Analysis
max time kernel: 128s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/04/2024, 20:06
Static task: static1
Behavioral task: behavioral1
Sample: b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Resource: win10v2004-20240226-en
General
Target: b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Size: 4.2MB
MD5: 7811f765982ff3ca394c88179e364f11
SHA1: 25b4250522b4e48cc6c3c8cfd48242e7441f4bf4
SHA256: b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d
SHA512: 02c7109a9ec34435feab5108687b01dedb8b14de492e8a3fa47dda55a4d0b9dff982932e16642c96696d30a82a89376bed0951f6a61dcbc4c3a9fe4d1aeae7cd
SSDEEP: 98304:B00QK3N3Jc8wpX9Ml+P+WnP01raAvqFLRTemOJzdkXG2:TpJcNpX++PyaASVpB6kP
Malware Config
Signatures
-
Glupteba payload 16 IoCs
resource | yara_rule
behavioral1/memory/3080-2-0x0000000004170000-0x0000000004A5B000-memory.dmp | family_glupteba
behavioral1/memory/3080-3-0x0000000000400000-0x0000000001E06000-memory.dmp | family_glupteba
behavioral1/memory/3080-4-0x0000000000400000-0x0000000001E06000-memory.dmp | family_glupteba
behavioral1/memory/3080-6-0x0000000000400000-0x0000000001E06000-memory.dmp | family_glupteba
behavioral1/memory/3080-10-0x0000000004170000-0x0000000004A5B000-memory.dmp | family_glupteba
behavioral1/memory/3080-38-0x0000000000400000-0x0000000001E06000-memory.dmp | family_glupteba
behavioral1/memory/3080-63-0x0000000000400000-0x0000000001E06000-memory.dmp | family_glupteba
behavioral1/memory/3060-69-0x0000000000400000-0x0000000001E06000-memory.dmp | family_glupteba
behavioral1/memory/3080-84-0x0000000000400000-0x0000000001E06000-memory.dmp | family_glupteba
behavioral1/memory/3060-103-0x0000000000400000-0x0000000001E06000-memory.dmp | family_glupteba
behavioral1/memory/3060-119-0x0000000000400000-0x0000000001E06000-memory.dmp | family_glupteba
behavioral1/memory/3060-152-0x0000000000400000-0x0000000001E06000-memory.dmp | family_glupteba
behavioral1/memory/3060-172-0x0000000000400000-0x0000000001E06000-memory.dmp | family_glupteba
behavioral1/memory/3968-207-0x0000000000400000-0x0000000001E06000-memory.dmp | family_glupteba
behavioral1/memory/3968-267-0x0000000000400000-0x0000000001E06000-memory.dmp | family_glupteba
behavioral1/memory/3968-275-0x0000000000400000-0x0000000001E06000-memory.dmp | family_glupteba
Modifies Windows Firewall 2 TTPs 1 IoCs
pid | Process
3336 | netsh.exe
Executes dropped EXE 1 IoCs
pid | Process
3968 | csrss.exe
resource | yara_rule
behavioral1/files/0x0004000000000749-278.dat | upx
behavioral1/memory/3836-282-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 5 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\rss | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
File created | C:\Windows\rss\csrss.exe | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
3044 | sc.exe
Program crash 2 IoCs
pid | pid_target | Process | procid_target
3776 | 3080 | WerFault.exe | 89
3108 | 3060 | WerFault.exe | 102
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3652 | schtasks.exe
4452 | schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid | Process
4548 | powershell.exe
4548 | powershell.exe
4548 | powershell.exe
3080 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
3080 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
4672 | powershell.exe
4672 | powershell.exe
4672 | powershell.exe
3060 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
3060 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
3060 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
3060 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
3060 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
3060 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
3060 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
3060 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
3060 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
3060 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
5100 | powershell.exe
5100 | powershell.exe
5100 | powershell.exe
3644 | powershell.exe
3644 | powershell.exe
3644 | powershell.exe
2320 | powershell.exe
2320 | powershell.exe
2320 | powershell.exe
2960 | powershell.exe
2960 | powershell.exe
2960 | powershell.exe
Suspicious use of AdjustPrivilegeToken 8 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4548 | powershell.exe
Token: SeDebugPrivilege | 3080 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Token: SeImpersonatePrivilege | 3080 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
Token: SeDebugPrivilege | 4672 | powershell.exe
Token: SeDebugPrivilege | 5100 | powershell.exe
Token: SeDebugPrivilege | 3644 | powershell.exe
Token: SeDebugPrivilege | 2320 | powershell.exe
Token: SeDebugPrivilege | 2960 | powershell.exe
Suspicious use of WriteProcessMemory 25 IoCs
description | pid | Process | procid_target
PID 3080 wrote to memory of 4548 | 3080 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe | 91
PID 3080 wrote to memory of 4548 | 3080 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe | 91
PID 3080 wrote to memory of 4548 | 3080 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe | 91
PID 3060 wrote to memory of 4672 | 3060 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe | 105
PID 3060 wrote to memory of 4672 | 3060 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe | 105
PID 3060 wrote to memory of 4672 | 3060 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe | 105
PID 3060 wrote to memory of 4784 | 3060 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe | 108
PID 3060 wrote to memory of 4784 | 3060 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe | 108
PID 4784 wrote to memory of 3336 | 4784 | cmd.exe | 110
PID 4784 wrote to memory of 3336 | 4784 | cmd.exe | 110
PID 3060 wrote to memory of 5100 | 3060 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe | 111
PID 3060 wrote to memory of 5100 | 3060 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe | 111
PID 3060 wrote to memory of 5100 | 3060 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe | 111
PID 3060 wrote to memory of 3644 | 3060 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe | 113
PID 3060 wrote to memory of 3644 | 3060 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe | 113
PID 3060 wrote to memory of 3644 | 3060 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe | 113
PID 3060 wrote to memory of 3968 | 3060 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe | 115
PID 3060 wrote to memory of 3968 | 3060 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe | 115
PID 3060 wrote to memory of 3968 | 3060 | b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe | 115
PID 3968 wrote to memory of 2320 | 3968 | csrss.exe | 118
PID 3968 wrote to memory of 2320 | 3968 | csrss.exe | 118
PID 3968 wrote to memory of 2320 | 3968 | csrss.exe | 118
PID 3968 wrote to memory of 2960 | 3968 | csrss.exe | 124
PID 3968 wrote to memory of 2960 | 3968 | csrss.exe | 124
PID 3968 wrote to memory of 2960 | 3968 | csrss.exe | 124
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe"
  PID: 3080
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command: powershell -nologo -noprofile
      PID: 4548
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe
      Command: "C:\Users\Admin\AppData\Local\Temp\b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d.exe"
      PID: 3060
      - Adds Run key to start application
      - Checks for VirtualBox DLLs, possible anti-VM trick
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command: powershell -nologo -noprofile
          PID: 4672
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\cmd.exe
          Command: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
          PID: 4784
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\netsh.exe
              Command: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
              PID: 3336
              - Modifies Windows Firewall

