Analysis
max time kernel: 13s
max time network: 17s
platform: windows11-21h2_x64
resource: win11-20240412-en
resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 19/04/2024, 19:27
Static task: static1
Behavioral task: behavioral1
  Sample: 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe
  Resource: win10v2004-20240412-en
Behavioral task: behavioral2
  Sample: 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe
  Resource: win11-20240412-en
General
Target: 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe
Size: 4.2MB
MD5: f1d83f9e7fbab49bf3dbef1f48b957df
SHA1: 22241766378b8dddefc21bf0d92bd3437004f090
SHA256: 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab
SHA512: 7e9462192049374219d806120e66d61d81e483dc0ead0704f810a457de93897338dfecd22f695ee42a4aeb4e3cd2fa6384635d29d6bfc9d9b0ed960382201d02
SSDEEP: 98304:jtwUIgr6Tu/hivXD0fl0IvZVjhgp1+mYFjvUcmYnimsjZaHei:Bw6rquKXDtU1Y2GYniVjUHH
Malware Config
Signatures
Glupteba payload 8 IoCs
resource | yara_rule
behavioral2/memory/2796-2-0x0000000004110000-0x00000000049FB000-memory.dmp | family_glupteba
behavioral2/memory/2796-3-0x0000000000400000-0x0000000001E08000-memory.dmp | family_glupteba
behavioral2/memory/2796-52-0x0000000000400000-0x0000000001E08000-memory.dmp | family_glupteba
behavioral2/memory/4044-54-0x0000000004130000-0x0000000004A1B000-memory.dmp | family_glupteba
behavioral2/memory/2796-55-0x0000000004110000-0x00000000049FB000-memory.dmp | family_glupteba
behavioral2/memory/4044-56-0x0000000000400000-0x0000000001E08000-memory.dmp | family_glupteba
behavioral2/memory/4044-137-0x0000000000400000-0x0000000001E08000-memory.dmp | family_glupteba
behavioral2/memory/4044-145-0x0000000000400000-0x0000000001E08000-memory.dmp | family_glupteba
Modifies Windows Firewall 2 TTPs 1 IoCs
pid | Process
1976 | netsh.exe
Executes dropped EXE 1 IoCs
pid | Process
4212 | csrss.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe
Drops file in System32 directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\rss | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe
File created | C:\Windows\rss\csrss.exe | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
4744 | 2796 | WerFault.exe | 78
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid | Process
3516 | powershell.exe
3516 | powershell.exe
2796 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe
2796 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe
772 | powershell.exe
772 | powershell.exe
4044 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe
4044 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe
4044 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe
4044 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe
4044 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe
4044 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe
4044 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe
4044 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe
4044 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe
4044 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe
688 | powershell.exe
688 | powershell.exe
3460 | powershell.exe
3460 | powershell.exe
4004 | powershell.exe
4004 | powershell.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3516 | powershell.exe
Token: SeDebugPrivilege | 2796 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe
Token: SeImpersonatePrivilege | 2796 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe
Token: SeDebugPrivilege | 772 | powershell.exe
Token: SeDebugPrivilege | 688 | powershell.exe
Token: SeDebugPrivilege | 3460 | powershell.exe
Token: SeDebugPrivilege | 4004 | powershell.exe
Suspicious use of WriteProcessMemory 22 IoCs
description | pid | Process | procid_target
PID 2796 wrote to memory of 3516 | 2796 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe | 81
PID 2796 wrote to memory of 3516 | 2796 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe | 81
PID 2796 wrote to memory of 3516 | 2796 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe | 81
PID 4044 wrote to memory of 772 | 4044 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe | 90
PID 4044 wrote to memory of 772 | 4044 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe | 90
PID 4044 wrote to memory of 772 | 4044 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe | 90
PID 4044 wrote to memory of 3660 | 4044 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe | 92
PID 4044 wrote to memory of 3660 | 4044 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe | 92
PID 3660 wrote to memory of 1976 | 3660 | cmd.exe | 94
PID 3660 wrote to memory of 1976 | 3660 | cmd.exe | 94
PID 4044 wrote to memory of 688 | 4044 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe | 95
PID 4044 wrote to memory of 688 | 4044 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe | 95
PID 4044 wrote to memory of 688 | 4044 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe | 95
PID 4044 wrote to memory of 3460 | 4044 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe | 97
PID 4044 wrote to memory of 3460 | 4044 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe | 97
PID 4044 wrote to memory of 3460 | 4044 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe | 97
PID 4044 wrote to memory of 4212 | 4044 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe | 99
PID 4044 wrote to memory of 4212 | 4044 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe | 99
PID 4044 wrote to memory of 4212 | 4044 | 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe | 99
PID 4212 wrote to memory of 4004 | 4212 | csrss.exe | 100
PID 4212 wrote to memory of 4004 | 4212 | csrss.exe | 100
PID 4212 wrote to memory of 4004 | 4212 | csrss.exe | 100
Processes
C:\Users\Admin\AppData\Local\Temp\0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe"
  PID: 2796
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -nologo -noprofile
      PID: 3516
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab.exe"
      PID: 4044
      - Adds Run key to start application
      - Checks for VirtualBox DLLs, possible anti-VM trick
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -nologo -noprofile
          PID: 772
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\cmd.exe
          Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
          PID: 3660
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\netsh.exe
              Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
              PID: 1976
              - Modifies Windows Firewall
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -nologo -noprofile
          PID: 688
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -nologo -noprofile
          PID: 3460
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\rss\csrss.exe
          Command line: C:\Windows\rss\csrss.exe
          PID: 4212
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command line: powershell -nologo -noprofile
              PID: 4004
              - Drops file in System32 directory
              - Modifies data under HKEY_USERS
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 1004
      PID: 4744
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2796 -ip 2796
  PID: 2412
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: d0c46cad6c0778401e21910bd6b56b70
SHA1: 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256: 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512: 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: c0f5a402458ff2b6b4c43cc0a23225c3
SHA1: e2a6ee91caeadb4e435b622d6cb1cc0bff647ea6
SHA256: a93b4fa736b783795545ef357a05044adad80b42966f6cd082201f93ed43912e
SHA512: 6d520161f89d00c4979e1b86a5ee6ca978d3a9b35588e28eb94893022cd4b889c7f990778f37d7caf69d02b1576a20ac57a433ed4a2d4ce040e4decd65f037a0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 52197caed2a7bab6323206c79071455d
SHA1: 4aae89ee5b06fd0274bb463ebc197ff8cb7da5fb
SHA256: 9d11371a297154fa51956cd063c83e432fe124c2eb5c58f23e37f4aecbe25e17
SHA512: bf25d9f192fb769500f525ebee7ee1f670387b9e432907572c5009537c9f9913d22e6ccfc7d7ecf7553fa2fb939fbe02235da287e235bcf5c353677f61ead562

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 6980f281250a491ed35d7d6c14b3643f
SHA1: bf0ef19b1d3208ddc9b7d377e36ba4b7c7d4eefd
SHA256: 7f801c0db785068092a9572fea2214647028e8da3657d25e785fcfba50334b3e
SHA512: 1a577e603a1ff1a39865862f44195dc87de8fe00dd9f0b72269a558a67ad964d12499eabf9762bd0d3e704916534f6af7b7b1d43ca7c7c895f634c059ab0cec2

Filesize: 4.2MB
MD5: f1d83f9e7fbab49bf3dbef1f48b957df
SHA1: 22241766378b8dddefc21bf0d92bd3437004f090
SHA256: 0702ab28c753661d7e4fc873f15e2954fc1dca1b604cada322ed8df4bca51bab
SHA512: 7e9462192049374219d806120e66d61d81e483dc0ead0704f810a457de93897338dfecd22f695ee42a4aeb4e3cd2fa6384635d29d6bfc9d9b0ed960382201d02