glupteba | c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
Size

4.1MB
MD5

641c4f0c0832d5db7edfd312d1ea4866
SHA1

ae2385ea5b5bd0c1522bab9fe2f40a07c7afc8f4
SHA256

c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb
SHA512

8484210d67127f49ea2e89ff473a350aee949480acbd64108c90d0cf7896893956a8359c1dbe8bd87b4acb0eb511a87a3670a2a4e4636464336617cf16d42358
SSDEEP

98304:wupp3WUkLaIVxVQ5Lfi8+DAGSBgUwbhlmIRT0sLJ5J:t24wrgi8oddlbb

Score

10^/10

glupteba discovery dropper evasion loader persistence rootkit upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 37 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2904-3-0x0000000003FB0000-0x000000000489C000-memory.dmp	family_glupteba
behavioral1/memory/1084-2-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1084-5-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1084-7-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1084-6-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1084-8-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1084-9-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1084-10-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1084-52-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3388-63-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3388-66-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3388-65-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3388-64-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3388-67-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3388-105-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3388-138-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3388-166-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/336-182-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/336-183-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/336-184-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/336-185-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/336-212-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/336-276-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/336-277-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/336-278-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/336-287-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/336-289-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/336-291-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/336-293-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/336-295-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/336-297-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/336-299-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/336-301-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/336-303-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/336-305-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/336-307-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/336-309-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4404 netsh.exe
Executes dropped EXE 5 IoCs

Processes:

csrss.execsrss.exeinjector.exewindefender.exewindefender.exe

pid process

2932 csrss.exe
336 csrss.exe
2736 injector.exe
3852 windefender.exe
3232 windefender.exe

pid	process
4404	netsh.exe

pid	process
2932	csrss.exe
336	csrss.exe
2736	injector.exe
3852	windefender.exe
3232	windefender.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
behavioral1/memory/3852-286-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/3232-288-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/3232-292-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

csrss.exec80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exec80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.execsrss.exe

description	pid	process	target process
PID 2904 set thread context of 1084	2904	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
PID 3732 set thread context of 3388	3732	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
PID 2932 set thread context of 336	2932	csrss.exe	csrss.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe

Drops file in Windows directory 4 IoCs

Processes:

csrss.exec80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe

description	ioc	process
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\rss	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
File created	C:\Windows\rss\csrss.exe	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

3960 sc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4972 2676 WerFault.exe powershell.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2980 schtasks.exe
3872 schtasks.exe

pid	process
3960	sc.exe

pid	pid_target	process	target process
4972	2676	WerFault.exe	powershell.exe

pid	process
2980	schtasks.exe
3872	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exepowershell.exepowershell.exewindefender.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3141 = "South Sudan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time"	windefender.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exec80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exepowershell.exec80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeinjector.execsrss.exe

pid	process
2676	powershell.exe
2676	powershell.exe
1084	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
1084	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
2376	powershell.exe
2376	powershell.exe
2376	powershell.exe
3388	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
3388	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
3388	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
3388	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
3388	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
3388	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
3388	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
3388	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
3388	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
3388	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
2560	powershell.exe
2560	powershell.exe
2560	powershell.exe
4576	powershell.exe
4576	powershell.exe
4576	powershell.exe
2380	powershell.exe
2380	powershell.exe
2380	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
3696	powershell.exe
3696	powershell.exe
3696	powershell.exe
2736	injector.exe
2736	injector.exe
2736	injector.exe
2736	injector.exe
2736	injector.exe
2736	injector.exe
336	csrss.exe
336	csrss.exe
2736	injector.exe
2736	injector.exe
2736	injector.exe
2736	injector.exe
2736	injector.exe
2736	injector.exe
336	csrss.exe
336	csrss.exe
2736	injector.exe
2736	injector.exe
2736	injector.exe
2736	injector.exe
336	csrss.exe
336	csrss.exe
2736	injector.exe
2736	injector.exe
2736	injector.exe
2736	injector.exe
2736	injector.exe
2736	injector.exe
2736	injector.exe
2736	injector.exe
2736	injector.exe
2736	injector.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

