Analysis
  max time kernel:   149s
  max time network:  149s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240508-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         09/05/2024, 19:27
  Static task:       static1
  Behavioral task:   behavioral1
  Sample:            dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe
  Resource:          win10v2004-20240508-en

General
  Target:  dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe
  Size:    4.1MB
  MD5:     1e10e303d8fa2fffe18a9a771aced539
  SHA1:    20339790f812489b837adae6a3481d729543a11b
  SHA256:  dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159
  SHA512:  dd6a74c13e735fe43093cfb1a291f9b5057cf1619531c46b257370077434cd08e5e15dd4f0c1a2198851d0aa6d0dd2552dcc38c6a2bb075a8f17b829bb13cbd2
  SSDEEP:  98304:lwBco1salv4p8AdbboIKOJLJ1nO5Zld79mTpw:lwqoWyv4yANjKQa7oG
Malware Config
Signatures
Glupteba payload  (19 IoCs)
  resource                                                                       yara_rule
  behavioral1/memory/3880-2-0x00000000050D0000-0x00000000059BB000-memory.dmp     family_glupteba
  behavioral1/memory/3880-3-0x0000000000400000-0x0000000000D1C000-memory.dmp     family_glupteba
  behavioral1/memory/3880-4-0x0000000000400000-0x0000000002ED5000-memory.dmp     family_glupteba
  behavioral1/memory/3880-58-0x00000000050D0000-0x00000000059BB000-memory.dmp    family_glupteba
  behavioral1/memory/3880-56-0x0000000000400000-0x0000000002ED5000-memory.dmp    family_glupteba
  behavioral1/memory/3880-59-0x0000000000400000-0x0000000000D1C000-memory.dmp    family_glupteba
  behavioral1/memory/1776-83-0x0000000000400000-0x0000000002ED5000-memory.dmp    family_glupteba
  behavioral1/memory/1776-137-0x0000000000400000-0x0000000002ED5000-memory.dmp   family_glupteba
  behavioral1/memory/1192-141-0x0000000000400000-0x0000000002ED5000-memory.dmp   family_glupteba
  behavioral1/memory/1192-215-0x0000000000400000-0x0000000002ED5000-memory.dmp   family_glupteba
  behavioral1/memory/1192-228-0x0000000000400000-0x0000000002ED5000-memory.dmp   family_glupteba
  behavioral1/memory/1192-233-0x0000000000400000-0x0000000002ED5000-memory.dmp   family_glupteba
  behavioral1/memory/1192-236-0x0000000000400000-0x0000000002ED5000-memory.dmp   family_glupteba
  behavioral1/memory/1192-239-0x0000000000400000-0x0000000002ED5000-memory.dmp   family_glupteba
  behavioral1/memory/1192-242-0x0000000000400000-0x0000000002ED5000-memory.dmp   family_glupteba
  behavioral1/memory/1192-245-0x0000000000400000-0x0000000002ED5000-memory.dmp   family_glupteba
  behavioral1/memory/1192-248-0x0000000000400000-0x0000000002ED5000-memory.dmp   family_glupteba
  behavioral1/memory/1192-251-0x0000000000400000-0x0000000002ED5000-memory.dmp   family_glupteba
  behavioral1/memory/1192-254-0x0000000000400000-0x0000000002ED5000-memory.dmp   family_glupteba
Modifies Windows Firewall  (2 TTPs, 1 IoC)
  pid   Process
  3432  netsh.exe
Executes dropped EXE  (4 IoCs)
  pid   Process
  1192  csrss.exe
  640   injector.exe
  3184  windefender.exe
  1496  windefender.exe
UPX-packed file (yara rule upx)  (6 IoCs)
  The dropped windefender.exe and both of its running instances match the upx packer rule.
  resource                                                                       yara_rule
  behavioral1/files/0x000800000002341e-224.dat                                   upx
  behavioral1/memory/3184-225-0x0000000000400000-0x00000000008DF000-memory.dmp   upx
  behavioral1/memory/1496-229-0x0000000000400000-0x00000000008DF000-memory.dmp   upx
  behavioral1/memory/3184-231-0x0000000000400000-0x00000000008DF000-memory.dmp   upx
  behavioral1/memory/1496-234-0x0000000000400000-0x00000000008DF000-memory.dmp   upx
  behavioral1/memory/1496-240-0x0000000000400000-0x00000000008DF000-memory.dmp   upx
Adds Run key to start application  (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                   Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""   dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""   csrss.exe
Checks installed software on the system  (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Manipulates WinMonFS driver  (1 IoC)
  Rootkits write to the WinMonFS device to hide directories and files from detection.
  description                   ioc           Process
  File opened for modification  \??\WinMonFS  csrss.exe
Drops file in System32 directory  (7 IoCs)
  All seven paths are under C:\Windows\SysWOW64\config\systemprofile, the profile directory of the LocalSystem account; PowerShell only writes its CLR usage log and startup profile data there when it is running as SYSTEM.
  description                   ioc                                                                                                               Process
  File created                  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log           powershell.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe  (5 hits)
  File created                  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
Checks for VirtualBox DLLs, possible anti-VM trick  (1 TTPs, 1 IoC)
  Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
  The object probed here is not a DLL but the device name of the VirtualBox shared-folder driver; opening it only succeeds inside a VirtualBox guest with Guest Additions installed.
  description              ioc                Process
  File opened (read-only)  \??\VBoxMiniRdrDN  dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe
Drops file in Windows directory  (4 IoCs)
  description                   ioc                         Process
  File opened for modification  C:\Windows\rss              dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe
  File created                  C:\Windows\rss\csrss.exe    dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe
  File created                  C:\Windows\windefender.exe  csrss.exe
  File opened for modification  C:\Windows\windefender.exe  csrss.exe
Launches sc.exe  (1 IoC)
  sc.exe is a Windows utility to control services on the system.
  pid   Process
  1012  sc.exe
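The sc.exe launch above is worth decoding rather than just counting: the command line recorded for PID 1012 in the process tree is `sc sdset WinDefender <SDDL>`, which rewrites the security descriptor of the WinDefender service. The following Python is an added example for this page (not code from the sample, the sandbox, or any vendor). It parses that exact SDDL string, expands the two-letter right codes as the Service Control Manager interprets them for service objects, and runs a simplified access check to show who is still allowed to stop the service. Assumptions: the SDDL grammar subset used here (no owner/group, no DACL control flags, two-letter well-known trustees only), and the function and constant names, which are this example's own.

```python
"""Decode the service DACL applied by `sc sdset WinDefender ...` in this report
and evaluate who can still issue SERVICE_STOP. Added example; not sample code."""
import re

# Copied verbatim from the sc.exe command line in the process tree (PID 1012).
SDDL_FROM_REPORT = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
    "(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(D;;WPDT;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)"
    "(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# SDDL right codes as the SCM maps them onto service-specific access bits.
SERVICE_RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001),
    "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "LC": ("SERVICE_QUERY_STATUS", 0x0004),
    "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010),
    "WP": ("SERVICE_STOP", 0x0020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040),
    "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100),
    "SD": ("DELETE", 0x10000),
    "RC": ("READ_CONTROL", 0x20000),
    "WD": ("WRITE_DAC", 0x40000),
    "WO": ("WRITE_OWNER", 0x80000),
}
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive users",
            "SU": "Service logon users", "WD": "Everyone"}

# (ace_type;ace_flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\((A|D|AU);([A-Z]*);([A-Z]*);;;([A-Z]{2})\)")


def rights_mask(letters):
    """'WPDT' -> SERVICE_STOP | SERVICE_PAUSE_CONTINUE (0x60)."""
    mask = 0
    for i in range(0, len(letters), 2):
        code = letters[i:i + 2]
        if code not in SERVICE_RIGHTS:
            raise ValueError(f"unknown right {code!r}")
        mask |= SERVICE_RIGHTS[code][1]
    return mask


def parse_sddl(sddl):
    """Return (dacl, sacl), each a list of (ace_type, flags, mask, trustee).
    Only the subset present in this report is supported; anything else raises."""
    d = sddl.index("D:")
    s = sddl.find("S:", d)
    parts = {"D": sddl[d + 2:s] if s != -1 else sddl[d + 2:],
             "S": sddl[s + 2:] if s != -1 else ""}
    out = {}
    for key, text in parts.items():
        aces = list(ACE_RE.finditer(text))
        if "".join(m.group(0) for m in aces) != text:
            raise ValueError(f"unsupported SDDL in {key}: {text!r}")
        out[key] = [(m.group(1), m.group(2), rights_mask(m.group(3)), m.group(4))
                    for m in aces]
    return out["D"], out["S"]


def access_check(dacl, trustee, wanted):
    """Walk the DACL in order like the kernel does for a token holding only
    `trustee`: a matching deny ACE that overlaps still-wanted bits fails the
    check, allow ACEs accumulate until every wanted bit is granted."""
    granted = 0
    for ace_type, _flags, mask, sid in dacl:
        if sid != trustee:
            continue
        if ace_type == "D" and mask & (wanted & ~granted):
            return False
        if ace_type == "A":
            granted |= mask & wanted
            if granted == wanted:
                return True
    return granted == wanted


def who_can_stop(sddl):
    """Map each well-known trustee code to whether it may request SERVICE_STOP."""
    dacl, _ = parse_sddl(sddl)
    return {code: access_check(dacl, code, SERVICE_RIGHTS["WP"][1]) for code in TRUSTEES}


def describe(sddl):
    """Human-readable lines, one per ACE."""
    dacl, sacl = parse_sddl(sddl)
    lines = []
    for ace_type, _flags, mask, sid in dacl:
        names = [n for n, bit in SERVICE_RIGHTS.values() if mask & bit]
        lines.append(f"{'DENY' if ace_type == 'D' else 'allow':5} "
                     f"{TRUSTEES.get(sid, sid):20} {', '.join(names)}")
    for _ace_type, flags, mask, sid in sacl:
        lines.append(f"audit {TRUSTEES.get(sid, sid):20} flags={flags} mask=0x{mask:05x}")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(SDDL_FROM_REPORT)))
    for code, ok in who_can_stop(SDDL_FROM_REPORT).items():
        print(f"{TRUSTEES[code]:20} can stop WinDefender: {ok}")
```

What the decode shows: the Administrators allow ACE has had SERVICE_STOP and SERVICE_PAUSE_CONTINUE removed from the usual default, and a separate deny ACE for the same two rights follows it, so `sc stop` or `net stop WinDefender` from an elevated prompt fails while LocalSystem can still stop it. The string is not in canonical order (deny after allow), but because the allow ACE never grants WP or DT the result is the same. Administrators do keep WRITE_DAC and DELETE, which is the practical cleanup route: reset the descriptor with `sc sdset` as an administrator (or run as SYSTEM) before attempting to stop or delete the service. The SACL entry auditing Everyone is the Windows default and explains the SeSecurityPrivilege use recorded for sc.exe, since writing a SACL requires that privilege.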
Command and Scripting Interpreter: PowerShell  (7 IoCs)
  pid   Process
  3784  powershell.exe
  3584  powershell.exe
  3724  powershell.exe
  4252  powershell.exe
  4940  powershell.exe
  4100  powershell.exe
  3916  powershell.exe
Creates scheduled task(s)  (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  692   schtasks.exe
  4672  schtasks.exe
Modifies data under HKEY_USERS  (64 IoCs)
  HKEY_USERS\.DEFAULT is the hive of the LocalSystem account, so every write below came from a process running as SYSTEM. The tzres.dll entries under MuiCache are a side effect of the process resolving time-zone display names, and the SystemCertificates and ZoneMap keys are created when PowerShell initialises its certificate store and Internet zone settings for a profile that has never run it; none of these is a persistence mechanism in itself.
  In the list, MUI = \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E and DEF = \REGISTRY\USER\.DEFAULT\Software.
  description      ioc                                                                        Process
  Set value (str)  MUI\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"                     windefender.exe
  Key created      DEF\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\              powershell.exe
  Set value (int)  DEF\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     powershell.exe
  Set value (int)  DEF\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   powershell.exe
  Key created      DEF\Policies\Microsoft\SystemCertificates\Disallowed                         powershell.exe
  Key created      DEF\Policies\Microsoft\SystemCertificates\trust\Certificates                 powershell.exe
  Set value (str)  MUI\@tzres.dll,-2591 = "Tocantins Daylight Time"                            windefender.exe
  Set value (str)  MUI\@tzres.dll,-751 = "Tonga Daylight Time"                                 windefender.exe
  Set value (str)  MUI\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"     dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe
  Key created      DEF\Policies\Microsoft\SystemCertificates\Disallowed\CRLs                    powershell.exe
  Set value (str)  MUI\@tzres.dll,-772 = "Montevideo Standard Time"                            windefender.exe
  Set value (str)  MUI\@tzres.dll,-892 = "Morocco Standard Time"                               windefender.exe
  Key created      DEF\Policies\Microsoft\SystemCertificates\Disallowed\CTLs                    powershell.exe
  Set value (str)  MUI\@tzres.dll,-442 = "Arabian Standard Time"                               windefender.exe
  Set value (str)  MUI\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"         dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe
  Key created      DEF\Microsoft\SystemCertificates\TrustedPeople\CTLs                          powershell.exe
  Key created      DEF\Microsoft\SystemCertificates\trust\CTLs                                  powershell.exe
  Set value (int)  DEF\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     powershell.exe
  Key created      DEF\Policies\Microsoft\SystemCertificates\TrustedPeople                      powershell.exe
  Key created      DEF\Microsoft\SystemCertificates\trust\CTLs                                  powershell.exe
  Set value (str)  MUI\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"  dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe
  Set value (str)  MUI\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"       dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe
  Set value (str)  MUI\@tzres.dll,-1472 = "Magadan Standard Time"                              windefender.exe
  Set value (str)  MUI\@tzres.dll,-1872 = "Russia TZ 7 Standard Time"                          windefender.exe
  Key created      DEF\Microsoft\SystemCertificates\Root                                        powershell.exe
  Set value (str)  MUI\@tzres.dll,-2512 = "Lord Howe Standard Time"                            windefender.exe
  Key created      DEF\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs                 powershell.exe
  Key created      DEF\Microsoft\SystemCertificates\SmartCardRoot\Certificates                  powershell.exe
  Set value (str)  MUI\@tzres.dll,-221 = "Alaskan Daylight Time"                               windefender.exe
  Set value (str)  MUI\@tzres.dll,-491 = "India Daylight Time"                                 windefender.exe
  Set value (str)  MUI\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"   dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe
  Set value (str)  MUI\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"           dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe
  Key created      DEF\Policies\Microsoft\SystemCertificates\trust                              powershell.exe
  Key created      DEF\Policies\Microsoft\SystemCertificates\trust\CTLs                         powershell.exe
  Set value (str)  MUI\@tzres.dll,-392 = "Arab Standard Time"                                  windefender.exe
  Set value (str)  MUI\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"          dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe
  Set value (str)  MUI\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"           dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe
  Set value (str)  MUI\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"  dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe
  Key created      DEF\Policies\Microsoft\SystemCertificates\Disallowed\Certificates            powershell.exe
  Key created      DEF\Policies\Microsoft\SystemCertificates\CA                                 powershell.exe
  Set value (str)  MUI\@tzres.dll,-2001 = "Cabo Verde Daylight Time"                           windefender.exe
  Set value (str)  MUI\@tzres.dll,-2531 = "Chatham Islands Daylight Time"                      windefender.exe
  Set value (str)  MUI\@tzres.dll,-242 = "Samoa Standard Time"                                 windefender.exe
  Set value (str)  MUI\@tzres.dll,-3141 = "South Sudan Daylight Time"                          windefender.exe
  Set value (str)  MUI\@tzres.dll,-2571 = "Turks and Caicos Daylight Time"                     windefender.exe
  Set value (str)  MUI\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"       dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe
  Key created      DEF\Policies\Microsoft\SystemCertificates\CA\Certificates                    powershell.exe
  Key created      DEF\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs                 powershell.exe
  Set value (str)  MUI\@tzres.dll,-872 = "Pakistan Standard Time"                              windefender.exe
  Set value (str)  MUI\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"            dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe
  Set value (int)  DEF\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   powershell.exe
  Key created      DEF\Microsoft\SystemCertificates\SmartCardRoot\Certificates                  powershell.exe
  Key created      DEF\Microsoft\SystemCertificates\trust\Certificates                          powershell.exe
  Set value (str)  MUI\@tzres.dll,-11 = "Azores Daylight Time"                                 windefender.exe
  Set value (str)  MUI\@tzres.dll,-2061 = "North Korea Daylight Time"                          windefender.exe
  Set value (str)  MUI\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"                          windefender.exe
  Set value (str)  MUI\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"          dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe
  Key created      DEF\Microsoft\SystemCertificates\Root\CTLs                                   powershell.exe
  Set value (str)  MUI\@tzres.dll,-441 = "Arabian Daylight Time"                               windefender.exe
  Set value (str)  MUI\@tzres.dll,-1662 = "Bahia Standard Time"                                windefender.exe
  Set value (str)  MUI\@tzres.dll,-452 = "Caucasus Standard Time"                              windefender.exe
  Set value (int)  DEF\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    powershell.exe
  Key created      DEF\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs                 powershell.exe
  Set value (int)  DEF\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   powershell.exe
Suspicious behavior: EnumeratesProcesses  (64 IoCs)
  pid   Process                                                                 hits
  3880  dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe   2
  1776  dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe   10
  4252  powershell.exe                                                          2
  4940  powershell.exe                                                          2
  4100  powershell.exe                                                          2
  3916  powershell.exe                                                          2
  3784  powershell.exe                                                          2
  3584  powershell.exe                                                          2
  3724  powershell.exe                                                          2
  1192  csrss.exe                                                               6
  640   injector.exe                                                            32
Suspicious use of AdjustPrivilegeToken  (12 IoCs)
  Token                         pid   Process
  SeDebugPrivilege              4252  powershell.exe
  SeDebugPrivilege              3880  dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe
  SeImpersonatePrivilege        3880  dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe
  SeDebugPrivilege              4940  powershell.exe
  SeDebugPrivilege              4100  powershell.exe
  SeDebugPrivilege              3916  powershell.exe
  SeDebugPrivilege              3784  powershell.exe
  SeDebugPrivilege              3584  powershell.exe
  SeDebugPrivilege              3724  powershell.exe
  SeSystemEnvironmentPrivilege  1192  csrss.exe
  SeSecurityPrivilege           1012  sc.exe
  SeSecurityPrivilege           1012  sc.exe
  Two of these are more telling than the PowerShell SeDebugPrivilege noise: SeSystemEnvironmentPrivilege is the privilege required to read or write UEFI firmware variables (GetFirmwareEnvironmentVariable / SetFirmwareEnvironmentVariable), and SeSecurityPrivilege is needed by sc.exe to write the SACL portion of the service descriptor it sets.
Suspicious use of WriteProcessMemory  (36 IoCs)
  Every pair below is a parent writing into a child it has just launched, which is how the sandbox records process creation; the one genuine injection in this run, injector.exe (PID 640) targeting taskmgr.exe, does not appear in this list.
  pid   Process                                                                 wrote to  target Process   procid_target  hits
  3880  dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe   4252      powershell.exe   89             3
  1776  dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe   4940      powershell.exe   94             3
  1776  dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe   5052      cmd.exe          97             2
  5052  cmd.exe                                                                 3432      netsh.exe        99             2
  1776  dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe   4100      powershell.exe   100            3
  1776  dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe   3916      powershell.exe   103            3
  1776  dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe   1192      csrss.exe        105            3
  1192  csrss.exe                                                               3784      powershell.exe   106            3
  1192  csrss.exe                                                               3584      powershell.exe   112            3
  1192  csrss.exe                                                               3724      powershell.exe   114            3
  1192  csrss.exe                                                               640       injector.exe     116            2
  3184  windefender.exe                                                         5020      cmd.exe          122            3
  5020  cmd.exe                                                                 1012      sc.exe           123            3
Uses Task Scheduler COM API  (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Depth in the tree is shown by the bracketed number and indentation; the cmdline is the command line the sandbox recorded for that process.

[1] C:\Users\Admin\AppData\Local\Temp\dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe   PID 3880
    cmdline: "C:\Users\Admin\AppData\Local\Temp\dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe   PID 4252
      cmdline: powershell -nologo -noprofile
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Users\Admin\AppData\Local\Temp\dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe   PID 1776  (second instance of the sample, launched by PID 3880)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159.exe"
      - Adds Run key to start application
      - Checks for VirtualBox DLLs, possible anti-VM trick
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe   PID 4940
        cmdline: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\cmd.exe   PID 5052
        cmdline: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\netsh.exe   PID 3432
          cmdline: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          - Modifies Windows Firewall

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe   PID 4100
        cmdline: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe   PID 3916
        cmdline: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\rss\csrss.exe   PID 1192  (dropped copy; the legitimate csrss.exe lives in C:\Windows\System32)
        cmdline: C:\Windows\rss\csrss.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Manipulates WinMonFS driver
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe   PID 3784
          cmdline: powershell -nologo -noprofile
          - Drops file in System32 directory
          - Command and Scripting Interpreter: PowerShell
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SYSTEM32\schtasks.exe   PID 692
          cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          - Creates scheduled task(s)

      [4] C:\Windows\SYSTEM32\schtasks.exe   PID 4140
          cmdline: schtasks /delete /tn ScheduledUpdate /f

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe   PID 3584
          cmdline: powershell -nologo -noprofile
          - Drops file in System32 directory
          - Command and Scripting Interpreter: PowerShell
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe   PID 3724
          cmdline: powershell -nologo -noprofile
          - Drops file in System32 directory
          - Command and Scripting Interpreter: PowerShell
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe   PID 640
          cmdline: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses

      [4] C:\Windows\SYSTEM32\schtasks.exe   PID 4672
          cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          - Creates scheduled task(s)

      [4] C:\Windows\windefender.exe   PID 3184
          cmdline: "C:\Windows\windefender.exe"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\cmd.exe   PID 5020
            cmdline: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\sc.exe   PID 1012
              cmdline: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              - Launches sc.exe
              - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\windefender.exe   PID 1496  (started outside the tree; no parent among the sample's processes)
    cmdline: C:\Windows\windefender.exe
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
Downloads

Filesize  60B
  MD5     d17fe0a3f47be24a6453e9ef58c94641
  SHA1    6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize  281KB
  MD5     d98e33b66343e7c96158444127a117f6
  SHA1    bb716c5509a2bf345c6c1152f6e3e1452d39d50d
  SHA256  5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
  SHA512  705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize  2KB
  MD5     3d086a433708053f9bf9523e1d87a4e8
  SHA1    b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
  SHA256  6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
  SHA512  931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize  19KB
  MD5     0bd2d63332d45efc63b1db8408673df0
  SHA1    7547e77623a1423e4270f5145f09c55070c4a838
  SHA256  860edc51b6f20c1a1c9e070e55ebf87a3ab0c5313f69b7e7f340e85009ca8687
  SHA512  6cb91820939fef693af0a0a5af9dfb06b1488c2e3b1305a9b37451d4a5d13e00a14d9d782dca6a4af6224dc664f0bdad9cc05967e6d52f500aa1b8531a56ece1

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize  19KB
  MD5     858353806915d0c5c8cf6d9f3c96e61a
  SHA1    21aadd59bcf74b1f594d1fcc20d4dfbbc7c74103
  SHA256  bf9090b602e9424f2bbbc90db98c42c45395087cb60e924bef198a96385fd2b9
  SHA512  ef3f9ed42ccadd18b1a4f621a8b9d1b7e3291deb4a4c4e9ae56126cac200326c93cf34786ea8a167853920b8afa6b6af64cc973a95412686756faed024e7352b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize  19KB
  MD5     352577d324be8cc869ac391f1e1773d4
  SHA1    d80e3a7d3aa3345a46d8b7f934684bdcc94ab800
  SHA256  e1f9272ab4653f4809aae1b1a0b918982ac4072f2fa4ec5204f432b8b4ad7cb9
  SHA512  bd940b4e88dbdad6bc63790635ab0d111cb9beee1ab7dc6ce202241bb3fd7057e4d9add72c08e92ecc4fb93130c2de76337680b664a25af4f4d7c75973c9da2d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize  19KB
  MD5     ea390c866530259e7b435ee2e9e1b0f9
  SHA1    23e99192f7957004bd516f0f30b612915de57cd3
  SHA256  1b83330c324a8b50873be9bcf0ce37c5209723a23ebc33dccc221fb4d77825a8
  SHA512  a40b203f0573e631cc253df357d486d66711114b9df3a9301e02b27fbb44d806d7d91e1a7eb88775c28029256b4fa81e5862f6b6a419d86ca9511b1d7dd8ad83

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize  19KB
  MD5     caf35228cc350d96e97a49696c8e3546
  SHA1    be19e7fee7c75f12fe008056eb4c970fb61a9615
  SHA256  1b4020e6d9500d15d2e2cb82046c180f7bb42ed24d42a6378e21a7df7e2a0454
  SHA512  899d78512209f0908ae3ff199f9e6b1789b0cbee4e7e4c9347905c2769ecabb9ea501e481752194f86b88f3bde86d0efb0023056b682427e298debb11e0b7f02

Filesize  4.1MB  (same hashes as the submitted sample)
  MD5     1e10e303d8fa2fffe18a9a771aced539
  SHA1    20339790f812489b837adae6a3481d729543a11b
  SHA256  dab6d099876b7025dba8aaf1098f47e2cadedb47f5136167c9026cf06defa159
  SHA512  dd6a74c13e735fe43093cfb1a291f9b5057cf1619531c46b257370077434cd08e5e15dd4f0c1a2198851d0aa6d0dd2552dcc38c6a2bb075a8f17b829bb13cbd2

Filesize  2.0MB
  MD5     8e67f58837092385dcf01e8a2b4f5783
  SHA1    012c49cfd8c5d06795a6f67ea2baf2a082cf8625
  SHA256  166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
  SHA512  40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec