Analysis
max time kernel: 152s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 19/04/2024, 19:26
Static task: static1
Behavioral task: behavioral1
Sample: 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Resource: win10v2004-20240226-en
General
Target: 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Size: 4.2MB
MD5: 0865723cd92439d03cbc8f84d2f4adbd
SHA1: 9e6bc45a5748a51e2a835c64c7d1907e6122c533
SHA256: 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa
SHA512: 375bfc107cc7e0fa7df3b051fcb466edc79f9a38dd03e7dda2793bcfd53a6954dc27837e519b0cedd35981f2a91ffafcab2ba2de43015c59b9a24b84c01f5bdf
SSDEEP: 98304:rtwUIgr6Tu/hivXD0fl0IvZVjhgp1+mYFjvUcmYnimsjZaHe8:5w6rquKXDtU1Y2GYniVjUHB
Malware Config
Signatures
Glupteba payload (13 IoCs)
resource | yara_rule
behavioral1/memory/4836-2-0x0000000003EE0000-0x00000000047CB000-memory.dmp | family_glupteba
behavioral1/memory/4836-3-0x0000000000400000-0x0000000001E08000-memory.dmp | family_glupteba
behavioral1/memory/4836-4-0x0000000000400000-0x0000000001E08000-memory.dmp | family_glupteba
behavioral1/memory/4836-5-0x0000000000400000-0x0000000001E08000-memory.dmp | family_glupteba
behavioral1/memory/4836-7-0x0000000003EE0000-0x00000000047CB000-memory.dmp | family_glupteba
behavioral1/memory/4836-8-0x0000000000400000-0x0000000001E08000-memory.dmp | family_glupteba
behavioral1/memory/4836-37-0x0000000000400000-0x0000000001E08000-memory.dmp | family_glupteba
behavioral1/memory/4836-40-0x0000000000400000-0x0000000001E08000-memory.dmp | family_glupteba
behavioral1/memory/4836-71-0x0000000000400000-0x0000000001E08000-memory.dmp | family_glupteba
behavioral1/memory/3888-74-0x0000000000400000-0x0000000001E08000-memory.dmp | family_glupteba
behavioral1/memory/3888-107-0x0000000000400000-0x0000000001E08000-memory.dmp | family_glupteba
behavioral1/memory/3888-137-0x0000000000400000-0x0000000001E08000-memory.dmp | family_glupteba
behavioral1/memory/3888-171-0x0000000000400000-0x0000000001E08000-memory.dmp | family_glupteba
Modifies Windows Firewall (2 TTPs, 1 IoC)
pid | Process
884 | netsh.exe
Drops file in System32 directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
Checks for VirtualBox DLLs, possible anti-VM trick (1 TTPs, 1 IoC)
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
2044 | 4836 | WerFault.exe | 88
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Suspicious behavior: EnumeratesProcesses (23 IoCs)
pid | Process
2304 | powershell.exe
2304 | powershell.exe
4836 | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
4836 | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
2824 | powershell.exe
2824 | powershell.exe
2824 | powershell.exe
3888 | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
3888 | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
3888 | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
3888 | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
3888 | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
3888 | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
3888 | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
3888 | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
3888 | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
3888 | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
3612 | powershell.exe
3612 | powershell.exe
3612 | powershell.exe
4920 | powershell.exe
4920 | powershell.exe
4920 | powershell.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2304 | powershell.exe
Token: SeDebugPrivilege | 4836 | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Token: SeImpersonatePrivilege | 4836 | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
Token: SeDebugPrivilege | 2824 | powershell.exe
Token: SeDebugPrivilege | 3612 | powershell.exe
Token: SeDebugPrivilege | 4920 | powershell.exe
Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | Process | procid_target
PID 4836 wrote to memory of 2304 | 4836 | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe | 91
PID 4836 wrote to memory of 2304 | 4836 | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe | 91
PID 4836 wrote to memory of 2304 | 4836 | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe | 91
PID 3888 wrote to memory of 2824 | 3888 | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe | 106
PID 3888 wrote to memory of 2824 | 3888 | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe | 106
PID 3888 wrote to memory of 2824 | 3888 | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe | 106
PID 3888 wrote to memory of 1372 | 3888 | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe | 108
PID 3888 wrote to memory of 1372 | 3888 | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe | 108
PID 1372 wrote to memory of 884 | 1372 | cmd.exe | 110
PID 1372 wrote to memory of 884 | 1372 | cmd.exe | 110
PID 3888 wrote to memory of 3612 | 3888 | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe | 111
PID 3888 wrote to memory of 3612 | 3888 | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe | 111
PID 3888 wrote to memory of 3612 | 3888 | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe | 111
PID 3888 wrote to memory of 4920 | 3888 | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe | 113
PID 3888 wrote to memory of 4920 | 3888 | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe | 113
PID 3888 wrote to memory of 4920 | 3888 | 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe | 113
Processes
(Process tree; indentation shows parent/child depth.)
C:\Users\Admin\AppData\Local\Temp\0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe (PID:4836)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID:2304)
    Command line: powershell -nologo -noprofile
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe (PID:3888)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe"
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID:2824)
      Command line: powershell -nologo -noprofile
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe (PID:1372)
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\netsh.exe (PID:884)
        Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        - Modifies Windows Firewall
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID:3612)
      Command line: powershell -nologo -noprofile
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID:4920)
      Command line: powershell -nologo -noprofile
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\rss\csrss.exe (PID:228)
      Command line: C:\Windows\rss\csrss.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID:1804)
        Command line: powershell -nologo -noprofile
  C:\Windows\SysWOW64\WerFault.exe (PID:2044)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 860
    - Program crash
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:4560)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\WerFault.exe (PID:3688)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4836 -ip 4836
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: 968cb9309758126772781b83adb8a28f
SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 2f00a912cb13e3d5cdfef5aecd824069
SHA1: 77eb1f2730d127087e61b7bb88be2827ff8b24a3
SHA256: ffd2b0aeb2eb88ac296eb574dd96c4edaa95f6a7a83ffcf30002ee8a244a37e6
SHA512: 1b88416f3fa4ebe180466973136369bc503dabde1155bc936b30508c2b749664529ca2927a8d076cd5a8d311d1b55b7e08c2cd57df29760e246345eb2c7b3e8c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 3d96daf9d73dde4648550d28ed53430b
SHA1: 8354246d93aa7ac911be747f987e5045c94d40de
SHA256: 652f8e477c42ce50a268d9fcc37aa43845b0e40d887590bd30005903da61bd9d
SHA512: 8f8e401d45ee9735984fff4f67e66a8788783301e9a7a3b0fff7b9a0927aea9f93ae8ea9ac810e8bc6071ab15925cd134b7296ee0b6dd0911fd6a0c85c453d74

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 6f90b544cb3540317ce5e62e470c4917
SHA1: b31820eb0082e46a639446afd9995f6f33d83cd2
SHA256: 5c09414f9e595377785524a0962c9a7c4da1ad8207d670528169325a89395726
SHA512: 261e2610199deb0b3075516d9345bfef9ece063e1d43668c893e4025a57e8432a24b09a384d625b75070d509004429335a737f9665f22a2a844cb269a6fc59b0

Filesize: 4.2MB
MD5: 0865723cd92439d03cbc8f84d2f4adbd
SHA1: 9e6bc45a5748a51e2a835c64c7d1907e6122c533
SHA256: 0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa
SHA512: 375bfc107cc7e0fa7df3b051fcb466edc79f9a38dd03e7dda2793bcfd53a6954dc27837e519b0cedd35981f2a91ffafcab2ba2de43015c59b9a24b84c01f5bdf