glupteba | f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080

Analysis

max time kernel
150s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28/04/2024, 14:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Size

4.2MB
MD5

da51e953e46267c1c827280b45abe6fe
SHA1

77cbc46b84da88a8dbaf41aaca7dfaae0f03cc12
SHA256

f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080
SHA512

2be393cac0569977808cea0f1d33d210218c2aaea39c9e118375e7d9909a9375217a27ecceeed95c452cc69ccd02ff2d53fc9321e6c8a20f17d991119452bb12
SSDEEP

98304:PHUv657qgpFkyPwi+mbANtH/q59RA4PaMEp3P6wQjbKVpC:vUIpFNPwi0tHCfRZaiwIbEpC

Score

10^/10

glupteba discovery dropper evasion loader persistence rootkit

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 18 IoCs

resource	yara_rule
behavioral1/memory/3512-2-0x0000000003E60000-0x000000000474B000-memory.dmp	family_glupteba
behavioral1/memory/3512-3-0x0000000000400000-0x0000000001DFB000-memory.dmp	family_glupteba
behavioral1/memory/3512-78-0x0000000000400000-0x0000000001DFB000-memory.dmp	family_glupteba
behavioral1/memory/3512-104-0x0000000003E60000-0x000000000474B000-memory.dmp	family_glupteba
behavioral1/memory/3100-131-0x0000000000400000-0x0000000001DFB000-memory.dmp	family_glupteba
behavioral1/memory/3824-157-0x0000000000400000-0x0000000001DFB000-memory.dmp	family_glupteba
behavioral1/memory/3824-213-0x0000000000400000-0x0000000001DFB000-memory.dmp	family_glupteba
behavioral1/memory/3824-215-0x0000000000400000-0x0000000001DFB000-memory.dmp	family_glupteba
behavioral1/memory/3824-217-0x0000000000400000-0x0000000001DFB000-memory.dmp	family_glupteba
behavioral1/memory/3824-219-0x0000000000400000-0x0000000001DFB000-memory.dmp	family_glupteba
behavioral1/memory/3824-221-0x0000000000400000-0x0000000001DFB000-memory.dmp	family_glupteba
behavioral1/memory/3824-223-0x0000000000400000-0x0000000001DFB000-memory.dmp	family_glupteba
behavioral1/memory/3824-225-0x0000000000400000-0x0000000001DFB000-memory.dmp	family_glupteba
behavioral1/memory/3824-227-0x0000000000400000-0x0000000001DFB000-memory.dmp	family_glupteba
behavioral1/memory/3824-229-0x0000000000400000-0x0000000001DFB000-memory.dmp	family_glupteba
behavioral1/memory/3824-231-0x0000000000400000-0x0000000001DFB000-memory.dmp	family_glupteba
behavioral1/memory/3824-233-0x0000000000400000-0x0000000001DFB000-memory.dmp	family_glupteba
behavioral1/memory/3824-235-0x0000000000400000-0x0000000001DFB000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1696	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
3824	csrss.exe
1012	injector.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
File created	C:\Windows\rss\csrss.exe	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3168	schtasks.exe
4012	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3508	powershell.exe
3508	powershell.exe
3512	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
3512	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
3808	powershell.exe
3808	powershell.exe
3100	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
3100	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
3100	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
3100	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
3100	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
3100	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
3100	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
3100	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
3100	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
3100	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
1012	powershell.exe
1012	powershell.exe
1540	powershell.exe
1540	powershell.exe
3464	powershell.exe
3464	powershell.exe
4412	powershell.exe
4412	powershell.exe
1720	powershell.exe
1720	powershell.exe
1012	injector.exe
1012	injector.exe
1012	injector.exe
1012	injector.exe
1012	injector.exe
1012	injector.exe
3824	csrss.exe
3824	csrss.exe
1012	injector.exe
1012	injector.exe
1012	injector.exe
1012	injector.exe
1012	injector.exe
1012	injector.exe
3824	csrss.exe
3824	csrss.exe
1012	injector.exe
1012	injector.exe
1012	injector.exe
1012	injector.exe
1012	injector.exe
1012	injector.exe
1012	injector.exe
1012	injector.exe
1012	injector.exe
1012	injector.exe
1012	injector.exe
1012	injector.exe
1012	injector.exe
1012	injector.exe
1012	injector.exe
1012	injector.exe
1012	injector.exe
1012	injector.exe
1012	injector.exe
1012	injector.exe
1012	injector.exe
1012	injector.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3508	powershell.exe
Token: SeDebugPrivilege	3512	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Token: SeImpersonatePrivilege	3512	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
Token: SeDebugPrivilege	3808	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	3464	powershell.exe
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeSystemEnvironmentPrivilege	3824	csrss.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 3508	3512	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe	88
PID 3512 wrote to memory of 3508	3512	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe	88
PID 3512 wrote to memory of 3508	3512	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe	88
PID 3100 wrote to memory of 3808	3100	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe	93
PID 3100 wrote to memory of 3808	3100	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe	93
PID 3100 wrote to memory of 3808	3100	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe	93
PID 3100 wrote to memory of 4416	3100	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe	95
PID 3100 wrote to memory of 4416	3100	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe	95
PID 4416 wrote to memory of 1696	4416	cmd.exe	97
PID 4416 wrote to memory of 1696	4416	cmd.exe	97
PID 3100 wrote to memory of 1012	3100	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe	98
PID 3100 wrote to memory of 1012	3100	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe	98
PID 3100 wrote to memory of 1012	3100	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe	98
PID 3100 wrote to memory of 1540	3100	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe	100
PID 3100 wrote to memory of 1540	3100	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe	100
PID 3100 wrote to memory of 1540	3100	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe	100
PID 3100 wrote to memory of 3824	3100	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe	102
PID 3100 wrote to memory of 3824	3100	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe	102
PID 3100 wrote to memory of 3824	3100	f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe	102
PID 3824 wrote to memory of 3464	3824	csrss.exe	103
PID 3824 wrote to memory of 3464	3824	csrss.exe	103
PID 3824 wrote to memory of 3464	3824	csrss.exe	103
PID 3824 wrote to memory of 4412	3824	csrss.exe	109
PID 3824 wrote to memory of 4412	3824	csrss.exe	109
PID 3824 wrote to memory of 4412	3824	csrss.exe	109
PID 3824 wrote to memory of 1720	3824	csrss.exe	112
PID 3824 wrote to memory of 1720	3824	csrss.exe	112
PID 3824 wrote to memory of 1720	3824	csrss.exe	112
PID 3824 wrote to memory of 1012	3824	csrss.exe	114
PID 3824 wrote to memory of 1012	3824	csrss.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
"C:\Users\Admin\AppData\Local\Temp\f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3508
- C:\Users\Admin\AppData\Local\Temp\f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe
  "C:\Users\Admin\AppData\Local\Temp\f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080.exe"
  2⤵
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3808
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4416
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1696
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1012
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1540
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Manipulates WinMonFS driver.
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3824
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3464
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:4012
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:3856
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4412
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1720
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1012
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:3168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rzlthhto.q1a.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
70238a0b9d616c6f4aebd9de01bd1b13

