Analysis
max time kernel: 149s
max time network: 142s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64 arch:x86 image:win11-20240508-en locale:en-us os:windows11-21h2-x64 system
submitted: 09/05/2024, 19:50

Static task: static1
Behavioral task: behavioral1
Sample: c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe
Resource: win10v2004-20240426-en

General
Target: c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe
Size: 4.1MB
MD5: 9ea24ef45f8d7e9fdd9a67b36648c801
SHA1: 262a55dfa36ef8cd40a0c5d05afc6eb8b84fc369
SHA256: c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61
SHA512: e155784075b1553bd6ec62fdb7be3e38d784cf60f236b8a3e449b0c637b8ee5efba59aa5d22a0532de8ea1d94dd6e216868a045aa0cde6baa0f53e217d575d83
SSDEEP: 98304:lwBco1salv4p8AdbboIKOJLJ1nO5Zld79mTpD:lwqoWyv4yANjKQa7oB
Malware Config
Signatures
Glupteba payload 18 IoCs
resource | yara_rule
behavioral2/memory/4792-2-0x0000000005020000-0x000000000590B000-memory.dmp | family_glupteba
behavioral2/memory/4792-3-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/4792-24-0x0000000000400000-0x0000000002ED5000-memory.dmp | family_glupteba
behavioral2/memory/4792-52-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/4792-53-0x0000000005020000-0x000000000590B000-memory.dmp | family_glupteba
behavioral2/memory/4792-50-0x0000000000400000-0x0000000002ED5000-memory.dmp | family_glupteba
behavioral2/memory/3764-64-0x0000000000400000-0x0000000002ED5000-memory.dmp | family_glupteba
behavioral2/memory/3764-126-0x0000000000400000-0x0000000002ED5000-memory.dmp | family_glupteba
behavioral2/memory/768-200-0x0000000000400000-0x0000000002ED5000-memory.dmp | family_glupteba
behavioral2/memory/768-212-0x0000000000400000-0x0000000002ED5000-memory.dmp | family_glupteba
behavioral2/memory/768-216-0x0000000000400000-0x0000000002ED5000-memory.dmp | family_glupteba
behavioral2/memory/768-218-0x0000000000400000-0x0000000002ED5000-memory.dmp | family_glupteba
behavioral2/memory/768-220-0x0000000000400000-0x0000000002ED5000-memory.dmp | family_glupteba
behavioral2/memory/768-222-0x0000000000400000-0x0000000002ED5000-memory.dmp | family_glupteba
behavioral2/memory/768-224-0x0000000000400000-0x0000000002ED5000-memory.dmp | family_glupteba
behavioral2/memory/768-226-0x0000000000400000-0x0000000002ED5000-memory.dmp | family_glupteba
behavioral2/memory/768-228-0x0000000000400000-0x0000000002ED5000-memory.dmp | family_glupteba
behavioral2/memory/768-230-0x0000000000400000-0x0000000002ED5000-memory.dmp | family_glupteba
Modifies Windows Firewall 2 TTPs 1 IoCs
pid | Process
4280 | netsh.exe

Executes dropped EXE 4 IoCs
pid | Process
768 | csrss.exe
2448 | injector.exe
4480 | windefender.exe
2168 | windefender.exe

UPX packed file (yara rule: upx) 6 IoCs
resource | yara_rule
behavioral2/files/0x000200000002aa3a-208.dat | upx
behavioral2/memory/4480-210-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
behavioral2/memory/2168-213-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
behavioral2/memory/4480-215-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
behavioral2/memory/2168-217-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
behavioral2/memory/2168-221-0x0000000000400000-0x00000000008DF000-memory.dmp | upx

Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | csrss.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
description | ioc | Process
File opened for modification | \??\WinMonFS | csrss.exe

Drops file in System32 directory 7 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM. The IoC recorded here is an open of the device name \??\VBoxMiniRdrDN (the VirtualBox shared-folders redirector, present only when the VirtualBox guest additions are installed), not a DLL on disk.
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe

Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\rss\csrss.exe | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe
File created | C:\Windows\windefender.exe | csrss.exe
File opened for modification | C:\Windows\windefender.exe | csrss.exe
File opened for modification | C:\Windows\rss | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
3292 | sc.exe
Command and Scripting Interpreter: PowerShell 7 IoCs
pid | Process
1828 | powershell.exe
4960 | powershell.exe
3976 | powershell.exe
3468 | powershell.exe
1932 | powershell.exe
3596 | powershell.exe
236 | powershell.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3052 | schtasks.exe
4132 | schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (consecutive duplicate rows collapsed; ×n is the number of occurrences, 64 in total)
3468 | powershell.exe (×2)
4792 | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe (×2)
1932 | powershell.exe (×2)
3764 | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe (×10)
3596 | powershell.exe (×2)
236 | powershell.exe (×2)
1828 | powershell.exe (×2)
4960 | powershell.exe (×2)
3976 | powershell.exe (×2)
2448 | injector.exe (×6)
768 | csrss.exe (×2)
2448 | injector.exe (×6)
768 | csrss.exe (×2)
2448 | injector.exe (×2)
768 | csrss.exe (×2)
2448 | injector.exe (×18)

Suspicious use of AdjustPrivilegeToken 12 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3468 | powershell.exe
Token: SeDebugPrivilege | 4792 | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe
Token: SeImpersonatePrivilege | 4792 | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe
Token: SeDebugPrivilege | 1932 | powershell.exe
Token: SeDebugPrivilege | 3596 | powershell.exe
Token: SeDebugPrivilege | 236 | powershell.exe
Token: SeDebugPrivilege | 1828 | powershell.exe
Token: SeDebugPrivilege | 4960 | powershell.exe
Token: SeDebugPrivilege | 3976 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 768 | csrss.exe
Token: SeSecurityPrivilege | 3292 | sc.exe
Token: SeSecurityPrivilege | 3292 | sc.exe

Suspicious use of WriteProcessMemory 36 IoCs
description | pid | Process | procid_target (consecutive duplicate rows collapsed; ×n is the number of occurrences, 36 in total)
PID 4792 wrote to memory of 3468 | 4792 | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe | 81 (×3)
PID 3764 wrote to memory of 1932 | 3764 | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe | 86 (×3)
PID 3764 wrote to memory of 3808 | 3764 | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe | 88 (×2)
PID 3808 wrote to memory of 4280 | 3808 | cmd.exe | 90 (×2)
PID 3764 wrote to memory of 3596 | 3764 | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe | 91 (×3)
PID 3764 wrote to memory of 236 | 3764 | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe | 93 (×3)
PID 3764 wrote to memory of 768 | 3764 | c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe | 95 (×3)
PID 768 wrote to memory of 1828 | 768 | csrss.exe | 96 (×3)
PID 768 wrote to memory of 4960 | 768 | csrss.exe | 102 (×3)
PID 768 wrote to memory of 3976 | 768 | csrss.exe | 104 (×3)
PID 768 wrote to memory of 2448 | 768 | csrss.exe | 106 (×2)
PID 4480 wrote to memory of 1284 | 4480 | windefender.exe | 112 (×3)
PID 1284 wrote to memory of 3292 | 1284 | cmd.exe | 113 (×3)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
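The most consequential single command in the process tree is `sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)`, which rewrites the security descriptor of the dropped "WinDefender" service (a name chosen to resemble Microsoft Defender's WinDefend service). Reading the SDDL by eye is error-prone, so the following added example (not code from the report or from the sample) parses it into ACEs, computes what BUILTIN\Administrators can still do to the service, and diffs it against the descriptor Windows assigns to a newly created service. The baseline descriptor `DEFAULT_SERVICE_SDDL` is an assumption about the analysed image, not something the report records; the effective-rights calculation deliberately ignores group membership and ACE ordering.

```python
import re
from dataclasses import dataclass

# SDDL access-right abbreviations as interpreted for service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG", "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS", "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Well-known SID abbreviations that appear in the descriptor.
TRUSTEES = {"SY": "LocalSystem", "BA": "BUILTIN\\Administrators", "IU": "Interactive users",
            "SU": "Service logon users", "WD": "Everyone"}

# Descriptor the sample applies with `sc sdset WinDefender ...` (copied from the process tree).
GLUPTEBA_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Baseline for the diff: the DACL Windows gives a freshly created service. Assumption: this is the
# stock descriptor on the analysed image; it is not taken from the report.
DEFAULT_SERVICE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")


@dataclass(frozen=True)
class Ace:
    kind: str          # "A" allow, "D" deny, "AU" audit
    flags: str
    rights: frozenset  # two-letter right abbreviations
    trustee: str


ACE_RE = re.compile(r"\((\w+);(\w*);(\w*);(\w*);(\w*);([\w-]+)\)")


def parse_sddl(sddl):
    """Split an SDDL string into its DACL ("D:") and SACL ("S:") ACE lists.
    Only two-letter right abbreviations are handled, not hexadecimal access masks."""
    parts = {"D": [], "S": []}
    for section, body in re.findall(r"([DS]):((?:\([^)]*\))*)", sddl):
        for kind, flags, rights, _, _, trustee in ACE_RE.findall(body):
            abbrs = frozenset(rights[i:i + 2] for i in range(0, len(rights), 2))
            parts[section].append(Ace(kind, flags, abbrs, trustee))
    return parts


def effective_rights(parts, trustee):
    """Rights granted by the trustee's own allow ACEs minus its own deny ACEs.
    Simplification (assumption): group membership and ACE ordering are not modelled."""
    allowed, denied = set(), set()
    for ace in parts["D"]:
        if ace.trustee == trustee and ace.kind == "A":
            allowed |= ace.rights
        elif ace.trustee == trustee and ace.kind == "D":
            denied |= ace.rights
    return allowed - denied


def rights_removed(baseline_sddl, new_sddl, trustee):
    """Rights the trustee had under the baseline descriptor but loses under the new one."""
    before = effective_rights(parse_sddl(baseline_sddl), trustee)
    after = effective_rights(parse_sddl(new_sddl), trustee)
    return before - after


def assess(sddl):
    """What a responder needs to know before trying to stop or remove the service."""
    parts = parse_sddl(sddl)
    admins = effective_rights(parts, "BA")
    denies = [(TRUSTEES.get(a.trustee, a.trustee), sorted(SERVICE_RIGHTS.get(r, r) for r in a.rights))
              for a in parts["D"] if a.kind == "D"]
    return {
        "admins_can_stop": "WP" in admins,
        "admins_can_pause": "DT" in admins,
        "admins_can_delete": "SD" in admins,
        "admins_can_reset_dacl": "WD" in admins,
        "system_can_stop": "WP" in effective_rights(parts, "SY"),
        "explicit_denies": denies,
        "failed_access_audited": any(a.kind == "AU" for a in parts["S"]),
    }


if __name__ == "__main__":
    for key, value in assess(GLUPTEBA_SDDL).items():
        print(f"{key}: {value}")
    removed = rights_removed(DEFAULT_SERVICE_SDDL, GLUPTEBA_SDDL, "BA")
    print("removed from Administrators vs. default:", sorted(SERVICE_RIGHTS[r] for r in removed))
```

The diff shows that the only rights taken from Administrators are SERVICE_STOP and SERVICE_PAUSE_CONTINUE, once by omission from the allow ACE and again by an explicit deny ACE, so `sc stop` and `net stop` from an elevated prompt fail with access denied while LocalSystem can still stop it. Administrators keep WRITE_DAC and DELETE, so the practical remediation is to restore the descriptor with another `sc sdset` (or `sc delete` the service) before stopping it. The trailing `S:(AU;FA;...;WD)` part adds a SACL audit ACE; writing a SACL needs SeSecurityPrivilege, which matches the `SeSecurityPrivilege | 3292 | sc.exe` entries under "Suspicious use of AdjustPrivilegeToken".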
Processes
C:\Users\Admin\AppData\Local\Temp\c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe (level 1)
command line: "C:\Users\Admin\AppData\Local\Temp\c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe"
PID: 4792
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
  command line: powershell -nologo -noprofile
  PID: 3468
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe (level 2)
  command line: "C:\Users\Admin\AppData\Local\Temp\c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61.exe"
  PID: 3764
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3)
    command line: powershell -nologo -noprofile
    PID: 1932
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe (level 3)
    command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    PID: 3808
    - Suspicious use of WriteProcessMemory

      C:\Windows\system32\netsh.exe (level 4)
      command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      PID: 4280
      - Modifies Windows Firewall

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3)
    command line: powershell -nologo -noprofile
    PID: 3596
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3)
    command line: powershell -nologo -noprofile
    PID: 236
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\rss\csrss.exe (level 3)
    command line: C:\Windows\rss\csrss.exe
    PID: 768
    - Executes dropped EXE
    - Adds Run key to start application
    - Manipulates WinMonFS driver.
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 4)
      command line: powershell -nologo -noprofile
      PID: 1828
      - Drops file in System32 directory
      - Command and Scripting Interpreter: PowerShell
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SYSTEM32\schtasks.exe (level 4)
      command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      PID: 3052
      - Creates scheduled task(s)

      C:\Windows\SYSTEM32\schtasks.exe (level 4)
      command line: schtasks /delete /tn ScheduledUpdate /f
      PID: 964

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 4)
      command line: powershell -nologo -noprofile
      PID: 4960
      - Drops file in System32 directory
      - Command and Scripting Interpreter: PowerShell
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 4)
      command line: powershell -nologo -noprofile
      PID: 3976
      - Drops file in System32 directory
      - Command and Scripting Interpreter: PowerShell
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (level 4)
      command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      PID: 2448
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

      C:\Windows\SYSTEM32\schtasks.exe (level 4)
      command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      PID: 4132
      - Creates scheduled task(s)

      C:\Windows\windefender.exe (level 4)
      command line: "C:\Windows\windefender.exe"
      PID: 4480
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (level 5)
        command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        PID: 1284
        - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\sc.exe (level 6)
          command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
          PID: 3292
          - Launches sc.exe
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\windefender.exe (level 1)
command line: C:\Windows\windefender.exe
PID: 2168
- Executes dropped EXE
- Modifies data under HKEY_USERS
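Almost every persistence and defence-evasion step in this tree is visible in a command line: a binary named csrss.exe launched from C:\Windows\rss rather than System32, an inbound firewall allow rule for that binary, an ONLOGON scheduled task with /RL HIGHEST pointing at it, a userland hook DLL injected into taskmgr.exe to hide the process, and the `sc sdset` that denies Administrators the right to stop the service. The following added example (not code from the report or from the sample) encodes those observations as process-creation rules and runs them over the tree's own command lines plus two constructed benign rows (the real csrss.exe, and an admin adding a firewall rule for a program under Program Files) to show that the rules stay quiet on them. The trusted-directory list and the set of system process names are assumptions a deployment would tune.

```python
import re
from pathlib import PureWindowsPath

# (pid, image path, command line). The first six rows are copied from the process tree above; the
# last two are constructed benign controls and do not come from the report.
PROCESSES = [
    (4280, r"C:\Windows\system32\netsh.exe",
     r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'),
    (768, r"C:\Windows\rss\csrss.exe", r"C:\Windows\rss\csrss.exe"),
    (3052, r"C:\Windows\SYSTEM32\schtasks.exe",
     r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    (2448, r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe",
     r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe "
     r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"),
    (3292, r"C:\Windows\SysWOW64\sc.exe",
     "sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
     "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"),
    (4480, r"C:\Windows\windefender.exe", r'"C:\Windows\windefender.exe"'),
    (9001, r"C:\Windows\System32\csrss.exe", r"C:\Windows\System32\csrss.exe"),  # constructed, benign
    (9002, r"C:\Windows\system32\netsh.exe",                                     # constructed, benign
     r'netsh advfirewall firewall add rule name="Contoso Agent" dir=in action=allow program="C:\Program Files\Contoso\agent.exe" enable=yes'),
]

# Assumptions: names that only legitimately run from System32, and directories a packaged program
# is expected to live in. A real deployment would tune both lists.
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe", "wininit.exe", "winlogon.exe"}
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files", r"c:\program files (x86)")

FIREWALL_RE = re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b(?=.*\bdir=in\b)(?=.*\baction=allow\b).*?\bprogram=("[^"]+"|\S+)', re.I)
SCHTASKS_RE = re.compile(r'\bschtasks(?:\.exe)?\s+/create\b(?=.*\s/rl\s+highest\b).*\s/tr\s+("[^"]+"|\S+)', re.I)
SDSET_RE = re.compile(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)", re.I)
HOOK_RE = re.compile(r"(\S+\.exe)\s+(\S+hook\S*\.dll)", re.I)


def in_trusted_dir(path):
    p = path.strip('"').lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


def system_process_masquerade(pid, image, cmdline):
    p = PureWindowsPath(image)
    if p.name.lower() in SYSTEM_PROCESS_NAMES and not in_trusted_dir(image):
        return f"{p.name} running from {p.parent}"


def firewall_allow_untrusted_binary(pid, image, cmdline):
    m = FIREWALL_RE.search(cmdline)
    if m and not in_trusted_dir(m.group(1)):
        return f"inbound allow rule for {m.group(1)}"


def highest_privilege_logon_task(pid, image, cmdline):
    m = SCHTASKS_RE.search(cmdline)
    if m and not in_trusted_dir(m.group(1)):
        return f"/RL HIGHEST task runs {m.group(1)}"


def service_stop_denied_to_admins(pid, image, cmdline):
    m = SDSET_RE.search(cmdline)
    if not m:
        return None
    service, sddl = m.groups()
    # Any deny ACE whose rights include SERVICE_STOP (WP) or DELETE (SD) is hostile to remediation.
    for rights in re.findall(r"\(D;[^;]*;([^;]*);", sddl):
        withheld = {rights[i:i + 2] for i in range(0, len(rights), 2)} & {"WP", "SD"}
        if withheld:
            return f"{service}: deny ACE withholds {sorted(withheld)}"
    return None


def userland_hook_injection(pid, image, cmdline):
    m = HOOK_RE.search(cmdline)
    if m:
        return f"injects {PureWindowsPath(m.group(2)).name} into {m.group(1)}"


RULES = {fn.__name__: fn for fn in (system_process_masquerade, firewall_allow_untrusted_binary,
                                     highest_privilege_logon_task, service_stop_denied_to_admins,
                                     userland_hook_injection)}


def triage(processes):
    """Return (pid, rule name, evidence) for every rule that fires on every process record."""
    findings = []
    for pid, image, cmdline in processes:
        for name, rule in RULES.items():
            hit = rule(pid, image, cmdline)
            if hit:
                findings.append((pid, name, hit))
    return findings


if __name__ == "__main__":
    for pid, name, evidence in triage(PROCESSES):
        print(f"pid {pid}: {name}: {evidence}")
```

Only the five Glupteba rows fire; windefender.exe itself produces nothing, because nothing about its own command line is anomalous, which is why the sdset, scheduled-task and firewall rules are worth having alongside file-path checks. The masquerade rule keys on the image path rather than the command line, since the dropped csrss.exe is started with a bare path and a name-only check would match the genuine C:\Windows\System32\csrss.exe.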
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 281KB
MD5: d98e33b66343e7c96158444127a117f6
SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: d0c46cad6c0778401e21910bd6b56b70
SHA1: 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256: 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512: 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: cabc80e651c8f88917cdcada1f0cd29d
SHA1: 0fae92d1cd622a23bb3f5f2c5ea861acdbe03a6f
SHA256: de289884f877f5c50676d6c38f9ceb0084136c5ce85affc2862559a5391dc1ef
SHA512: 0652a21e603697f1df622b8c41ef15ad5b323c28ea4a2b27e68ea871b7d61dcf7be89fd7010dba638003d64e53bb7b193b70bb69943b24a054ecb110a2bfa7b3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 92e76221ddb58d61ea4273733faa2266
SHA1: 48b3e8b4e5e696f7b48bd5d76739c03ebeb8e4e3
SHA256: e375a1d763078d553851601e45d8bda57bb8bc330c69db0ecffb36eb110044f2
SHA512: 6087ce0fbc435577d8708b5b19f10bf3a0063fff43256329b9df814d6986ff9c691a71c0303a921cb5dd033c262268b44f44adc93ce497f33efd0e72c44d22bb

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 38dbbea96a1a0456d6c2bcc10d561abf
SHA1: eee17d7c76b5f520e38ee1520a150f3fe7a3dfd9
SHA256: fe17cd6fabeb94f9105974dda67d1d13694108614a8fb6e0de192578a6b136e2
SHA512: cd508a247a2df02d54d6d33e0a87f5d1ea147791c944c221b0943adf752e5f9049d6a15081aa18359eaff25ed996c31f7a8e4f93bb512951beff755ffb978eec

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 262def0fceb4d235c1cc0a344f16fa5d
SHA1: f01a895f6a7f2c6d1d9b0da1d3650cbbd859a669
SHA256: bd8274f133f9d51e9f2e82a3d934dad523272abb9c4d59ddf1cb6be842e69cb5
SHA512: 35cde136c824b9808b0edcc515cbc784bff6db3ae3ac673a462f58ba230d07bb8f517b995f9e533ffcfd09a736941e3c528958ee92ebbb8e2f6c32175dbc6b3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: ea408bae09af19db8ce9f31ed8978581
SHA1: e743edb5b32a9466eaec659dbec8689333c4b30d
SHA256: d9c4a45aba3d27889a2010ca8dce8fde860844939a5a695d4d6bd46fb27cd89a
SHA512: 5330aa155c5c307cf5257bcb80d92ace83ea8fddcc2f9d64f71596c3c777dbac6a7d1f6e3f0b479c6c5d7fa11ba0272968e888d375a5a9bec71f75cf40b5f334

Filesize: 4.1MB
MD5: 9ea24ef45f8d7e9fdd9a67b36648c801
SHA1: 262a55dfa36ef8cd40a0c5d05afc6eb8b84fc369
SHA256: c84536566bd6a86e810f22e48e6079a76e2bac8c3468bad0c5618bd57789ac61
SHA512: e155784075b1553bd6ec62fdb7be3e38d784cf60f236b8a3e449b0c637b8ee5efba59aa5d22a0532de8ea1d94dd6e216868a045aa0cde6baa0f53e217d575d83

Filesize: 2.0MB
MD5: 8e67f58837092385dcf01e8a2b4f5783
SHA1: 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256: 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512: 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec