glupteba | 25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
21-04-2024 13:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
Size

4.1MB
MD5

2d075e4be9e93a93169625a674513be0
SHA1

4d00218e067be5a6345b2b4e47ffb5586cbf8c45
SHA256

25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2
SHA512

ac2681c303f9145749c902ca36a1f2b6d299b591cd68970d33a883a43d79d9bac5d881c6e84b18117bcf4510cf20f95a9a3a708430155a99bb9efab8d973dfb0
SSDEEP

98304:oupp3WUkLaIVxVQ5Lfi8+DAGSBgUwbhlmIRT0sLJ5D:l24wrgi8oddlbJ

Score

10^/10

glupteba discovery dropper evasion loader persistence rootkit upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 36 IoCs

Processes:

resource	yara_rule
behavioral2/memory/416-2-0x00000000041A0000-0x0000000004A8C000-memory.dmp	family_glupteba
behavioral2/memory/4588-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4588-5-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4588-6-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4588-7-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4588-8-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4588-9-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4588-57-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3264-68-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3264-69-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3264-70-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3264-71-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3264-72-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3264-145-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3264-161-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3140-175-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3140-177-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3140-178-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3140-179-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3140-205-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3140-206-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3140-272-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3140-273-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3140-274-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3140-283-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3140-285-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3140-287-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3140-289-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3140-291-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3140-293-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3140-295-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3140-297-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3140-299-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3140-301-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3140-303-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3140-305-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2684 netsh.exe
Executes dropped EXE 5 IoCs

Processes:

csrss.execsrss.exeinjector.exewindefender.exewindefender.exe

pid process

4920 csrss.exe
3140 csrss.exe
2144 injector.exe
1532 windefender.exe
2056 windefender.exe

pid	process
2684	netsh.exe

pid	process
4920	csrss.exe
3140	csrss.exe
2144	injector.exe
1532	windefender.exe
2056	windefender.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
behavioral2/memory/1532-282-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/2056-284-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/2056-288-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/2056-294-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.execsrss.exe

description	pid	process	target process
PID 416 set thread context of 4588	416	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
PID 688 set thread context of 3264	688	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
PID 4920 set thread context of 3140	4920	csrss.exe	csrss.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe

Drops file in Windows directory 4 IoCs

Processes:

25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.execsrss.exe

description	ioc	process
File opened for modification	C:\Windows\rss	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
File created	C:\Windows\rss\csrss.exe	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

940 sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5064 schtasks.exe
3580 schtasks.exe

pid	process
940	sc.exe

pid	process
5064	schtasks.exe
3580	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exepowershell.exepowershell.exewindefender.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exe25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exepowershell.exe25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeinjector.execsrss.exe

pid	process
956	powershell.exe
956	powershell.exe
4588	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
4588	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
3284	powershell.exe
3284	powershell.exe
3264	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
3264	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
3264	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
3264	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
3264	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
3264	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
3264	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
3264	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
3264	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
3264	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
3512	powershell.exe
3512	powershell.exe
2112	powershell.exe
2112	powershell.exe
1592	powershell.exe
1592	powershell.exe
1056	powershell.exe
1056	powershell.exe
3016	powershell.exe
3016	powershell.exe
2144	injector.exe
2144	injector.exe
2144	injector.exe
2144	injector.exe
2144	injector.exe
2144	injector.exe
3140	csrss.exe
3140	csrss.exe
2144	injector.exe
2144	injector.exe
2144	injector.exe
2144	injector.exe
2144	injector.exe
2144	injector.exe
3140	csrss.exe
3140	csrss.exe
2144	injector.exe
2144	injector.exe
2144	injector.exe
2144	injector.exe
3140	csrss.exe
3140	csrss.exe
2144	injector.exe
2144	injector.exe
2144	injector.exe
2144	injector.exe
2144	injector.exe
2144	injector.exe
2144	injector.exe
2144	injector.exe
2144	injector.exe
2144	injector.exe
2144	injector.exe
2144	injector.exe
2144	injector.exe
2144	injector.exe
2144	injector.exe
2144	injector.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

powershell.exe25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.exesc.exe

description	pid	process
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	4588	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
Token: SeImpersonatePrivilege	4588	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
Token: SeDebugPrivilege	3284	powershell.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeSystemEnvironmentPrivilege	3140	csrss.exe
Token: SeSecurityPrivilege	940	sc.exe
Token: SeSecurityPrivilege	940	sc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.execmd.execsrss.execsrss.exewindefender.exe

description	pid	process	target process
PID 416 wrote to memory of 4588	416	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
PID 416 wrote to memory of 4588	416	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
PID 416 wrote to memory of 4588	416	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
PID 416 wrote to memory of 4588	416	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
PID 416 wrote to memory of 4588	416	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
PID 416 wrote to memory of 4588	416	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
PID 416 wrote to memory of 4588	416	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
PID 416 wrote to memory of 4588	416	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
PID 416 wrote to memory of 4588	416	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
PID 416 wrote to memory of 4588	416	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
PID 416 wrote to memory of 4588	416	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
PID 4588 wrote to memory of 956	4588	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	powershell.exe
PID 4588 wrote to memory of 956	4588	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	powershell.exe
PID 4588 wrote to memory of 956	4588	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	powershell.exe
PID 688 wrote to memory of 3264	688	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
PID 688 wrote to memory of 3264	688	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
PID 688 wrote to memory of 3264	688	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
PID 688 wrote to memory of 3264	688	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
PID 688 wrote to memory of 3264	688	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
PID 688 wrote to memory of 3264	688	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
PID 688 wrote to memory of 3264	688	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
PID 688 wrote to memory of 3264	688	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
PID 688 wrote to memory of 3264	688	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
PID 688 wrote to memory of 3264	688	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
PID 688 wrote to memory of 3264	688	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
PID 3264 wrote to memory of 3284	3264	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	powershell.exe
PID 3264 wrote to memory of 3284	3264	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	powershell.exe
PID 3264 wrote to memory of 3284	3264	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	powershell.exe
PID 3264 wrote to memory of 1804	3264	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	Conhost.exe
PID 3264 wrote to memory of 1804	3264	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	Conhost.exe
PID 1804 wrote to memory of 2684	1804	cmd.exe	netsh.exe
PID 1804 wrote to memory of 2684	1804	cmd.exe	netsh.exe
PID 3264 wrote to memory of 3512	3264	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	powershell.exe
PID 3264 wrote to memory of 3512	3264	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	powershell.exe
PID 3264 wrote to memory of 3512	3264	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	powershell.exe
PID 3264 wrote to memory of 2112	3264	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	powershell.exe
PID 3264 wrote to memory of 2112	3264	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	powershell.exe
PID 3264 wrote to memory of 2112	3264	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	powershell.exe
PID 3264 wrote to memory of 4920	3264	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	csrss.exe
PID 3264 wrote to memory of 4920	3264	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	csrss.exe
PID 3264 wrote to memory of 4920	3264	25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe	csrss.exe
PID 4920 wrote to memory of 3140	4920	csrss.exe	csrss.exe
PID 4920 wrote to memory of 3140	4920	csrss.exe	csrss.exe
PID 4920 wrote to memory of 3140	4920	csrss.exe	csrss.exe
PID 4920 wrote to memory of 3140	4920	csrss.exe	csrss.exe
PID 4920 wrote to memory of 3140	4920	csrss.exe	csrss.exe
PID 4920 wrote to memory of 3140	4920	csrss.exe	csrss.exe
PID 4920 wrote to memory of 3140	4920	csrss.exe	csrss.exe
PID 4920 wrote to memory of 3140	4920	csrss.exe	csrss.exe
PID 4920 wrote to memory of 3140	4920	csrss.exe	csrss.exe
PID 4920 wrote to memory of 3140	4920	csrss.exe	csrss.exe
PID 4920 wrote to memory of 3140	4920	csrss.exe	csrss.exe
PID 3140 wrote to memory of 1592	3140	csrss.exe	powershell.exe
PID 3140 wrote to memory of 1592	3140	csrss.exe	powershell.exe
PID 3140 wrote to memory of 1592	3140	csrss.exe	powershell.exe
PID 3140 wrote to memory of 1056	3140	csrss.exe	powershell.exe
PID 3140 wrote to memory of 1056	3140	csrss.exe	powershell.exe
PID 3140 wrote to memory of 1056	3140	csrss.exe	powershell.exe
PID 3140 wrote to memory of 3016	3140	csrss.exe	powershell.exe
PID 3140 wrote to memory of 3016	3140	csrss.exe	powershell.exe
PID 3140 wrote to memory of 3016	3140	csrss.exe	powershell.exe
PID 3140 wrote to memory of 2144	3140	csrss.exe	injector.exe
PID 3140 wrote to memory of 2144	3140	csrss.exe	injector.exe
PID 1532 wrote to memory of 1568	1532	windefender.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
"C:\Users\Admin\AppData\Local\Temp\25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:416

C:\Users\Admin\AppData\Local\Temp\25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
"C:\Users\Admin\AppData\Local\Temp\25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Users\Admin\AppData\Local\Temp\25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
"C:\Users\Admin\AppData\Local\Temp\25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:688

C:\Users\Admin\AppData\Local\Temp\25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe
"C:\Users\Admin\AppData\Local\Temp\25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2.exe"
4⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3264

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3284

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:2684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:5064

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
7⤵
PID:2468

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2144

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:1804

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:3580

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
8⤵
PID:1568

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
9⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jtxorza5.qee.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
ac4917a885cf6050b1a483e4bc4d2ea5