powershell.exec80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.exesc.exe

description	pid	process
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	1084	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
Token: SeImpersonatePrivilege	1084	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	3696	powershell.exe
Token: SeSystemEnvironmentPrivilege	336	csrss.exe
Token: SeSecurityPrivilege	3960	sc.exe
Token: SeSecurityPrivilege	3960	sc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exec80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exec80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exec80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.execmd.execsrss.execsrss.exewindefender.exe

description	pid	process	target process
PID 2904 wrote to memory of 1084	2904	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
PID 2904 wrote to memory of 1084	2904	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
PID 2904 wrote to memory of 1084	2904	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
PID 2904 wrote to memory of 1084	2904	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
PID 2904 wrote to memory of 1084	2904	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
PID 2904 wrote to memory of 1084	2904	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
PID 2904 wrote to memory of 1084	2904	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
PID 2904 wrote to memory of 1084	2904	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
PID 2904 wrote to memory of 1084	2904	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
PID 2904 wrote to memory of 1084	2904	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
PID 2904 wrote to memory of 1084	2904	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
PID 1084 wrote to memory of 2676	1084	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	powershell.exe
PID 1084 wrote to memory of 2676	1084	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	powershell.exe
PID 1084 wrote to memory of 2676	1084	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	powershell.exe
PID 3732 wrote to memory of 3388	3732	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
PID 3732 wrote to memory of 3388	3732	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
PID 3732 wrote to memory of 3388	3732	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
PID 3732 wrote to memory of 3388	3732	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
PID 3732 wrote to memory of 3388	3732	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
PID 3732 wrote to memory of 3388	3732	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
PID 3732 wrote to memory of 3388	3732	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
PID 3732 wrote to memory of 3388	3732	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
PID 3732 wrote to memory of 3388	3732	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
PID 3732 wrote to memory of 3388	3732	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
PID 3732 wrote to memory of 3388	3732	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
PID 3388 wrote to memory of 2376	3388	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	powershell.exe
PID 3388 wrote to memory of 2376	3388	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	powershell.exe
PID 3388 wrote to memory of 2376	3388	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	powershell.exe
PID 3388 wrote to memory of 2080	3388	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	cmd.exe
PID 3388 wrote to memory of 2080	3388	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	cmd.exe
PID 2080 wrote to memory of 4404	2080	cmd.exe	netsh.exe
PID 2080 wrote to memory of 4404	2080	cmd.exe	netsh.exe
PID 3388 wrote to memory of 2560	3388	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	powershell.exe
PID 3388 wrote to memory of 2560	3388	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	powershell.exe
PID 3388 wrote to memory of 2560	3388	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	powershell.exe
PID 3388 wrote to memory of 4576	3388	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	powershell.exe
PID 3388 wrote to memory of 4576	3388	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	powershell.exe
PID 3388 wrote to memory of 4576	3388	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	powershell.exe
PID 3388 wrote to memory of 2932	3388	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	csrss.exe
PID 3388 wrote to memory of 2932	3388	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	csrss.exe
PID 3388 wrote to memory of 2932	3388	c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe	csrss.exe
PID 2932 wrote to memory of 336	2932	csrss.exe	csrss.exe
PID 2932 wrote to memory of 336	2932	csrss.exe	csrss.exe
PID 2932 wrote to memory of 336	2932	csrss.exe	csrss.exe
PID 2932 wrote to memory of 336	2932	csrss.exe	csrss.exe
PID 2932 wrote to memory of 336	2932	csrss.exe	csrss.exe
PID 2932 wrote to memory of 336	2932	csrss.exe	csrss.exe
PID 2932 wrote to memory of 336	2932	csrss.exe	csrss.exe
PID 2932 wrote to memory of 336	2932	csrss.exe	csrss.exe
PID 2932 wrote to memory of 336	2932	csrss.exe	csrss.exe
PID 2932 wrote to memory of 336	2932	csrss.exe	csrss.exe
PID 2932 wrote to memory of 336	2932	csrss.exe	csrss.exe
PID 336 wrote to memory of 2380	336	csrss.exe	powershell.exe
PID 336 wrote to memory of 2380	336	csrss.exe	powershell.exe
PID 336 wrote to memory of 2380	336	csrss.exe	powershell.exe
PID 336 wrote to memory of 4476	336	csrss.exe	powershell.exe
PID 336 wrote to memory of 4476	336	csrss.exe	powershell.exe
PID 336 wrote to memory of 4476	336	csrss.exe	powershell.exe
PID 336 wrote to memory of 3696	336	csrss.exe	powershell.exe
PID 336 wrote to memory of 3696	336	csrss.exe	powershell.exe
PID 336 wrote to memory of 3696	336	csrss.exe	powershell.exe
PID 336 wrote to memory of 2736	336	csrss.exe	injector.exe
PID 336 wrote to memory of 2736	336	csrss.exe	injector.exe
PID 3852 wrote to memory of 3440	3852	windefender.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
"C:\Users\Admin\AppData\Local\Temp\c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2904