SHA1
237725b6f591fa4de7655eaa93ef1d928b911a27

SHA256
c52de02e4f91eb40e363bc449c72c58277bffd65bf40741218d88ab40f2dc765

SHA512
f9e65a558ab83eb3d388129b73fe359dfa5f71b6b8bf5b6cc04e5f5c84ff0262438740ca7415676b99d48e8f7bee9d50d1095ff8ae04d6bc8061d2d8908edf7e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
1570c3053459dbcd9fff09ec1ecabea4

SHA1
6024375417639ef8e548e75414a799c1290e8dee

SHA256
3664c9b94f4cdf63941e7af7ebf593f0db23dc04c5852ea898adf3f890dcbf48

SHA512
4e778fd9b86fcf0c640430fa820d86a531c3f2645963095a06d2d2ed75ccaef41cde150d50b8ac433d093ff8e9318cbce77dcd280f47b01d978fa65e4ce2808b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
cbad59a22b93fb129fbb748e3442f307

SHA1
2dfc1451db53d94af5df6fdb3bfa9889198d2a1a

SHA256
2c7b2ed6ceadf563b1d40c0f819d08823a2536e64453ff681572050b2c6d64bd

SHA512
fe4686f50b173135fc5278f27dac750505824558fc5a5d90556d177c00a3c98d993e2f09a875009294e969713884b5f22c01969230816d7c52b40af3a98eb9ee

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
9d593e747b2be75874410096ec8ba296

SHA1
f6bb32cf43fd68b3bb38a23b3f68aa10caa0275b

SHA256
de404e2f9aeeaff7682ca1ff707b77ca7c3274aede9cd12c4b8f1a3f45c0d1b8

SHA512
358edc0b2a6bfb4f2a474911957e092903aff43b362e719f49620ccce6512842edbfb9d3941eb256b6a8e7bf41e6fe1bd3a797ce4d28ed8ffdc847c9ded6e487