SHA1
b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

SHA256
e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

SHA512
092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
a417fe6992a91d2edc70b2518a3ef8db

SHA1
3a44fd6e82e20c2fb4bf6c50d8c1f4e6ac7c16e7

SHA256
0e07ce9ea5a90ed7711fdd893db0e012c8341dfd5c54f622873ebcf1e1b9c306

SHA512
43eb0290c6335c5c5272b1cb9bef14cf516befab1392f9ba343f649873db25d6fa3632b3c73a21bb3a6716f64a629132ecb5d9d38b19845d0d8eb71085582bf1

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
ab831f25426c5a37b2127b9593ddb41c

SHA1
aea42154663de38f8ed06ac0149a8bc15eaa67fc

SHA256
96b9761ef11cf89f3a0125979b52fd2e131e8ee5024e2dc15f615a26ee29f36d

SHA512
d5ab6e21eda33f0dc692fa354a4ee5abf295446adf68409716214e89b069c7d52b42acd3d0d7ef856bed9df1e6d233b2451aff5caa6bda096f97a728eeb37ee7

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
85df6b0c9fd17a6182fb4907024a4710

SHA1
9e1fa0fd52a4e48570daab9d07e893afe87872f5

SHA256
650acf20d9d14a057aa8c29d35d05eae080a9e436368d2a78a17dbd045860c2c

SHA512
1b1b4aaed067c69bed79df26039a149610e7448f8399167d877c8768d6a6e1b96ca1b993e50d021509ea71afc8dbe225406a71f2e947ce6ba8f6d351781670ed

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
7e1b7798709f4f2b71b5d5c97b5d926d

SHA1
2c1c535d309708e01e276c6f36c6d1d2f9c12e70

SHA256
902a088b65ddc3b98522dab75be8a933fca37fff28366a7fed8a70b635a510a2

SHA512
8cf28566ad3c698c78978c45f39b640a07d9b0a893ea36dc58fe87fffb313dc87dfc8f992c8eab34e0c100d0a559dea02ab3b81aca35d79d00192ca5cb3f8354

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
837fd98fbb1b9beeca8863fc2772b660

SHA1
baaee6f34376f80693c448ee0cccca9c9ec16033

SHA256
7675d555e04a0b4bb35861cc1dcea04e6aa80267aa0ea421ddefe30d45cff44f

SHA512
11cdf209e40887f18c221cbbb86f50462fbeaf54315b986a4fcd1ae272ad4c72f00df0c3be92fe814879c078700a11f10769e4563de04d3d05fb862b6132115e

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.1MB

MD5
2d075e4be9e93a93169625a674513be0

SHA1
4d00218e067be5a6345b2b4e47ffb5586cbf8c45

SHA256
25dbeef08f038c9cfec26195ebe2a762d0f5bb0625d53e8dfa7283ead9e71aa2

SHA512
ac2681c303f9145749c902ca36a1f2b6d299b591cd68970d33a883a43d79d9bac5d881c6e84b18117bcf4510cf20f95a9a3a708430155a99bb9efab8d973dfb0

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/416-1-0x0000000003D90000-0x0000000004194000-memory.dmp

Filesize
4.0MB

Download
memory/416-2-0x00000000041A0000-0x0000000004A8C000-memory.dmp

Filesize
8.9MB

Download
memory/688-64-0x0000000003AF0000-0x0000000003EF1000-memory.dmp

Filesize
4.0MB

Download
memory/956-15-0x00000000050F0000-0x0000000005112000-memory.dmp

Filesize
136KB

Download
memory/956-49-0x00000000075E0000-0x00000000075F1000-memory.dmp

Filesize
68KB

Download
memory/956-17-0x00000000059E0000-0x0000000005A46000-memory.dmp

Filesize
408KB

Download
memory/956-14-0x0000000005240000-0x000000000586A000-memory.dmp

Filesize
6.2MB

Download
memory/956-26-0x0000000005A90000-0x0000000005DE7000-memory.dmp

Filesize
3.3MB

Download
memory/956-27-0x0000000005FC0000-0x0000000005FDE000-memory.dmp

Filesize
120KB

Download
memory/956-28-0x0000000005FF0000-0x000000000603C000-memory.dmp

Filesize
304KB

Download
memory/956-29-0x0000000006560000-0x00000000065A6000-memory.dmp

Filesize
280KB

Download
memory/956-30-0x000000007F9C0000-0x000000007F9D0000-memory.dmp

Filesize
64KB

Download
memory/956-32-0x0000000070B00000-0x0000000070B4C000-memory.dmp

Filesize
304KB

Download
memory/956-31-0x00000000073E0000-0x0000000007414000-memory.dmp

Filesize
208KB

Download
memory/956-33-0x0000000070C80000-0x0000000070FD7000-memory.dmp

Filesize
3.3MB

Download
memory/956-44-0x0000000007440000-0x00000000074E4000-memory.dmp

Filesize
656KB

Download
memory/956-43-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/956-42-0x0000000007420000-0x000000000743E000-memory.dmp

