Analysis
max time kernel
147s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted
19/04/2024, 19:26
Static task
static1
Behavioral task
behavioral1
Sample
c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe
Resource
win10v2004-20240226-en
General
Target
c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe
Size
4.2MB
MD5
a7c99d11e0a3f11864ee6b71bf2f4b08
SHA1
c50f1b9ddaa06a55e0d6abba687d77a482bb2408
SHA256
c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97
SHA512
84bfb379a80980fb909b59a4e3a24e922b6d93647f61c77794e5ab09e1d6fcd95f70abf0e9f804742146f3176413aae54267c9bdf52023ab4c548a234c9fea60
SSDEEP
98304:TtwUIgr6Tu/hivXD0fl0IvZVjhgp1+mYFjvUcmYnimsjZaHeF:Rw6rquKXDtU1Y2GYniVjUHw
Malware Config
Signatures
Glupteba payload 13 IoCs
resource yara_rule
behavioral1/memory/392-2-0x0000000004170000-0x0000000004A5B000-memory.dmp family_glupteba
behavioral1/memory/392-3-0x0000000000400000-0x0000000001E08000-memory.dmp family_glupteba
behavioral1/memory/392-4-0x0000000000400000-0x0000000001E08000-memory.dmp family_glupteba
behavioral1/memory/392-5-0x0000000000400000-0x0000000001E08000-memory.dmp family_glupteba
behavioral1/memory/392-7-0x0000000000400000-0x0000000001E08000-memory.dmp family_glupteba
behavioral1/memory/392-8-0x0000000004170000-0x0000000004A5B000-memory.dmp family_glupteba
behavioral1/memory/392-39-0x0000000000400000-0x0000000001E08000-memory.dmp family_glupteba
behavioral1/memory/392-55-0x0000000000400000-0x0000000001E08000-memory.dmp family_glupteba
behavioral1/memory/3480-73-0x0000000000400000-0x0000000001E08000-memory.dmp family_glupteba
behavioral1/memory/392-101-0x0000000000400000-0x0000000001E08000-memory.dmp family_glupteba
behavioral1/memory/3480-106-0x0000000000400000-0x0000000001E08000-memory.dmp family_glupteba
behavioral1/memory/3480-141-0x0000000000400000-0x0000000001E08000-memory.dmp family_glupteba
behavioral1/memory/3480-174-0x0000000000400000-0x0000000001E08000-memory.dmp family_glupteba
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process
5096 netsh.exe
Drops file in System32 directory 2 IoCs
description ioc Process
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process
File opened (read-only) \??\VBoxMiniRdrDN c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
1180 schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process (occurrences)
4640 powershell.exe (2)
392 c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe (2)
4692 powershell.exe (3)
3480 c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe (10)
548 powershell.exe (3)
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process
Token: SeDebugPrivilege 4640 powershell.exe
Token: SeDebugPrivilege 392 c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe
Token: SeImpersonatePrivilege 392 c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe
Token: SeDebugPrivilege 4692 powershell.exe
Token: SeDebugPrivilege 548 powershell.exe
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target (occurrences)
PID 392 wrote to memory of 4640 392 c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe 93 (3)
PID 3480 wrote to memory of 4692 3480 c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe 105 (3)
PID 3480 wrote to memory of 3180 3480 c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe 107 (2)
PID 3180 wrote to memory of 5096 3180 cmd.exe 109 (2)
PID 3480 wrote to memory of 548 3480 c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe 110 (3)
Processes

C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe (depth 1, PID 392)
Command line: "C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 4640)
  Command line: powershell -nologo -noprofile
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe (depth 2, PID 3480)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe"
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 4692)
    Command line: powershell -nologo -noprofile
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe (depth 3, PID 3180)
    Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    - Suspicious use of WriteProcessMemory

      C:\Windows\system32\netsh.exe (depth 4, PID 5096)
      Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      - Modifies Windows Firewall

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 548)
    Command line: powershell -nologo -noprofile
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 4768)
    Command line: powershell -nologo -noprofile

    C:\Windows\rss\csrss.exe (depth 3, PID 2932)
    Command line: C:\Windows\rss\csrss.exe

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4, PID 3192)
      Command line: powershell -nologo -noprofile

      C:\Windows\SYSTEM32\schtasks.exe (depth 4, PID 1180)
      Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      - Creates scheduled task(s)

      C:\Windows\SYSTEM32\schtasks.exe (depth 4, PID 2120)
      Command line: schtasks /delete /tn ScheduledUpdate /f

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4, PID 1200)
      Command line: powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, PID 1140)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4328 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize 2KB
MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 fe19d077d9758a1110ca6fb959381b2a
SHA1 a5067c7a312a8f5e1dcdf514c887c4bb95914453
SHA256 bee0f7c695a842f904eb670dd59145f80ae545adf0cd30fe7eb2faf22087b610
SHA512 78ce866f8404ea55a0dc2500cb2dd78ddfeb2d9a3b6d8c351d29a010903f36771cd39f1a30504d1de569b01ec788d2d1e346bb99040c3fe8da53c3e0e2d998f1

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 9b8f8f2ca284ff2233b2b6b0535d8c54
SHA1 937401e7e12df621aeb121311d7b2844c1a66fc8
SHA256 176ff6aac4db9b0de175f95e1684f04a7e65821dd582c799e097bad1c0f9da8f
SHA512 08a48b98e9a0706541868a57dae715fd676faf94b6822e18101b744076c7d55cc64b4354e7a3832cd098ceaddcfcaf0792e17b8470ceaa7c1b9d0dc1d635627b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 0481eca8ee54e7189373c4416e433e4a
SHA1 6e5da27b5b7a6a292395360588b0f5034b21d66d
SHA256 6873738fb83dfc6be82dfe94e7883dae8a44fd51b394eab1b55530822b143818
SHA512 af7a61b34a2316d5bb8f31d388ccdfae6bb1ddf047005d5327915d09ecb1674b95194a5880afd498a91c1db7e852022cb4f0f846e4ec28cde90fcf71b5a43c00

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 b89416c851d81b0349ad16367965b0a8
SHA1 602b54aa8610df4f999cc0712d9c3222e55c17da
SHA256 ea6bf4b296e8a80927371ab79e3a6c38991e0b50d7370a95801134f7a512b8cb
SHA512 aaad4c99dc5891ab8b4c90d936e58347e07a401ed423b89753ab735157efa172a7aaf5c74a1a3c4f230d39133b2a25e054ee1869b7893d11a9e2a2c76a592a7e

Filesize 4.2MB
MD5 a7c99d11e0a3f11864ee6b71bf2f4b08
SHA1 c50f1b9ddaa06a55e0d6abba687d77a482bb2408
SHA256 c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97
SHA512 84bfb379a80980fb909b59a4e3a24e922b6d93647f61c77794e5ab09e1d6fcd95f70abf0e9f804742146f3176413aae54267c9bdf52023ab4c548a234c9fea60