C:\Users\Admin\AppData\Local\Temp\c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
"C:\Users\Admin\AppData\Local\Temp\c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 2572
4⤵
- Program crash
PID:4972

C:\Users\Admin\AppData\Local\Temp\c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
"C:\Users\Admin\AppData\Local\Temp\c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3732

C:\Users\Admin\AppData\Local\Temp\c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe
"C:\Users\Admin\AppData\Local\Temp\c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb.exe"
4⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:4404

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:2980

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
7⤵
PID:3004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2736

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:3872

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
8⤵
PID:3440

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
9⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2676 -ip 2676
1⤵
PID:2068

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fbjqngzq.i5q.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
6c94407cc20d42677cb691be3a751334

SHA1
2a0fc4101031d8e5cc560ea03774fe448447673e

SHA256
c660d5ec29c7319a779418b2e18ae8ed2a316c3d2ec778c1a0550390c97b1658

SHA512
fa6dd7112b2667aa459387997b419913d0809c9ca2ac867e8f9554c6318db5c4e0eece53ab440e903b9ac30a51406de2aa08b9374fb11932bf36b02d7dbf2999

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
802d6e15825b16684912bec057fdc779

SHA1
50058d8e8780bbc76c1b422f100739e1f04e97a6

SHA256
79fd4049605b6671e2e25373bcb6f9e8ae8df2b150008a1b0163b48de281b55d

SHA512
b0fb82a84ad0816b340ad340e4c0253a5f12e1971bc1efcc93d03156e6f82dd5f79cdf930a55c68f055f547cc6b51e4fb33fdc505aac028a116891deaf786ec5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
cb48a0b83b210a3bd3a0cd5f6a6e6048

SHA1
a163e9a1c7bc1ef9de884c0aecd3f6b656963a39

SHA256
f0c021ab59f458cd7c908a1a453a9c0be9c2268039674cb4636f235dd3886e8c

SHA512
07b4ed5a3a473b8113b3747c887ad998425d12f5c2b6cd311377f81b3289b6ceff6c4da6b7e9cc3c650843f7ee88683d738f5f71d24d2e91b1adabc06b3f168b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
097720028e3773f0423b9f5a9043f2af

SHA1
81194d7b19659d8f61d79ac612edff9f63b48459

SHA256
6a06c43bbb81c52af8b10d95404a45cd32e70ea582a312cfad60bdc9f1baa90e

SHA512
856b7396ae043a4230b05a69b757453a6460068ad246f5abcbb79997469c540a256ece2795e26a9e58019ad73e5f97a75bd3092a8d76ab3df5523174f0bc2356

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
24b59b3b4854c06ccfb44a098d60c177

SHA1
b7f97f3bb79097e43a362d7422e1d59c683802e4

SHA256
19a89220d96fa30325273772e816e4e5ed37406a422a4a63fa87ee79272bd90b

SHA512
1da877fc2f7d01a045fa44c5d78d468c0865c0e5a28f8e4de80e6731072d3fc96221d872dbd6552daa478a6d58e92a4e4cea3d80a1bc4f1eb9fdc8b9925d3f88

