glupteba | 9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf

Analysis

max time kernel
90s
max time network
307s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
16/05/2024, 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Size

4.1MB
MD5

92dba39b74afa673ceb91de30dab9451
SHA1

870c378e9ebb35c5118a5f0b2f2f80df47661301
SHA256

9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf
SHA512

7bc2381c8268d971c5573bf24d02631624d12603e8dd4037fe80c62bec7c3cd942937d89cded95d45aa9d39dc097a4498a35258c44f387a07b3060289840703c
SSDEEP

98304:cOx+yLAsWcX5ANOp80aGDbz4ZHRnWgYq13pS/Dvn0Yng1:ME1pj8JRnW2pojn0Yg1

Score

10^/10

glupteba dropper evasion execution loader persistence rootkit trojan

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 10 IoCs

resource	yara_rule
behavioral2/memory/2456-2-0x00000000049D0000-0x00000000052BB000-memory.dmp	family_glupteba
behavioral2/memory/2456-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2456-151-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/2456-301-0x00000000049D0000-0x00000000052BB000-memory.dmp	family_glupteba
behavioral2/memory/2456-302-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2456-300-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/2632-555-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/2632-1031-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/2716-1137-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/2716-1767-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe = "0"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4668	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
452	injector.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe = "0"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4732	powershell.exe
3832	powershell.exe
2248	powershell.exe
2396	powershell.exe
2896	powershell.exe
4496	powershell.exe
4332	powershell.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
840	schtasks.exe
2868	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
3832	powershell.exe
3832	powershell.exe
3832	powershell.exe
2456	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
2456	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
2248	powershell.exe
2248	powershell.exe
2248	powershell.exe
2396	powershell.exe
2396	powershell.exe
2396	powershell.exe
2896	powershell.exe
2896	powershell.exe
2896	powershell.exe
4496	powershell.exe
4496	powershell.exe
4496	powershell.exe
4332	powershell.exe
4332	powershell.exe
4332	powershell.exe
4732	powershell.exe
4732	powershell.exe
4732	powershell.exe
452	injector.exe
452	injector.exe
452	injector.exe
452	injector.exe
452	injector.exe
452	injector.exe
452	injector.exe
452	injector.exe
2716	csrss.exe
2716	csrss.exe
452	injector.exe
452	injector.exe
452	injector.exe
452	injector.exe
452	injector.exe
452	injector.exe
2716	csrss.exe
2716	csrss.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	2456	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Token: SeImpersonatePrivilege	2456	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeDebugPrivilege	4332	powershell.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeSystemEnvironmentPrivilege	2716	csrss.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 3832	2456	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe	74
PID 2456 wrote to memory of 3832	2456	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe	74
PID 2456 wrote to memory of 3832	2456	9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe	74
PID 2040 wrote to memory of 4668	2040	cmd.exe	83
PID 2040 wrote to memory of 4668	2040	cmd.exe	83
PID 2716 wrote to memory of 4496	2716	csrss.exe	89
PID 2716 wrote to memory of 4496	2716	csrss.exe	89
PID 2716 wrote to memory of 4496	2716	csrss.exe	89
PID 2716 wrote to memory of 4332	2716	csrss.exe	95
PID 2716 wrote to memory of 4332	2716	csrss.exe	95
PID 2716 wrote to memory of 4332	2716	csrss.exe	95
PID 2716 wrote to memory of 4732	2716	csrss.exe	98
PID 2716 wrote to memory of 4732	2716	csrss.exe	98
PID 2716 wrote to memory of 4732	2716	csrss.exe	98
PID 2716 wrote to memory of 452	2716	csrss.exe	100
PID 2716 wrote to memory of 452	2716	csrss.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
"C:\Users\Admin\AppData\Local\Temp\9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3832
- C:\Users\Admin\AppData\Local\Temp\9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe
  "C:\Users\Admin\AppData\Local\Temp\9bb675f3a0231a29675dca6dfb1c990afb61f722cbe99f4c2891f21209bf6ccf.exe"
  2⤵
  - Windows security bypass
  - Windows security modification
  - Adds Run key to start application
  - Modifies data under HKEY_USERS
  PID:2632
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2248
- - C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Modifies data under HKEY_USERS
      PID:4668
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2396
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2896
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Adds Run key to start application
    - Manipulates WinMonFS driver.
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4496
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:840
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:3760
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4332
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4732
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:452
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ad0lsmy3.3rb.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
28a1a6a1c0a7c528dee5d1107cb7c680

