Analysis
max time kernel: 138s
max time network: 152s
platform: windows11-21h2_x64
resource: win11-20240412-en
resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 19/04/2024, 20:03
Static task: static1
Behavioral task: behavioral1
Sample: 0b647d445fa52b03f2a345b8ecffa10fd53f5e44a3be69e1290dccb64ece77c9.exe
Resource: win10v2004-20240412-en
General
Target: 0b647d445fa52b03f2a345b8ecffa10fd53f5e44a3be69e1290dccb64ece77c9.exe
Size: 4.2MB
MD5: d84397dede99042bb8edc878c1443c5a
SHA1: 830660be591f0a89704bd90181f4f79863507ed3
SHA256: 0b647d445fa52b03f2a345b8ecffa10fd53f5e44a3be69e1290dccb64ece77c9
SHA512: 73240b71af1fd30a8cf2f62ea30be071c127dcb6b165ca2dc69bfb091188d8b30902a89bfd9ef12c37c59ffe998b7c7643a5fa8799079ec751276940ddc7017b
SSDEEP: 98304:B00QK3N3Jc8wpX9Ml+P+WnP01raAvqFLRTemOJzdkXGl:TpJcNpX++PyaASVpB6kA
Malware Config
Signatures
Glupteba payload 20 IoCs
Modifies Windows Firewall 2 TTPs 1 IoCs
pid | Process
3688 | netsh.exe
Executes dropped EXE 4 IoCs
pid | Process
280 | csrss.exe
2032 | injector.exe
2848 | windefender.exe
4064 | windefender.exe
resource | yara_rule
behavioral2/files/0x000200000002a9e7-237.dat | upx
behavioral2/memory/2848-241-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
behavioral2/memory/4064-244-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
behavioral2/memory/4064-248-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | 0b647d445fa52b03f2a345b8ecffa10fd53f5e44a3be69e1290dccb64ece77c9.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | csrss.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
description | ioc | Process
File opened for modification | \??\WinMonFS | csrss.exe
Drops file in System32 directory 7 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | 0b647d445fa52b03f2a345b8ecffa10fd53f5e44a3be69e1290dccb64ece77c9.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\windefender.exe | csrss.exe
File opened for modification | C:\Windows\windefender.exe | csrss.exe
File opened for modification | C:\Windows\rss | 0b647d445fa52b03f2a345b8ecffa10fd53f5e44a3be69e1290dccb64ece77c9.exe
File created | C:\Windows\rss\csrss.exe | 0b647d445fa52b03f2a345b8ecffa10fd53f5e44a3be69e1290dccb64ece77c9.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
4360 | sc.exe
Program crash 2 IoCs
pid | pid_target | Process | procid_target
4620 | 2328 | WerFault.exe | 81
4112 | 4948 | WerFault.exe | 89
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
572 | schtasks.exe
2500 | schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 12 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2328 | powershell.exe
Token: SeDebugPrivilege | 4160 | 0b647d445fa52b03f2a345b8ecffa10fd53f5e44a3be69e1290dccb64ece77c9.exe
Token: SeImpersonatePrivilege | 4160 | 0b647d445fa52b03f2a345b8ecffa10fd53f5e44a3be69e1290dccb64ece77c9.exe
Token: SeDebugPrivilege | 1676 | powershell.exe
Token: SeDebugPrivilege | 4380 | powershell.exe
Token: SeDebugPrivilege | 3700 | powershell.exe
Token: SeDebugPrivilege | 1792 | powershell.exe
Token: SeDebugPrivilege | 2576 | powershell.exe
Token: SeDebugPrivilege | 2108 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 280 | csrss.exe
Token: SeSecurityPrivilege | 4360 | sc.exe
Token: SeSecurityPrivilege | 4360 | sc.exe
Suspicious use of WriteProcessMemory 36 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\0b647d445fa52b03f2a345b8ecffa10fd53f5e44a3be69e1290dccb64ece77c9.exe (PID 4160)
  command line: "C:\Users\Admin\AppData\Local\Temp\0b647d445fa52b03f2a345b8ecffa10fd53f5e44a3be69e1290dccb64ece77c9.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2328)
    command line: powershell -nologo -noprofile
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe (PID 4620)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 2364
      - Program crash
  C:\Users\Admin\AppData\Local\Temp\0b647d445fa52b03f2a345b8ecffa10fd53f5e44a3be69e1290dccb64ece77c9.exe (PID 4948)
    command line: "C:\Users\Admin\AppData\Local\Temp\0b647d445fa52b03f2a345b8ecffa10fd53f5e44a3be69e1290dccb64ece77c9.exe"
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1676)
      command line: powershell -nologo -noprofile
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe (PID 1600)
      command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\netsh.exe (PID 3688)
        command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        - Modifies Windows Firewall
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4380)
      command line: powershell -nologo -noprofile
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3700)
      command line: powershell -nologo -noprofile
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\rss\csrss.exe (PID 280)
      command line: C:\Windows\rss\csrss.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Manipulates WinMonFS driver.
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1792)
        command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SYSTEM32\schtasks.exe (PID 572)
        command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        - Creates scheduled task(s)
      C:\Windows\SYSTEM32\schtasks.exe (PID 1672)
        command line: schtasks /delete /tn ScheduledUpdate /f
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2576)
        command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2108)
        command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (PID 2032)
        command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
      C:\Windows\SYSTEM32\schtasks.exe (PID 2500)
        command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        - Creates scheduled task(s)
      C:\Windows\windefender.exe (PID 2848)
        command line: "C:\Windows\windefender.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 4468)
          command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\sc.exe (PID 4360)
            command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            - Launches sc.exe
            - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe (PID 4112)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 828
      - Program crash
C:\Windows\SysWOW64\WerFault.exe (PID 4408)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2328 -ip 2328
C:\Windows\SysWOW64\WerFault.exe (PID 2088)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4948 -ip 4948
C:\Windows\windefender.exe (PID 4064)
  command line: C:\Windows\windefender.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Downloads