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.1MB

MD5
641c4f0c0832d5db7edfd312d1ea4866

SHA1
ae2385ea5b5bd0c1522bab9fe2f40a07c7afc8f4

SHA256
c80f34dcc7c1439b496d5bc0029f04bc5e16af4a1d87d14a0797da2094404efb

SHA512
8484210d67127f49ea2e89ff473a350aee949480acbd64108c90d0cf7896893956a8359c1dbe8bd87b4acb0eb511a87a3670a2a4e4636464336617cf16d42358

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/336-307-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/336-277-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/336-301-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/336-299-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/336-297-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/336-295-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/336-305-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/336-293-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/336-291-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/336-289-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/336-287-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/336-309-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/336-278-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/336-303-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/336-276-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/336-182-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/336-183-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/336-184-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/336-212-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/336-185-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1084-7-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1084-6-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1084-8-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1084-52-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1084-9-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1084-5-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1084-2-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1084-10-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2376-100-0x0000000007320000-0x000000000733A000-memory.dmp

Filesize
104KB

Download
memory/2376-97-0x0000000007290000-0x00000000072A1000-memory.dmp

Filesize
68KB

Download
memory/2376-70-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/2376-69-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/2376-68-0x0000000074EF0000-0x00000000756A0000-memory.dmp

Filesize
7.7MB

Download
memory/2376-72-0x0000000005710000-0x0000000005A64000-memory.dmp

Filesize
3.3MB

Download
memory/2376-81-0x0000000005E00000-0x0000000005E4C000-memory.dmp

Filesize
304KB

Download
memory/2376-84-0x0000000071590000-0x00000000718E4000-memory.dmp

Filesize
3.3MB

Download
memory/2376-94-0x0000000006F80000-0x0000000007023000-memory.dmp

Filesize
652KB

Download
memory/2376-95-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/2376-83-0x0000000070DF0000-0x0000000070E3C000-memory.dmp

Filesize
304KB

Download
memory/2376-82-0x000000007FBF0000-0x000000007FC00000-memory.dmp

Filesize
64KB

Download
memory/2376-96-0x0000000007370000-0x0000000007406000-memory.dmp

Filesize
600KB

Download
memory/2376-104-0x0000000074EF0000-0x00000000756A0000-memory.dmp

Filesize
7.7MB

Download
memory/2376-98-0x00000000072D0000-0x00000000072DE000-memory.dmp

Filesize
56KB

Download
memory/2376-99-0x00000000072E0000-0x00000000072F4000-memory.dmp

Filesize
80KB

Download
memory/2376-101-0x0000000007310000-0x0000000007318000-memory.dmp

Filesize
32KB

Download
memory/2560-134-0x0000000074EF0000-0x00000000756A0000-memory.dmp

Filesize
7.7MB

Download
memory/2560-121-0x0000000070DF0000-0x0000000070E3C000-memory.dmp

Filesize
304KB

Download
memory/2560-132-0x00000000046E0000-0x00000000046F0000-memory.dmp

Filesize
64KB

Download
memory/2560-120-0x000000007FC50000-0x000000007FC60000-memory.dmp

Filesize
64KB

Download
memory/2560-109-0x00000000046E0000-0x00000000046F0000-memory.dmp

Filesize
64KB

Download
memory/2560-108-0x00000000046E0000-0x00000000046F0000-memory.dmp

Filesize
64KB

Download
memory/2560-107-0x0000000074EF0000-0x00000000756A0000-memory.dmp

Filesize
7.7MB

Download
memory/2560-122-0x0000000071590000-0x00000000718E4000-memory.dmp

Filesize
3.3MB

Download
memory/2676-33-0x00000000076C0000-0x0000000007D3A000-memory.dmp

Filesize
6.5MB

Download
memory/2676-29-0x0000000005CA0000-0x0000000005CBE000-memory.dmp

Filesize
120KB

Download
memory/2676-11-0x00000000046E0000-0x0000000004716000-memory.dmp

Filesize
216KB

Download
memory/2676-12-0x0000000074EF0000-0x00000000756A0000-memory.dmp

Filesize
7.7MB

Download
memory/2676-13-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/2676-14-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/2676-15-0x0000000004D50000-0x0000000005378000-memory.dmp

Filesize
6.2MB

Download
memory/2676-16-0x0000000004CE0000-0x0000000004D02000-memory.dmp

Filesize
136KB

Download
memory/2676-17-0x00000000053F0000-0x0000000005456000-memory.dmp

Filesize
408KB

Download
memory/2676-18-0x0000000005650000-0x00000000056B6000-memory.dmp

Filesize
408KB

Download
memory/2676-28-0x00000000057C0000-0x0000000005B14000-memory.dmp

Filesize
3.3MB

Download
memory/2676-30-0x0000000005D00000-0x0000000005D4C000-memory.dmp

Filesize
304KB

Download
memory/2676-31-0x0000000006240000-0x0000000006284000-memory.dmp

Filesize
272KB

Download
memory/2676-32-0x0000000006FC0000-0x0000000007036000-memory.dmp

Filesize
472KB

Download
memory/2676-34-0x0000000007070000-0x000000000708A000-memory.dmp

Filesize
104KB

Download
memory/2676-35-0x000000007F7A0000-0x000000007F7B0000-memory.dmp

Filesize
64KB

Download
memory/2676-36-0x0000000007230000-0x0000000007262000-memory.dmp

Filesize
200KB

Download
memory/2676-37-0x0000000070D90000-0x0000000070DDC000-memory.dmp

Filesize
304KB

Download
memory/2676-38-0x0000000070F10000-0x0000000071264000-memory.dmp

Filesize
3.3MB

Download
memory/2676-51-0x0000000074EF0000-0x00000000756A0000-memory.dmp

Filesize
7.7MB

Download
memory/2676-50-0x0000000007380000-0x000000000738A000-memory.dmp

Filesize
40KB

Download
memory/2676-48-0x0000000007270000-0x000000000728E000-memory.dmp

Filesize
120KB

Download
memory/2676-49-0x0000000007290000-0x0000000007333000-memory.dmp

Filesize
652KB

Download
memory/2904-3-0x0000000003FB0000-0x000000000489C000-memory.dmp

Filesize
8.9MB

Download
memory/2904-1-0x0000000003BA0000-0x0000000003FA8000-memory.dmp

Filesize
4.0MB

Download
memory/2932-176-0x0000000003E00000-0x0000000004200000-memory.dmp

Filesize
4.0MB

Download
memory/3232-288-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3232-292-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3388-138-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3388-166-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3388-64-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3388-105-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3388-65-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3388-66-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3388-67-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3388-63-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3732-59-0x0000000003900000-0x0000000003CFF000-memory.dmp

Filesize
4.0MB

Download
memory/3852-286-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4576-148-0x00000000061A0000-0x00000000064F4000-memory.dmp

Filesize
3.3MB

Download
memory/4576-137-0x0000000003270000-0x0000000003280000-memory.dmp

Filesize
64KB

Download
memory/4576-136-0x0000000003270000-0x0000000003280000-memory.dmp

Filesize
64KB

Download
memory/4576-135-0x0000000074EF0000-0x00000000756A0000-memory.dmp

Filesize
7.7MB

Download
memory/4576-152-0x0000000071510000-0x0000000071864000-memory.dmp

Filesize
3.3MB

Download
memory/4576-163-0x0000000074EF0000-0x00000000756A0000-memory.dmp

Filesize
7.7MB

Download
memory/4576-150-0x000000007F250000-0x000000007F260000-memory.dmp

Filesize
64KB

Download
memory/4576-151-0x0000000070DF0000-0x0000000070E3C000-memory.dmp

Filesize
304KB

Download