Filesize
120KB

Download
memory/956-46-0x0000000007560000-0x000000000757A000-memory.dmp

Filesize
104KB

Download
memory/956-45-0x0000000007BB0000-0x000000000822A000-memory.dmp

Filesize
6.5MB

Download
memory/956-47-0x00000000075A0000-0x00000000075AA000-memory.dmp

Filesize
40KB

Download
memory/956-48-0x0000000007660000-0x00000000076F6000-memory.dmp

Filesize
600KB

Download
memory/956-16-0x0000000005190000-0x00000000051F6000-memory.dmp

Filesize
408KB

Download
memory/956-50-0x0000000007610000-0x000000000761E000-memory.dmp

Filesize
56KB

Download
memory/956-51-0x0000000007620000-0x0000000007635000-memory.dmp

Filesize
84KB

Download
memory/956-52-0x0000000007720000-0x000000000773A000-memory.dmp

Filesize
104KB

Download
memory/956-53-0x0000000007710000-0x0000000007718000-memory.dmp

Filesize
32KB

Download
memory/956-56-0x0000000074890000-0x0000000075041000-memory.dmp

Filesize
7.7MB

Download
memory/956-13-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/956-11-0x0000000074890000-0x0000000075041000-memory.dmp

Filesize
7.7MB

Download
memory/956-12-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/956-10-0x0000000002B30000-0x0000000002B66000-memory.dmp

Filesize
216KB

Download
memory/1532-282-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2056-284-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2056-288-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2056-294-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2112-158-0x0000000074890000-0x0000000075041000-memory.dmp

Filesize
7.7MB

Download
memory/2112-156-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/2112-147-0x0000000070D80000-0x00000000710D7000-memory.dmp

Filesize
3.3MB

Download
memory/2112-146-0x0000000070B70000-0x0000000070BBC000-memory.dmp

Filesize
304KB

Download
memory/2112-133-0x0000000074890000-0x0000000075041000-memory.dmp

Filesize
7.7MB

Download
memory/2112-135-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/2112-134-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/3140-177-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3140-179-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3140-274-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3140-273-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3140-272-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3140-285-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3140-305-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3140-303-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3140-287-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3140-301-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3140-299-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3140-297-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3140-295-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3140-293-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3140-291-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3140-206-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3140-289-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3140-205-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3140-283-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3140-178-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3140-175-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3264-145-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3264-68-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3264-69-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3264-70-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3264-72-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3264-71-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3264-161-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3284-87-0x0000000070B70000-0x0000000070BBC000-memory.dmp

Filesize
304KB

Download
memory/3284-75-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/3284-85-0x0000000006B70000-0x0000000006BBC000-memory.dmp

Filesize
304KB

Download
memory/3284-73-0x0000000074890000-0x0000000075041000-memory.dmp

Filesize
7.7MB

Download
memory/3284-76-0x00000000060B0000-0x0000000006407000-memory.dmp

Filesize
3.3MB

Download
memory/3284-98-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/3284-86-0x000000007F290000-0x000000007F2A0000-memory.dmp

Filesize
64KB

Download
memory/3284-74-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/3284-97-0x0000000007800000-0x00000000078A4000-memory.dmp

Filesize
656KB

Download
memory/3284-88-0x0000000070DC0000-0x0000000071117000-memory.dmp

Filesize
3.3MB

Download
memory/3284-103-0x0000000074890000-0x0000000075041000-memory.dmp

Filesize
7.7MB

Download
memory/3284-100-0x0000000007B90000-0x0000000007BA5000-memory.dmp

Filesize
84KB

Download
memory/3284-99-0x0000000007B40000-0x0000000007B51000-memory.dmp

Filesize
68KB

Download
memory/3512-118-0x000000007F800000-0x000000007F810000-memory.dmp

Filesize
64KB

Download
memory/3512-105-0x0000000074890000-0x0000000075041000-memory.dmp

Filesize
7.7MB

Download
memory/3512-106-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/3512-107-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/3512-116-0x0000000005AB0000-0x0000000005E07000-memory.dmp

Filesize
3.3MB

Download
memory/3512-119-0x0000000070B70000-0x0000000070BBC000-memory.dmp

Filesize
304KB

Download
memory/3512-120-0x0000000070D80000-0x00000000710D7000-memory.dmp

Filesize
3.3MB

Download
memory/3512-132-0x0000000074890000-0x0000000075041000-memory.dmp

Filesize
7.7MB

Download
memory/3512-129-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/3512-130-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/4588-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4588-5-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4588-57-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4588-7-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4588-9-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4588-6-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4588-8-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download