Analysis
- max time kernel: 149s
- max time network: 130s
- platform: windows11-21h2_x64
- resource: win11-20240508-en
- resource tags: arch:x64 arch:x86 image:win11-20240508-en locale:en-us os:windows11-21h2-x64 system
- submitted: 16-05-2024 04:24

Static task: static1
Behavioral task: behavioral1
Sample: 531922390b051ccefe8e7594c491ee301770ac2c3802dda2478b8ea0a5b1ac2f.exe
Resource: win10v2004-20240508-en
General
- Target: 531922390b051ccefe8e7594c491ee301770ac2c3802dda2478b8ea0a5b1ac2f.exe
- Size: 4.1MB
- MD5: ba49a793688f2bda96b759608bb621e6
- SHA1: 1ede6cf35f51391e0ada19ab1476194008b91fd3
- SHA256: 531922390b051ccefe8e7594c491ee301770ac2c3802dda2478b8ea0a5b1ac2f
- SHA512: 37dd616cad979b6388ff6a26857bf5e044c4f861a203972090cb9d3df8ee509848b01f4d018d43a2a896ff7ad47b5e31ca3ef4577f98edb9388a176469850455
- SSDEEP: 98304:J96GAmuNBigEkoqfZTwC6uGlBZNljS4jcv:JI9hoq9wC6uGlB/xgv
Malware Config
Signatures
-
Glupteba payload 17 IoCs
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process
4352 netsh.exe

Executes dropped EXE 4 IoCs
pid Process
1556 csrss.exe
1904 injector.exe
1488 windefender.exe
3836 windefender.exe
resource yara_rule
behavioral2/files/0x000100000002aa23-203.dat upx
behavioral2/memory/1488-204-0x0000000000400000-0x00000000008DF000-memory.dmp upx
behavioral2/memory/1488-208-0x0000000000400000-0x00000000008DF000-memory.dmp upx
behavioral2/memory/3836-214-0x0000000000400000-0x00000000008DF000-memory.dmp upx
behavioral2/memory/3836-221-0x0000000000400000-0x00000000008DF000-memory.dmp upx
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 531922390b051ccefe8e7594c491ee301770ac2c3802dda2478b8ea0a5b1ac2f.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
description ioc Process
File opened for modification \??\WinMonFS csrss.exe
Drops file in System32 directory 7 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process
File opened (read-only) \??\VBoxMiniRdrDN 531922390b051ccefe8e7594c491ee301770ac2c3802dda2478b8ea0a5b1ac2f.exe
Drops file in Windows directory 4 IoCs
description ioc Process
File created C:\Windows\windefender.exe csrss.exe
File opened for modification C:\Windows\windefender.exe csrss.exe
File opened for modification C:\Windows\rss 531922390b051ccefe8e7594c491ee301770ac2c3802dda2478b8ea0a5b1ac2f.exe
File created C:\Windows\rss\csrss.exe 531922390b051ccefe8e7594c491ee301770ac2c3802dda2478b8ea0a5b1ac2f.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process
3172 sc.exe
pid Process
3784 powershell.exe
1800 powershell.exe
3068 powershell.exe
4056 powershell.exe
4676 powershell.exe
3116 powershell.exe
4848 powershell.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
3532 schtasks.exe
4392 schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process
Token: SeDebugPrivilege 1800 powershell.exe
Token: SeDebugPrivilege 1408 531922390b051ccefe8e7594c491ee301770ac2c3802dda2478b8ea0a5b1ac2f.exe
Token: SeImpersonatePrivilege 1408 531922390b051ccefe8e7594c491ee301770ac2c3802dda2478b8ea0a5b1ac2f.exe
Token: SeDebugPrivilege 3068 powershell.exe
Token: SeDebugPrivilege 4056 powershell.exe
Token: SeDebugPrivilege 4676 powershell.exe
Token: SeDebugPrivilege 3116 powershell.exe
Token: SeDebugPrivilege 4848 powershell.exe
Token: SeDebugPrivilege 3784 powershell.exe
Token: SeSystemEnvironmentPrivilege 1556 csrss.exe
Token: SeSecurityPrivilege 3172 sc.exe
Token: SeSecurityPrivilege 3172 sc.exe
Suspicious use of WriteProcessMemory 36 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\531922390b051ccefe8e7594c491ee301770ac2c3802dda2478b8ea0a5b1ac2f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\531922390b051ccefe8e7594c491ee301770ac2c3802dda2478b8ea0a5b1ac2f.exe"
    PID: 1408
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        PID: 1800
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Local\Temp\531922390b051ccefe8e7594c491ee301770ac2c3802dda2478b8ea0a5b1ac2f.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\531922390b051ccefe8e7594c491ee301770ac2c3802dda2478b8ea0a5b1ac2f.exe"
        PID: 3428
        - Adds Run key to start application
        - Checks for VirtualBox DLLs, possible anti-VM trick
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -nologo -noprofile
            PID: 3068
            - Drops file in System32 directory
            - Command and Scripting Interpreter: PowerShell
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            PID: 5024
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\netsh.exe
                Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                PID: 4352
                - Modifies Windows Firewall

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -nologo -noprofile
            PID: 4056
            - Drops file in System32 directory
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -nologo -noprofile
            PID: 4676
            - Drops file in System32 directory
            - Command and Scripting Interpreter: PowerShell
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\rss\csrss.exe
            Command line: C:\Windows\rss\csrss.exe
            PID: 1556
            - Executes dropped EXE
            - Adds Run key to start application
            - Manipulates WinMonFS driver.
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -nologo -noprofile
                PID: 3116
                - Drops file in System32 directory
                - Command and Scripting Interpreter: PowerShell
                - Modifies data under HKEY_USERS
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SYSTEM32\schtasks.exe
                Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                PID: 3532
                - Creates scheduled task(s)

            [4] C:\Windows\SYSTEM32\schtasks.exe
                Command line: schtasks /delete /tn ScheduledUpdate /f
                PID: 4800

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -nologo -noprofile
                PID: 4848
                - Drops file in System32 directory
                - Command and Scripting Interpreter: PowerShell
                - Modifies data under HKEY_USERS
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -nologo -noprofile
                PID: 3784
                - Drops file in System32 directory
                - Command and Scripting Interpreter: PowerShell
                - Modifies data under HKEY_USERS
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                PID: 1904
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses

            [4] C:\Windows\SYSTEM32\schtasks.exe
                Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                PID: 4392
                - Creates scheduled task(s)

            [4] C:\Windows\windefender.exe
                Command line: "C:\Windows\windefender.exe"
                PID: 1488
                - Executes dropped EXE
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\cmd.exe
                    Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                    PID: 2256
                    - Suspicious use of WriteProcessMemory

                    [6] C:\Windows\SysWOW64\sc.exe
                        Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                        PID: 3172
                        - Launches sc.exe
                        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\windefender.exe
    Command line: C:\Windows\windefender.exe
    PID: 3836
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Downloads