SHA1
b6b8d6c6dd245a23ae5135ad0b230f9aed930d70

SHA256
667e4a1b6b9ffe565b0e95d44eb765a07a5087a6f274f043a5310e66c9d9f764

SHA512
5875076ec4629f90908e32b17d67ba640fabee7f2c09a95fb74891989152745582c1bb2cc88ca0fcb39e32b8ee1af82cb4e4f94681862b803aa88eab35006fb2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
aa936892f5ef1ea2ff81a24ab261e2a0

SHA1
e8654f569ab2b9a1744b187f4d9e5948127c790b

SHA256
c10f94d43b41ece2389a53e6fa9f2563256d5ab299f724eb8bc99663a697187b

SHA512
b5923a85b825e5ed1a94d22af7a41307852d8407d41f1174d3bf026253e544adf174cad0927e6b46425bb1abb2b185f16c9ba8ffbb6702e68537027665c76eea

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
abc609592985a24fae6f0a7847f613a5

SHA1
22fc7f09b49afdf25d010734b21c45f5a144dd5e

SHA256
3b8695d83aee8bdbcb551784f8c00c665a8cd7095f367111a98d5af4b17955a7

SHA512
21cc6699c0ef48fa66d7501fe933423000a0efc1d3c0da056e315cac27e2072e3c2692be0c839c955fd61c6949d468b3589c5b9ea7143e9f98dcb7e0408d299b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
a092282009bb6b55ac7bf6c7975823ef

SHA1
2d8c2858399264fa02d271df24ce955d720143f2

SHA256
ee01fd6d648dc9410c9865bedcce9f645d9aacce2ebe754c2c5a255a20be22a9

SHA512
7e16592a0310aceb221a7540b5eb2cfdb8417c0d67569a8f70ce7dcc831365b7609ece90998168e847e179304e2745ac2660cb4ecac9e6b52e21590fdf83b040

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
90559bbe0a4b1c4d8270d28caeaf7899

SHA1
875ce4db4e457ba7bb5ff1a0eaf9450532873f69

SHA256
7f9628236dbc3a28d346cc1e8a712bb661dee55c09f68836160938ceb5123137

SHA512
5a36c800c35f29eeb94e2f26aeebf68776a6c2932f29277e8e85083ceec85e5ca11c1e01f98539c1880a3a5cb8ad31a2cc2017b3b09732084d26ff4ca046a713

Download Submit
memory/2248-333-0x00000000092F0000-0x0000000009395000-memory.dmp

Filesize
660KB

Download
memory/2248-328-0x000000006FCC0000-0x0000000070010000-memory.dmp

Filesize
3.3MB

Download
memory/2248-307-0x00000000079D0000-0x0000000007D20000-memory.dmp

Filesize
3.3MB

Download
memory/2248-308-0x0000000008130000-0x000000000817B000-memory.dmp

Filesize
300KB

Download
memory/2248-327-0x000000006FC70000-0x000000006FCBB000-memory.dmp

Filesize
300KB

Download
memory/2396-550-0x0000000007E50000-0x00000000081A0000-memory.dmp

Filesize
3.3MB

Download
memory/2396-575-0x000000006FCE0000-0x0000000070030000-memory.dmp

Filesize
3.3MB

Download
memory/2396-574-0x000000006FC70000-0x000000006FCBB000-memory.dmp

Filesize
300KB

Download
memory/2456-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2456-151-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/2456-300-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/2456-302-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2456-2-0x00000000049D0000-0x00000000052BB000-memory.dmp

Filesize
8.9MB

Download
memory/2456-301-0x00000000049D0000-0x00000000052BB000-memory.dmp

Filesize
8.9MB

Download
memory/2456-1-0x00000000045D0000-0x00000000049C9000-memory.dmp

Filesize
4.0MB

Download
memory/2632-555-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/2632-303-0x0000000002960000-0x0000000002A0E000-memory.dmp

Filesize
696KB

Download
memory/2632-1031-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/2716-1137-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/2716-1767-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/2896-813-0x000000006FC70000-0x000000006FCBB000-memory.dmp

Filesize
300KB

Download
memory/2896-814-0x000000006FCC0000-0x0000000070010000-memory.dmp

Filesize
3.3MB

Download
memory/3832-66-0x0000000008A30000-0x0000000008AA6000-memory.dmp

Filesize
472KB

Download
memory/3832-11-0x0000000006B60000-0x0000000006B82000-memory.dmp

Filesize
136KB

Download
memory/3832-281-0x0000000009A30000-0x0000000009A38000-memory.dmp

Filesize
32KB

Download
memory/3832-276-0x0000000009A50000-0x0000000009A6A000-memory.dmp

Filesize
104KB

Download
memory/3832-82-0x0000000009AF0000-0x0000000009B84000-memory.dmp

Filesize
592KB

Download
memory/3832-81-0x00000000098D0000-0x0000000009975000-memory.dmp

Filesize
660KB

Download
memory/3832-76-0x0000000009870000-0x000000000988E000-memory.dmp

Filesize
120KB

Download
memory/3832-75-0x000000006FBA0000-0x000000006FEF0000-memory.dmp

Filesize
3.3MB

Download
memory/3832-74-0x000000006FB50000-0x000000006FB9B000-memory.dmp

Filesize
300KB

Download
memory/3832-73-0x0000000009890000-0x00000000098C3000-memory.dmp

Filesize
204KB

Download
memory/3832-35-0x0000000008970000-0x00000000089AC000-memory.dmp

Filesize
240KB

Download
memory/3832-16-0x0000000007940000-0x000000000798B000-memory.dmp

Filesize
300KB

Download
memory/3832-15-0x0000000007590000-0x00000000075AC000-memory.dmp

Filesize
112KB

Download
memory/3832-14-0x00000000075F0000-0x0000000007940000-memory.dmp

Filesize
3.3MB

Download
memory/3832-13-0x0000000006E50000-0x0000000006EB6000-memory.dmp

Filesize
408KB

Download
memory/3832-12-0x0000000006DE0000-0x0000000006E46000-memory.dmp

Filesize
408KB

Download
memory/3832-5-0x0000000072E4E000-0x0000000072E4F000-memory.dmp

Filesize
4KB

Download
memory/3832-299-0x0000000072E40000-0x000000007352E000-memory.dmp

Filesize
6.9MB

Download
memory/3832-7-0x00000000041E0000-0x0000000004216000-memory.dmp

Filesize
216KB

Download
memory/3832-8-0x0000000072E40000-0x000000007352E000-memory.dmp

Filesize
6.9MB

Download
memory/3832-9-0x0000000006F40000-0x0000000007568000-memory.dmp

Filesize
6.2MB

Download
memory/3832-10-0x0000000072E40000-0x000000007352E000-memory.dmp

Filesize
6.9MB

Download
memory/4332-1309-0x0000000009470000-0x0000000009515000-memory.dmp

Filesize
660KB

Download
memory/4332-1283-0x0000000007A00000-0x0000000007D50000-memory.dmp

Filesize
3.3MB

Download
memory/4332-1284-0x00000000080D0000-0x000000000811B000-memory.dmp

Filesize
300KB

Download
memory/4332-1303-0x000000006FB20000-0x000000006FB6B000-memory.dmp

Filesize
300KB

Download
memory/4332-1304-0x000000006FB70000-0x000000006FEC0000-memory.dmp

Filesize
3.3MB

Download
memory/4496-1061-0x000000006FC20000-0x000000006FF70000-memory.dmp

Filesize
3.3MB

Download
memory/4496-1066-0x0000000008EB0000-0x0000000008F55000-memory.dmp

Filesize
660KB

Download
memory/4496-1060-0x000000006FBD0000-0x000000006FC1B000-memory.dmp

Filesize
300KB

Download
memory/4496-1041-0x0000000007C60000-0x0000000007CAB000-memory.dmp

Filesize
300KB

Download
memory/4496-1039-0x0000000007440000-0x0000000007790000-memory.dmp

Filesize
3.3MB

Download
memory/4732-1524-0x0000000007770000-0x0000000007AC0000-memory.dmp

Filesize
3.3MB

Download
memory/4732-1544-0x000000006FB20000-0x000000006FB6B000-memory.dmp

Filesize
300KB

Download
memory/4732-1545-0x000000006FB90000-0x000000006FEE0000-memory.dmp

Filesize
3.3MB

Download