Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
09/05/2024, 19:19
Static task
static1
Behavioral task
behavioral1
Sample
01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
Resource
win10v2004-20240508-en
General
-
Target
01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
-
Size
4.1MB
-
MD5
a777e580115331f281253a66b4b2693a
-
SHA1
ed39eb27efe889bfbb506b32efaad08c5c31aa6e
-
SHA256
01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd
-
SHA512
22b0735b5f337314cd143bc03b1371bc384581069fd34829cad15ae4dfcb58ec6e0425514ed32bb73d9132e9733ba79d6f489557ffcdcd290b0d53729fa4f762
-
SSDEEP
98304:3pLl5dh/cY//0ytMliSDJIrO0tWgVy355J08nZmlsC/:5LlNLHtGNcOLFp5JFwlsC/
Malware Config
Signatures
-
Glupteba payload 19 IoCs
resource yara_rule
behavioral1/memory/3592-2-0x0000000004F50000-0x000000000583B000-memory.dmp family_glupteba
behavioral1/memory/3592-3-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral1/memory/3592-9-0x0000000000400000-0x0000000002EDD000-memory.dmp family_glupteba
behavioral1/memory/3592-58-0x0000000004F50000-0x000000000583B000-memory.dmp family_glupteba
behavioral1/memory/3592-60-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral1/memory/3592-59-0x0000000000400000-0x0000000002EDD000-memory.dmp family_glupteba
behavioral1/memory/1668-84-0x0000000000400000-0x0000000002EDD000-memory.dmp family_glupteba
behavioral1/memory/1668-140-0x0000000000400000-0x0000000002EDD000-memory.dmp family_glupteba
behavioral1/memory/2760-164-0x0000000000400000-0x0000000002EDD000-memory.dmp family_glupteba
behavioral1/memory/2760-222-0x0000000000400000-0x0000000002EDD000-memory.dmp family_glupteba
behavioral1/memory/2760-233-0x0000000000400000-0x0000000002EDD000-memory.dmp family_glupteba
behavioral1/memory/2760-236-0x0000000000400000-0x0000000002EDD000-memory.dmp family_glupteba
behavioral1/memory/2760-242-0x0000000000400000-0x0000000002EDD000-memory.dmp family_glupteba
behavioral1/memory/2760-245-0x0000000000400000-0x0000000002EDD000-memory.dmp family_glupteba
behavioral1/memory/2760-249-0x0000000000400000-0x0000000002EDD000-memory.dmp family_glupteba
behavioral1/memory/2760-252-0x0000000000400000-0x0000000002EDD000-memory.dmp family_glupteba
behavioral1/memory/2760-256-0x0000000000400000-0x0000000002EDD000-memory.dmp family_glupteba
behavioral1/memory/2760-261-0x0000000000400000-0x0000000002EDD000-memory.dmp family_glupteba
behavioral1/memory/2760-265-0x0000000000400000-0x0000000002EDD000-memory.dmp family_glupteba
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2132 netsh.exe -
Executes dropped EXE 4 IoCs
pid Process
2760 csrss.exe
632 injector.exe
3244 windefender.exe
4588 windefender.exe
-
UPX packed file 5 IoCs
resource yara_rule
behavioral1/files/0x0008000000023431-226.dat upx
behavioral1/memory/3244-228-0x0000000000400000-0x00000000008DF000-memory.dmp upx
behavioral1/memory/3244-232-0x0000000000400000-0x00000000008DF000-memory.dmp upx
behavioral1/memory/4588-237-0x0000000000400000-0x00000000008DF000-memory.dmp upx
behavioral1/memory/4588-244-0x0000000000400000-0x00000000008DF000-memory.dmp upx
-
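The upx hits above come from a simple static heuristic: a UPX-packed PE carries sections named UPX0/UPX1, its first section has no bytes on disk but a large virtual size (the region the stub unpacks into), and the UPX! pack-header magic usually survives in the file. The following is an added example, not code from the Triage report or from the UPX project: it walks the PE section table and reports those indicators. The header-only fixture built by build_minimal_pe() is constructed for the demonstration and is not the analysed sample.

```python
"""Static UPX-packing check for a PE file (the heuristic behind the `upx` YARA tag).

Added example, not part of the Triage report. build_minimal_pe() constructs a
synthetic header-only fixture for demonstration; it is not the analysed sample.
"""
import struct
import sys

COFF_HDR = struct.Struct("<HHIIIHH")         # IMAGE_FILE_HEADER (20 bytes)
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER (40 bytes)


def pe_sections(data: bytes) -> list[dict]:
    """Walk the section table and return name / virtual size / raw size per section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = COFF_HDR.unpack_from(data, e_lfanew + 4)
    off = e_lfanew + 4 + COFF_HDR.size + opt_size   # section table follows the optional header
    sections = []
    for _ in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _r1, _r2, _n1, _n2, _flags = SECTION_HDR.unpack_from(data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr})
        off += SECTION_HDR.size
    return sections


def upx_indicators(data: bytes) -> list[str]:
    """Return the reasons a file looks UPX-packed; an empty list means none were found."""
    secs = pe_sections(data)
    reasons = []
    upx_names = [s["name"] for s in secs if s["name"].startswith("UPX")]
    if upx_names:
        reasons.append("UPX-named sections: " + ", ".join(upx_names))
    # The first section of a UPX file is the empty-on-disk region the stub unpacks into:
    # zero bytes of raw data but a large virtual size.
    if secs and secs[0]["rawsize"] == 0 and secs[0]["vsize"] >= 0x1000:
        reasons.append(f"first section {secs[0]['name']!r} has no raw data but {secs[0]['vsize']:#x} bytes virtual")
    if b"UPX!" in data:
        reasons.append("UPX! pack-header magic present")
    return reasons


def build_minimal_pe(sections: list[tuple[str, int, int]]) -> bytes:
    """Constructed fixture: PE32 headers only, with the given (name, vsize, rawsize) sections."""
    e_lfanew = 0x40
    dos_header = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    optional_header = bytes(0xE0)            # IMAGE_OPTIONAL_HEADER32 size; contents unused here
    coff = COFF_HDR.pack(0x14C, len(sections), 0, 0, 0, len(optional_header), 0x0102)
    table = b"".join(
        SECTION_HDR.pack(name.encode("ascii"), vsize, 0x1000 * (i + 1), rawsize, 0x400, 0, 0, 0, 0, 0x60000020)
        for i, (name, vsize, rawsize) in enumerate(sections))
    return dos_header + b"PE\0\0" + coff + optional_header + table


# Section layouts modelled on a typical UPX-packed binary and on a plain compiler build (constructed).
PACKED_FIXTURE = build_minimal_pe([("UPX0", 0x4DF000, 0), ("UPX1", 0x1F4000, 0x1F3A00), (".rsrc", 0x2000, 0x1A00)])
CLEAN_FIXTURE = build_minimal_pe([(".text", 0x10000, 0x10000), (".rdata", 0x2000, 0x2000), (".data", 0x1000, 0x400)])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else PACKED_FIXTURE
    for reason in upx_indicators(data) or ["no UPX indicator"]:
        print(reason)
```

Run it with a file path to check a real binary; without arguments it checks the packed fixture. A packer can rename the sections, so the memory-dump hits in the report (the unpacked image at 0x400000-0x8DF000 in both windefender.exe processes) are the more robust signal; the static check is a cheap first pass.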
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected. \??\WinMonFS is the device name exposed by Glupteba's WinMonFS.sys rootkit driver; opening it is how the user-mode component talks to the driver.
description ioc Process
File opened for modification \??\WinMonFS csrss.exe
-
Drops file in System32 directory 7 IoCs
All seven hits are PowerShell's own start-up artifacts (the interactive start-up profile cache and the CLR usage log) written under the LocalSystem profile in SysWOW64, not payload files; the actual drops are listed under "Drops file in Windows directory" below.
description ioc Process
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM. The object opened here is not a DLL but the VirtualBox shared-folder mini-redirector device; it only exists inside a VirtualBox guest with Guest Additions installed.
description ioc Process
File opened (read-only) \??\VBoxMiniRdrDN 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
-
Drops file in Windows directory 4 IoCs
description ioc Process
File opened for modification C:\Windows\rss 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
File created C:\Windows\rss\csrss.exe 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
File created C:\Windows\windefender.exe csrss.exe
File opened for modification C:\Windows\windefender.exe csrss.exe
-
Launches sc.exe 1 IoCs
sc.exe is a Windows utility to control services on the system. Here it is used with sdset to rewrite the security descriptor of the WinDefender service (see the process tree).
pid Process
1860 sc.exe
-
Command and Scripting Interpreter: PowerShell 7 IoCs
pid Process
2028 powershell.exe
3604 powershell.exe
1848 powershell.exe
3136 powershell.exe
2704 powershell.exe
4664 powershell.exe
3920 powershell.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
4068 schtasks.exe
1516 schtasks.exe
-
Modifies data under HKEY_USERS 64 IoCs
The tzres.dll entries are MUI string-cache writes made when the sample and windefender.exe resolve time-zone display names; the SystemCertificates and ZoneMap keys are created by PowerShell initialising its certificate stores and Internet zone settings under HKU\.DEFAULT. None of these is a persistence artifact on its own; the persistence is the Run key and the scheduled task.
description ioc Process
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" windefender.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (consecutive repeats collapsed, count in parentheses)
3136 powershell.exe (2)
3592 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe (2)
2704 powershell.exe (2)
1668 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe (10)
4664 powershell.exe (2)
3920 powershell.exe (2)
2028 powershell.exe (2)
3604 powershell.exe (2)
1848 powershell.exe (2)
632 injector.exe (8)
2760 csrss.exe (2)
632 injector.exe (6)
2760 csrss.exe (2)
632 injector.exe (2)
2760 csrss.exe (2)
632 injector.exe (16)
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
SeSystemEnvironmentPrivilege (csrss.exe) is the privilege required to read or write UEFI firmware variables via GetFirmwareEnvironmentVariable/SetFirmwareEnvironmentVariable; SeSecurityPrivilege (sc.exe) is required because the sdset command below sets a SACL (the S: part of the descriptor).
description pid Process
Token: SeDebugPrivilege 3136 powershell.exe
Token: SeDebugPrivilege 3592 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
Token: SeImpersonatePrivilege 3592 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
Token: SeDebugPrivilege 2704 powershell.exe
Token: SeDebugPrivilege 4664 powershell.exe
Token: SeDebugPrivilege 3920 powershell.exe
Token: SeDebugPrivilege 2028 powershell.exe
Token: SeDebugPrivilege 3604 powershell.exe
Token: SeDebugPrivilege 1848 powershell.exe
Token: SeSystemEnvironmentPrivilege 2760 csrss.exe
Token: SeSecurityPrivilege 1860 sc.exe
Token: SeSecurityPrivilege 1860 sc.exe
-
Suspicious use of WriteProcessMemory 36 IoCs
Every recorded write is from a parent into a child it has just created (the pairs match the process tree edges); no write into a process the sample did not start is recorded, so this signature reflects process creation, not injection into a foreign process. The injection the sample does perform is the injector.exe/taskmgr.exe step in the tree.
description pid Process procid_target (repeated writes collapsed, count in parentheses)
PID 3592 wrote to memory of 3136 3592 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe 89 (3)
PID 1668 wrote to memory of 2704 1668 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe 94 (3)
PID 1668 wrote to memory of 4644 1668 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe 96 (2)
PID 4644 wrote to memory of 2132 4644 cmd.exe 98 (2)
PID 1668 wrote to memory of 4664 1668 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe 100 (3)
PID 1668 wrote to memory of 3920 1668 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe 102 (3)
PID 1668 wrote to memory of 2760 1668 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe 104 (3)
PID 2760 wrote to memory of 2028 2760 csrss.exe 106 (3)
PID 2760 wrote to memory of 3604 2760 csrss.exe 111 (3)
PID 2760 wrote to memory of 1848 2760 csrss.exe 114 (3)
PID 2760 wrote to memory of 632 2760 csrss.exe 116 (2)
PID 3244 wrote to memory of 3280 3244 windefender.exe 122 (3)
PID 3280 wrote to memory of 1860 3280 cmd.exe 123 (3)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3592
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -nologo -noprofile
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3136
  [2] C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe"
      - Adds Run key to start application
      - Checks for VirtualBox DLLs, possible anti-VM trick
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 1668
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2704
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        - Suspicious use of WriteProcessMemory
        PID: 4644
      [4] C:\Windows\system32\netsh.exe
          Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          - Modifies Windows Firewall
          PID: 2132
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4664
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3920
    [3] C:\Windows\rss\csrss.exe
        Command line: C:\Windows\rss\csrss.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Manipulates WinMonFS driver.
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2760
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -nologo -noprofile
          - Drops file in System32 directory
          - Command and Scripting Interpreter: PowerShell
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2028
      [4] C:\Windows\SYSTEM32\schtasks.exe
          Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          - Creates scheduled task(s)
          PID: 4068
      [4] C:\Windows\SYSTEM32\schtasks.exe
          Command line: schtasks /delete /tn ScheduledUpdate /f
          PID: 2540
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -nologo -noprofile
          - Drops file in System32 directory
          - Command and Scripting Interpreter: PowerShell
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3604
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -nologo -noprofile
          - Drops file in System32 directory
          - Command and Scripting Interpreter: PowerShell
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1848
      [4] C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          PID: 632
      [4] C:\Windows\SYSTEM32\schtasks.exe
          Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          - Creates scheduled task(s)
          PID: 1516
      [4] C:\Windows\windefender.exe
          Command line: "C:\Windows\windefender.exe"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          PID: 3244
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            - Suspicious use of WriteProcessMemory
            PID: 3280
          [6] C:\Windows\SysWOW64\sc.exe
              Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              - Launches sc.exe
              - Suspicious use of AdjustPrivilegeToken
              PID: 1860
[1] C:\Windows\windefender.exe
    Command line: C:\Windows\windefender.exe
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID: 4588
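The tree above carries the behaviours a detection engineer would key on: a binary named csrss.exe started from C:\Windows\rss instead of C:\Windows\System32, a netsh rule allowing inbound traffic for that path (the 32-bit sample reaches the 64-bit netsh.exe through the Sysnative alias), two schtasks /CREATE /SC ONLOGON /RL HIGHEST registrations for the same path, a windefender.exe placed directly in C:\Windows, and injector.exe loading a DLL named NtQuerySystemInformationHook.dll into taskmgr.exe (NtQuerySystemInformation is the API Task Manager uses to enumerate processes; hooking it inside taskmgr.exe is the classic user-mode way to hide a process). The following is an added example, not code from the Triage report: it runs four such rules over a constructed process-creation log. The ProcEvent record and the SAMPLE_EVENTS list are assumptions made for the demonstration (pids and command lines copied from the tree, plus one legitimate csrss.exe start that must not alert), not a real EDR schema or export.

```python
"""Detection rules over process-creation events, modelled on the process tree above.

Added example, not part of the Triage report. The ProcEvent schema and SAMPLE_EVENTS
are constructed for illustration (pids and command lines copied from the tree, plus
one legitimate csrss.exe start that must not alert); they are not an EDR export.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable that started
    cmdline: str    # command line as logged


SAMPLE_EXE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
              "01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd.exe")
INJECTOR_DIR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss\\injector"

SAMPLE_EVENTS = [
    ProcEvent(1668, 3592, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(2132, 4644, "C:\\Windows\\system32\\netsh.exe",
              'netsh advfirewall firewall add rule name="csrss" dir=in action=allow '
              'program="C:\\Windows\\rss\\csrss.exe" enable=yes'),
    ProcEvent(2760, 1668, "C:\\Windows\\rss\\csrss.exe", "C:\\Windows\\rss\\csrss.exe"),
    ProcEvent(4068, 2760, "C:\\Windows\\SYSTEM32\\schtasks.exe",
              'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\\Windows\\rss\\csrss.exe" /TN csrss /F'),
    ProcEvent(632, 2760, INJECTOR_DIR + "\\injector.exe",
              f"{INJECTOR_DIR}\\injector.exe taskmgr.exe {INJECTOR_DIR}\\NtQuerySystemInformationHook.dll"),
    ProcEvent(3244, 2760, "C:\\Windows\\windefender.exe", '"C:\\Windows\\windefender.exe"'),
    ProcEvent(9001, 800, "C:\\Windows\\System32\\csrss.exe", "C:\\Windows\\System32\\csrss.exe"),  # legitimate
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TRUSTED_DIRS = SYSTEM_DIRS + ("c:\\program files\\", "c:\\program files (x86)\\")
# Names that only ever run from System32; the same name anywhere else is masquerading.
SYSTEM_ONLY_NAMES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe", "services.exe", "lsass.exe"}
# Executables legitimately present directly under C:\Windows (illustrative; tune for your estate).
WINDOWS_ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe",
                      "bfsvc.exe", "splwow64.exe", "winhlp32.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokens(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping double-quoted strings whole."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def kv_args(cmdline: str) -> dict[str, str]:
    """key=value pairs as used by netsh (value may be quoted)."""
    return {k.lower(): q or bare
            for k, q, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', cmdline)}


def slash_flags(cmdline: str) -> dict[str, str]:
    """/FLAG value pairs as used by schtasks; valueless flags map to ''."""
    toks, flags, i = tokens(cmdline), {}, 0
    while i < len(toks):
        if toks[i].startswith("/"):
            has_val = i + 1 < len(toks) and not toks[i + 1].startswith("/")
            flags[toks[i][1:].upper()] = toks[i + 1] if has_val else ""
            i += 2 if has_val else 1
        else:
            i += 1
    return flags


def rule_masquerade(ev: ProcEvent):
    img, name = ev.image.lower(), basename(ev.image)
    if name in SYSTEM_ONLY_NAMES and not img.startswith(SYSTEM_DIRS):
        return f"system binary name {name} running from {ev.image}"
    root = "c:\\windows\\"
    if img.startswith(root) and "\\" not in img[len(root):] and name not in WINDOWS_ROOT_ALLOW:
        return f"unexpected executable directly under C:\\Windows: {ev.image}"
    return None


def rule_firewall_allow(ev: ProcEvent):
    if basename(ev.image) != "netsh.exe" or "advfirewall" not in ev.cmdline.lower():
        return None
    kv = kv_args(ev.cmdline)
    prog = kv.get("program", "")
    if kv.get("action", "").lower() == "allow" and prog and not prog.lower().startswith(TRUSTED_DIRS):
        return f"firewall allow rule ({kv.get('dir', '?')}) for non-standard program: {prog}"
    return None


def rule_logon_task(ev: ProcEvent):
    if basename(ev.image) != "schtasks.exe":
        return None
    f = slash_flags(ev.cmdline)
    if ("CREATE" in f and f.get("SC", "").upper() in {"ONLOGON", "ONSTART"}
            and f.get("RL", "").upper() == "HIGHEST"
            and not f.get("TR", "").lower().startswith(TRUSTED_DIRS)):
        return f"elevated {f['SC']} task {f.get('TN', '?')} -> {f.get('TR')}"
    return None


def rule_dll_injector(ev: ProcEvent):
    # A command line naming both a target .exe and a .dll is the shape of a standalone injector.
    args = tokens(ev.cmdline)[1:]
    dlls = [a for a in args if a.lower().endswith(".dll")]
    exes = [a for a in args if a.lower().endswith(".exe")]
    if dlls and exes:
        return f"possible DLL injection: {exes[0]} <- {basename(dlls[0])}"
    return None


RULES = (rule_masquerade, rule_firewall_allow, rule_logon_task, rule_dll_injector)


def scan(events):
    """Return (pid, message) for every rule that fires, in event order."""
    return [(ev.pid, msg) for ev in events for rule in RULES if (msg := rule(ev))]


if __name__ == "__main__":
    for pid, msg in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {msg}")
```

The masquerade rule is the one that needs the most tuning: a flat "anything directly under C:\Windows" check fires on a handful of legitimate Microsoft binaries, so the allow list has to come from a baseline of the estate rather than from guesswork. The Run key under the user hive is not a process event and is not covered here; it pairs with the ONLOGON task as a second trigger for the same path.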
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
- Scheduled Task/Job (1)
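The `sc sdset WinDefender ...` step at the bottom of the csrss.exe subtree rewrites the security descriptor of a service named WinDefender (the genuine Microsoft Defender Antivirus service is WinDefend). Read as SDDL, the DACL is the stock default service descriptor with SERVICE_STOP (WP) and SERVICE_PAUSE_CONTINUE (DT) removed from the Administrators allow ACE and then explicitly denied to Administrators, so an administrator can no longer stop the service from the Services console or with `sc stop`/`net stop`, while LocalSystem still can. Setting the S: (SACL) part is why sc.exe needed SeSecurityPrivilege. The parser below is an added example, not code from the report or from Triage; the rights table is the standard SDDL-to-service-rights mapping and the input string is copied from the command line in the tree.

```python
"""Parse the service security descriptor set by `sc sdset WinDefender ...` and
explain what each ACE grants or denies.

Added example, not part of the Triage report. SERVICE_RIGHTS is the standard
SDDL two-letter mapping for service objects; SDDL_FROM_REPORT is the string from
the report's process tree.
"""
import re

SDDL_FROM_REPORT = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
SIDS = {"SY": "LocalSystem", "BA": "Builtin\\Administrators", "IU": "Interactive users",
        "SU": "Service logon users", "WD": "Everyone"}


def split_rights(rights: str) -> list[str]:
    """'CCLCSW' -> ['CC', 'LC', 'SW']; a hex access mask is returned unchanged."""
    if rights.startswith("0x"):
        return [rights]
    if len(rights) % 2:
        raise ValueError(f"odd-length rights string: {rights}")
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def parse_aces(acl: str) -> list[dict]:
    """Each ACE is (type;flags;rights;object_guid;inherit_guid;sid)."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", acl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = fields
        aces.append({"type": ACE_TYPES.get(ace_type, ace_type), "flags": flags,
                     "rights": split_rights(rights), "sid": sid})
    return aces


def parse_sddl(sddl: str) -> dict:
    """Return {'dacl': [...], 'sacl': [...]}; O:/G: owner and group parts are ignored."""
    d = sddl.find("D:")
    if d < 0:
        raise ValueError("no DACL in SDDL string")
    s = sddl.find("S:", d)
    dacl = sddl[d + 2:s] if s >= 0 else sddl[d + 2:]
    sacl = sddl[s + 2:] if s >= 0 else ""
    return {"dacl": parse_aces(dacl), "sacl": parse_aces(sacl)}


def who_can(parsed: dict, right: str) -> tuple[set[str], set[str]]:
    """(SIDs allowed, SIDs explicitly denied) for one service right such as 'WP'.

    Simplification: reads the DACL per SID without group expansion or ACE-order
    evaluation, which is enough to read a service descriptor by eye."""
    allowed = {a["sid"] for a in parsed["dacl"] if a["type"] == "allow" and right in a["rights"]}
    denied = {a["sid"] for a in parsed["dacl"] if a["type"] == "deny" and right in a["rights"]}
    return allowed - denied, denied


def describe(sddl: str) -> list[str]:
    """Human-readable reading of the DACL plus who can start/stop/pause/re-ACL the service."""
    parsed = parse_sddl(sddl)
    lines = []
    for ace in parsed["dacl"]:
        rights = ", ".join(SERVICE_RIGHTS.get(r, r) for r in ace["rights"])
        lines.append(f"{ace['type']:5} {SIDS.get(ace['sid'], ace['sid'])}: {rights}")
    for right, verb in (("RP", "start"), ("WP", "stop"), ("DT", "pause/continue"), ("WD", "rewrite the DACL")):
        allowed, denied = who_can(parsed, right)
        lines.append(f"can {verb}: {sorted(allowed) or '-'}; explicitly denied: {sorted(denied) or '-'}")
    return lines


if __name__ == "__main__":
    for line in describe(SDDL_FROM_REPORT):
        print(line)
```

Because Administrators keep WD (WRITE_DAC) and WO (WRITE_OWNER) in this descriptor, an elevated `sc sdset` can restore the default DACL once the service binary has been quarantined; a descriptor that also stripped WD from BA would need a SYSTEM token to undo. The same parser applies to any `sc sdshow` output, which is the quickest way to find services that have been re-ACLed this way.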
Downloads
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize 281KB
MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize 2KB
MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 767223bf100608b0b8ded436f17178f1
SHA1 a5c56fb7f5a1b6b4b1d4a2f1cd1786fe83a92b58
SHA256 33989b148155dacea6f5f0af89abf484783154cffff203cf844e75eb61473813
SHA512 51975869ca1f310fc2c118432f6b07739f19f609889572f9e1aaf4501bd41cfdec9fa09f4ffba8d92439aad588b9821db2796f4b7605bdb6300a559303963f4f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 6ad36a13955a7fa0ceef05515ab71d9a
SHA1 f58155b6925ce0a3a3fe2e7ce1afb8eb00b2b31a
SHA256 c86312ab2839942b319c49b2c9663de285a8035d953a1206410ad44525d6c95c
SHA512 2b863df0fb088ef09a3d7da3e86d57ac2a85f3224286c219de33e5b2117b40b5703bc12dbdec5af5b7d6b26b36290d91de25fb55dd066a6cfb9381442d9afef8
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 a18be15ee385e267e157d47abbdbe765
SHA1 9f77d26907d3801a86d30a1a34e58de00be58abe
SHA256 05ebb2f687f94893c42683a745752e7cd40e157f3c45b95b067076d6e343401b
SHA512 d0ca2ff16ae4ac256f7083627f5975a25bed2bd7ad4d949a32198af22cd2b0a21a33962c353f995eb34250ac5616177ec0c8c90a45dc30f160a69fce8cb890cb
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 9c5bc98f9c02b154d38a2d41ed1575a6
SHA1 c0a32875ba787c85edafdc5135055e5b88483d66
SHA256 fa291c81201645ec6ea27f85d39146866e2c1f4a35577d72c8f824f98002bfb7
SHA512 8180b714ce713578253840cacb9e1cbd63fe0c16128956c65d51c4ac87fe774213f605100a315035c48e8b4d3b0feb8d0178288af5078ea8aa3eb9ce4f48cfa6
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 c7f201b4bdf240b17f8fcaa8c917a003
SHA1 a9dd09bacbb17443628c84b8df7c6e9ad7b3d70b
SHA256 862f2c3773328bd791c1cb769b50ad5b70b7b31c9d908928f604dc919017a38e
SHA512 89f129e3703fa2961518f9094aae17181af0d757f7e9d2ea7519c5f1200c13bffdb1a32cfe5b8bcce8dff69ffc23e49e0b29b94e236963f9b8efc1607e1bc661
-
Filesize 4.1MB (identical hashes to the submitted sample)
MD5 a777e580115331f281253a66b4b2693a
SHA1 ed39eb27efe889bfbb506b32efaad08c5c31aa6e
SHA256 01fb4c9ee6e97726d796ff60a12396e6678121363a343188d7e58b8997202bbd
SHA512 22b0735b5f337314cd143bc03b1371bc384581069fd34829cad15ae4dfcb58ec6e0425514ed32bb73d9132e9733ba79d6f489557ffcdcd290b0d53729fa4f762
-
Filesize 2.0MB
MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec