3440 | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe | 88
- PID 3440 wrote to memory of 872 | 3440 | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe | 88
- PID 3440 wrote to memory of 872 | 3440 | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe | 88
- PID 3516 wrote to memory of 3532 | 3516 | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe | 100
- PID 3516 wrote to memory of 3532 | 3516 | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe | 100
- PID 3516 wrote to memory of 3532 | 3516 | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe | 100
- PID 3516 wrote to memory of 2824 | 3516 | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe | 102
- PID 3516 wrote to memory of 2824 | 3516 | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe | 102
- PID 2824 wrote to memory of 312 | 2824 | cmd.exe | 104
- PID 2824 wrote to memory of 312 | 2824 | cmd.exe | 104
- PID 3516 wrote to memory of 2964 | 3516 | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe | 105
- PID 3516 wrote to memory of 2964 | 3516 | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe | 105
- PID 3516 wrote to memory of 2964 | 3516 | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe | 105
- PID 3516 wrote to memory of 4648 | 3516 | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe | 107
- PID 3516 wrote to memory of 4648 | 3516 | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe | 107
- PID 3516 wrote to memory of 4648 | 3516 | b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe | 107
Processes
(process tree; nesting reflects parent/child depth as recorded in the report)
- C:\Users\Admin\AppData\Local\Temp\b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe (PID 3440)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 872)
    Command line: powershell -nologo -noprofile
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe (PID 3516)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b737257b9c3b41c65049dff6096f09d2d1eb787a2a7ea92f65b64b86fed5c84f.exe"
    Signatures: Checks for VirtualBox DLLs, possible anti-VM trick; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3532)
      Command line: powershell -nologo -noprofile
      Signatures: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe (PID 2824)
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\netsh.exe (PID 312)
        Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        Signatures: Modifies Windows Firewall
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2964)
      Command line: powershell -nologo -noprofile
      Signatures: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4648)
      Command line: powershell -nologo -noprofile
      Signatures: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID 2920)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 876
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 60)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3440 -ip 3440
Network
MITRE ATT&CK Enterprise v15
Downloads
- (path not recorded in the report)
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 3d086a433708053f9bf9523e1d87a4e8
  SHA1: b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
  SHA256: 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
  SHA512: 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 567f6b3ce71b3fc75443c689eb8971f8
  SHA1: 095f8089b1d31b3c2514deec44cadf5922fbb36a
  SHA256: 863b24d7378332b0842aef3b38e0a4acbd6f5f730c992c51336fd387feb672e1
  SHA512: 5a2f3419c7ad8997637b439280f67bfc9b7a17760e66e95ef1acf32ffa77311a99558674ce61dc126ea018a273dabebc31a872a91dbeabe9400cc63aaa8f750f
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: c39267371a21754ab7243c43efc83a44
  SHA1: 03fc23c96e07424fe206f15e4fc48610b017abb5
  SHA256: 60f46691cee8e0606a6c3afa2120d8353b4cc0262c6f872b074b2c6dbf1a302f
  SHA512: d039d4f45e34f13669ea9751da00a38e9d88019f733346779abfd9593954054c8f214bd0ea7578b4db4ab70ff9a5c204a048f4a408a0e6f2dc21aab26c5e1823