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
d79f2997f7338219d79cd772a2349288

SHA1
ba3fec66f7c99e0e8a5c92ae3ec25c4b0ec60b50

SHA256
23da61d3d7c6f60b4d321d0c86300f47aba6067f6e7c40e457aca1551850928b

SHA512
d4f38ad8e2d1c2f01b86baf5883e5281e49baf4969901adf0ca178994a0b15774f154774274661a0d57c726b1fb1bbf332e65580e40e1805a78533ccb2d8856e

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
da51e953e46267c1c827280b45abe6fe

SHA1
77cbc46b84da88a8dbaf41aaca7dfaae0f03cc12

SHA256
f2eca1b504ee269508ce11165981431de9e61179dc138a168a4451753fb2b080

SHA512
2be393cac0569977808cea0f1d33d210218c2aaea39c9e118375e7d9909a9375217a27ecceeed95c452cc69ccd02ff2d53fc9321e6c8a20f17d991119452bb12

Download Submit
memory/1012-92-0x0000000070730000-0x000000007077C000-memory.dmp

Filesize
304KB

Download
memory/1012-93-0x0000000070EB0000-0x0000000071204000-memory.dmp

Filesize
3.3MB

Download
memory/1540-116-0x0000000070730000-0x000000007077C000-memory.dmp

Filesize
304KB

Download
memory/1540-117-0x0000000070EB0000-0x0000000071204000-memory.dmp

Filesize
3.3MB

Download
memory/1720-196-0x0000000070650000-0x000000007069C000-memory.dmp

Filesize
304KB

Download
memory/1720-197-0x0000000070DE0000-0x0000000071134000-memory.dmp

Filesize
3.3MB

Download
memory/3100-131-0x0000000000400000-0x0000000001DFB000-memory.dmp

Filesize
26.0MB

Download
memory/3464-145-0x0000000070EB0000-0x0000000071204000-memory.dmp

Filesize
3.3MB

Download
memory/3464-144-0x0000000070730000-0x000000007077C000-memory.dmp

Filesize
304KB

Download
memory/3508-22-0x00000000068E0000-0x000000000692C000-memory.dmp

Filesize
304KB

Download
memory/3508-25-0x00000000082E0000-0x000000000895A000-memory.dmp

Filesize
6.5MB

Download
memory/3508-29-0x0000000070730000-0x000000007077C000-memory.dmp

Filesize
304KB

Download
memory/3508-30-0x0000000070EB0000-0x0000000071204000-memory.dmp

Filesize
3.3MB

Download
memory/3508-40-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download
memory/3508-41-0x0000000007E00000-0x0000000007E1E000-memory.dmp

Filesize
120KB

Download
memory/3508-42-0x0000000007E20000-0x0000000007EC3000-memory.dmp

Filesize
652KB

Download
memory/3508-43-0x0000000007F10000-0x0000000007F1A000-memory.dmp

Filesize
40KB

Download
memory/3508-44-0x0000000007FD0000-0x0000000008066000-memory.dmp

Filesize
600KB

Download
memory/3508-45-0x0000000007F30000-0x0000000007F41000-memory.dmp

Filesize
68KB

Download
memory/3508-46-0x0000000007F70000-0x0000000007F7E000-memory.dmp

Filesize
56KB

Download
memory/3508-47-0x0000000007F80000-0x0000000007F94000-memory.dmp

Filesize
80KB

Download
memory/3508-48-0x0000000008070000-0x000000000808A000-memory.dmp

Filesize
104KB

Download
memory/3508-49-0x0000000007FB0000-0x0000000007FB8000-memory.dmp

Filesize
32KB

Download
memory/3508-52-0x0000000074890000-0x0000000075040000-memory.dmp

Filesize
7.7MB

Download
memory/3508-28-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/3508-26-0x0000000007B80000-0x0000000007B9A000-memory.dmp

Filesize
104KB

Download
memory/3508-27-0x0000000007DC0000-0x0000000007DF2000-memory.dmp

Filesize
200KB

Download
memory/3508-24-0x0000000007BE0000-0x0000000007C56000-memory.dmp

Filesize
472KB

Download
memory/3508-6-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download
memory/3508-23-0x0000000006D00000-0x0000000006D44000-memory.dmp

Filesize
272KB

Download
memory/3508-5-0x0000000005280000-0x00000000052B6000-memory.dmp

Filesize
216KB

Download
memory/3508-21-0x0000000006850000-0x000000000686E000-memory.dmp

Filesize
120KB

Download
memory/3508-20-0x0000000006270000-0x00000000065C4000-memory.dmp

Filesize
3.3MB

Download
memory/3508-10-0x0000000006200000-0x0000000006266000-memory.dmp

Filesize
408KB

Download
memory/3508-9-0x00000000060E0000-0x0000000006146000-memory.dmp

Filesize
408KB

Download
memory/3508-4-0x0000000074890000-0x0000000075040000-memory.dmp

Filesize
7.7MB

Download
memory/3508-7-0x0000000005A40000-0x0000000006068000-memory.dmp

Filesize
6.2MB

Download
memory/3508-8-0x0000000005890000-0x00000000058B2000-memory.dmp

Filesize
136KB

Download
memory/3512-103-0x00000000020C0000-0x00000000024BF000-memory.dmp

Filesize
4.0MB

Download
memory/3512-104-0x0000000003E60000-0x000000000474B000-memory.dmp

Filesize
8.9MB

Download
memory/3512-78-0x0000000000400000-0x0000000001DFB000-memory.dmp

Filesize
26.0MB

Download
memory/3512-1-0x00000000020C0000-0x00000000024BF000-memory.dmp

Filesize
4.0MB

Download
memory/3512-3-0x0000000000400000-0x0000000001DFB000-memory.dmp

Filesize
26.0MB

Download
memory/3512-2-0x0000000003E60000-0x000000000474B000-memory.dmp

Filesize
8.9MB

Download
memory/3808-76-0x0000000007C90000-0x0000000007CA1000-memory.dmp

Filesize
68KB

Download
memory/3808-75-0x0000000007970000-0x0000000007A13000-memory.dmp

Filesize
652KB

Download
memory/3808-60-0x0000000006120000-0x0000000006474000-memory.dmp

Filesize
3.3MB

Download
memory/3808-77-0x0000000007CE0000-0x0000000007CF4000-memory.dmp

Filesize
80KB

Download
memory/3808-64-0x0000000070730000-0x000000007077C000-memory.dmp

Filesize
304KB

Download
memory/3808-65-0x0000000070ED0000-0x0000000071224000-memory.dmp

Filesize
3.3MB

Download
memory/3824-223-0x0000000000400000-0x0000000001DFB000-memory.dmp

Filesize
26.0MB

Download
memory/3824-157-0x0000000000400000-0x0000000001DFB000-memory.dmp

Filesize
26.0MB

Download
memory/3824-235-0x0000000000400000-0x0000000001DFB000-memory.dmp

Filesize
26.0MB

Download
memory/3824-233-0x0000000000400000-0x0000000001DFB000-memory.dmp

Filesize
26.0MB

Download
memory/3824-231-0x0000000000400000-0x0000000001DFB000-memory.dmp

Filesize
26.0MB

Download
memory/3824-229-0x0000000000400000-0x0000000001DFB000-memory.dmp

Filesize
26.0MB

Download
memory/3824-227-0x0000000000400000-0x0000000001DFB000-memory.dmp

Filesize
26.0MB

Download
memory/3824-225-0x0000000000400000-0x0000000001DFB000-memory.dmp

Filesize
26.0MB

Download
memory/3824-213-0x0000000000400000-0x0000000001DFB000-memory.dmp

Filesize
26.0MB

Download
memory/3824-215-0x0000000000400000-0x0000000001DFB000-memory.dmp

Filesize
26.0MB

Download
memory/3824-217-0x0000000000400000-0x0000000001DFB000-memory.dmp

Filesize
26.0MB

Download
memory/3824-219-0x0000000000400000-0x0000000001DFB000-memory.dmp

Filesize
26.0MB

Download
memory/3824-221-0x0000000000400000-0x0000000001DFB000-memory.dmp

Filesize
26.0MB

Download
memory/4412-182-0x0000000007590000-0x0000000007633000-memory.dmp

Filesize
652KB

Download
memory/4412-159-0x0000000005D70000-0x00000000060C4000-memory.dmp

Filesize
3.3MB

Download
memory/4412-170-0x00000000063C0000-0x000000000640C000-memory.dmp

Filesize
304KB

Download
memory/4412-172-0x0000000070DE0000-0x0000000071134000-memory.dmp

Filesize
3.3MB

Download
memory/4412-171-0x0000000070650000-0x000000007069C000-memory.dmp

Filesize
304KB

Download
memory/4412-184-0x00000000056D0000-0x00000000056E4000-memory.dmp

Filesize
80KB

Download
memory/4412-183-0x0000000007920000-0x0000000007931000-memory.dmp

Filesize
68KB

Download