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command: powershell -nologo -noprofile
          PID: 5100
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command: powershell -nologo -noprofile
          PID: 3644
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\rss\csrss.exe
          Command: C:\Windows\rss\csrss.exe
          PID: 3968
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command: powershell -nologo -noprofile
              PID: 2320
              - Drops file in System32 directory
              - Modifies data under HKEY_USERS
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SYSTEM32\schtasks.exe
              Command: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              PID: 3652
              - Creates scheduled task(s)

            C:\Windows\SYSTEM32\schtasks.exe
              Command: schtasks /delete /tn ScheduledUpdate /f
              PID: 3292

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command: powershell -nologo -noprofile
              PID: 2960
              - Modifies data under HKEY_USERS
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command: powershell -nologo -noprofile
              PID: 3136

            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
              Command: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
              PID: 2164

            C:\Windows\SYSTEM32\schtasks.exe
              Command: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              PID: 4452
              - Creates scheduled task(s)

            C:\Windows\windefender.exe
              Command: "C:\Windows\windefender.exe"
              PID: 3836

                C:\Windows\SysWOW64\cmd.exe
                  Command: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                  PID: 4296

                    C:\Windows\SysWOW64\sc.exe
                      Command: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                      PID: 3044
                      - Launches sc.exe

        C:\Windows\SysWOW64\WerFault.exe
          Command: C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 780
          PID: 3108
          - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command: C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 868
      PID: 3776
      - Program crash

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1316 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
  PID: 2896

C:\Windows\SysWOW64\WerFault.exe
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3080 -ip 3080
  PID: 4680

C:\Windows\SysWOW64\WerFault.exe
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3060 -ip 3060
  PID: 1324

C:\Windows\windefender.exe
  Command: C:\Windows\windefender.exe
  PID: 1136
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 281KB
MD5: d98e33b66343e7c96158444127a117f6
SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: 968cb9309758126772781b83adb8a28f
SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 95bcd8b2eed118d5665ca422932d6970
SHA1: 96fd70fc4c523d7cc3ae50562ae73fdc61e79b47
SHA256: f714b83f1253ad98448158324dcf6d31e1702b69d33c40c999b18274f5284906
SHA512: fda1d3c4abebf677fe448d0b1e9f61c4a0b79dd3df7508ea76b83284ab0e8dcd8155d063d5b024b629dfc1cf82abcc1e4404d466e26f1175a43d35be31a3fbb7

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 21eb6cefc3e5c1138ae2406f893273b8
SHA1: cb1107707886d71f2fa0c49096255a11046a4c64
SHA256: 655542fecb3c757249449689060ce766355852eb223bb9aeda2007271c9d0687
SHA512: 5d88af5d7100542dc0c4601da64e6dffc76baecaa758578de4b716641c91da14e32ad29e063a829a99e260361c11456b18decd0deadad6fdb2adb916e9c4df52

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: a080cf66771118656e44c63e1ce49e16
SHA1: 7e71f8c9ed8b9e3bd74863d7fdbe3f344e9160fd
SHA256: 691042dfa9bdd902b6a97be4e6d2a9e23223c22797070d4ad3832089450fd2ac
SHA512: 8281954b8e19a0cd40b8b1b14d067614432f583bc756f6d899b7bb8d02191321a9a7b87bb0cda8c5c1db01a003fb3166acbdcd1980fb9480bd163d87f8e7c592

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 0475c4bf8a38bcf471bdb260976498d0
SHA1: a70191365f3677259269429b9e39494ad6f30428
SHA256: 30c458ea9d3928065b5bbd6bf7e1a144191c63446bf5f50d98590994b9422698
SHA512: 4aea4f816b44ba86cabbf6121c27ba10e8a569ca0cfaa0720d44fe08aaa175b17333b0dae91e8a85c38e56bdd13d052af34f95af88dcd0396d3ce0c33a1f6657

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 2b0f0928e921fcfa51626f3169f11af9
SHA1: bdae5ad50bb4175e1bde35089f2ce5f9f52e3b2e
SHA256: 61e6830e80dbfa54c4d49568d2ae3c2e4de986cd1a6ce89a58e460009ce22dc7
SHA512: e890543d8871b21fb788a44f6cc2d8b01534e4641376f8d6c71ac071def086d5fdf1d001eae14064071195154935ce9f556d6e243fe95bd85c0080509af2ce5e

Filesize: 4.2MB
MD5: 7811f765982ff3ca394c88179e364f11
SHA1: 25b4250522b4e48cc6c3c8cfd48242e7441f4bf4
SHA256: b7cee9edcee16f74545953fc104e2d3841852fc000fac7acf439f2fdc224d70d
SHA512: 02c7109a9ec34435feab5108687b01dedb8b14de492e8a3fa47dda55a4d0b9dff982932e16642c96696d30a82a89376bed0951f6a61dcbc4c3a9fe4d1aeae7cd

Filesize: 2.0MB
MD5: 8e67f58837092385dcf01e8a2b4f5783
SHA1: 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256: 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512: 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec