Analysis

max time kernel: 149s
max time network: 152s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 16-05-2024 09:45

Static task: static1
Behavioral task: behavioral1
Sample: 44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe
Resource: win10v2004-20240426-en

General

Target: 44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe
Size: 4.1MB
MD5: 0daf5e326061c070849efb41ec2479f6
SHA1: d047abb419a0b0751f5f9776581e2eccf2203c00
SHA256: 44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24
SHA512: bfb0213969194c4f87ea602d9a7cf9a84e49e72c735a52803cc447c5850ebd1ef5421535577fad7fa47277d32d93408f8979626a4d71a18b1df3844d56537521
SSDEEP: 98304:9H49zrfgobu9aDMWAg4dPDb/NQHvakIF/A8L3rqLZk5t2qZ3qL2LAZ5J:Ur7OagDbOPW/F2k5tRZaLrn
Malware Config
Signatures
Glupteba payload 19 IoCs
Modifies Windows Firewall 2 TTPs 1 IoCs
- PID 4472 netsh.exe
Executes dropped EXE 4 IoCs
- PID 3536 csrss.exe
- PID 4832 injector.exe
- PID 4768 windefender.exe
- PID 564 windefender.exe
Packed with UPX (yara rule: upx) 6 IoCs
- behavioral2/files/0x000700000002a8e2-211.dat
- behavioral2/memory/4768-212-0x0000000000400000-0x00000000008DF000-memory.dmp
- behavioral2/memory/564-215-0x0000000000400000-0x00000000008DF000-memory.dmp
- behavioral2/memory/4768-216-0x0000000000400000-0x00000000008DF000-memory.dmp
- behavioral2/memory/564-218-0x0000000000400000-0x00000000008DF000-memory.dmp
- behavioral2/memory/564-222-0x0000000000400000-0x00000000008DF000-memory.dmp
Adds Run key to start application 2 TTPs 2 IoCs
- Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" by 44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" by csrss.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
- File opened for modification \??\WinMonFS by csrss.exe
Drops file in System32 directory 7 IoCs
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive by powershell.exe
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive by powershell.exe
- File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive by powershell.exe
- File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log by powershell.exe
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive by powershell.exe
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive by powershell.exe
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive by powershell.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
- File opened (read-only) \??\VBoxMiniRdrDN by 44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe
Drops file in Windows directory 4 IoCs
- File opened for modification C:\Windows\rss by 44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe
- File created C:\Windows\rss\csrss.exe by 44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe
- File created C:\Windows\windefender.exe by csrss.exe
- File opened for modification C:\Windows\windefender.exe by csrss.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
- PID 1872 sc.exe
Command and Scripting Interpreter: PowerShell
- PID 1420 powershell.exe
- PID 4732 powershell.exe
- PID 1408 powershell.exe
- PID 3628 powershell.exe
- PID 1876 powershell.exe
- PID 664 powershell.exe
- PID 3564 powershell.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 1884 schtasks.exe
- PID 4332 schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 12 IoCs
- Token: SeDebugPrivilege, PID 664 powershell.exe
- Token: SeDebugPrivilege, PID 564 44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe
- Token: SeImpersonatePrivilege, PID 564 44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe
- Token: SeDebugPrivilege, PID 3564 powershell.exe
- Token: SeDebugPrivilege, PID 1420 powershell.exe
- Token: SeDebugPrivilege, PID 4732 powershell.exe
- Token: SeDebugPrivilege, PID 1408 powershell.exe
- Token: SeDebugPrivilege, PID 3628 powershell.exe
- Token: SeDebugPrivilege, PID 1876 powershell.exe
- Token: SeSystemEnvironmentPrivilege, PID 3536 csrss.exe
- Token: SeSecurityPrivilege, PID 1872 sc.exe
- Token: SeSecurityPrivilege, PID 1872 sc.exe
Suspicious use of WriteProcessMemory 36 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe"
    PID: 564
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        PID: 664
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24.exe"
        PID: 2352
        - Adds Run key to start application
        - Checks for VirtualBox DLLs, possible anti-VM trick
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -nologo -noprofile
            PID: 3564
            - Drops file in System32 directory
            - Command and Scripting Interpreter: PowerShell
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            PID: 2196
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\netsh.exe
                Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                PID: 4472
                - Modifies Windows Firewall

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -nologo -noprofile
            PID: 1420
            - Drops file in System32 directory
            - Command and Scripting Interpreter: PowerShell
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -nologo -noprofile
            PID: 4732
            - Drops file in System32 directory
            - Command and Scripting Interpreter: PowerShell
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\rss\csrss.exe
            Command line: C:\Windows\rss\csrss.exe
            PID: 3536
            - Executes dropped EXE
            - Adds Run key to start application
            - Manipulates WinMonFS driver.
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -nologo -noprofile
                PID: 1408
                - Drops file in System32 directory
                - Command and Scripting Interpreter: PowerShell
                - Modifies data under HKEY_USERS
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SYSTEM32\schtasks.exe
                Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                PID: 1884
                - Creates scheduled task(s)

            [4] C:\Windows\SYSTEM32\schtasks.exe
                Command line: schtasks /delete /tn ScheduledUpdate /f
                PID: 3376

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -nologo -noprofile
                PID: 3628
                - Drops file in System32 directory
                - Command and Scripting Interpreter: PowerShell
                - Modifies data under HKEY_USERS
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -nologo -noprofile
                PID: 1876
                - Drops file in System32 directory
                - Command and Scripting Interpreter: PowerShell
                - Modifies data under HKEY_USERS
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                PID: 4832
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses

            [4] C:\Windows\SYSTEM32\schtasks.exe
                Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                PID: 4332
                - Creates scheduled task(s)

            [4] C:\Windows\windefender.exe
                Command line: "C:\Windows\windefender.exe"
                PID: 4768
                - Executes dropped EXE
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\cmd.exe
                    Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                    PID: 240
                    - Suspicious use of WriteProcessMemory

                    [6] C:\Windows\SysWOW64\sc.exe
                        Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                        PID: 1872
                        - Launches sc.exe
                        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\windefender.exe
    Command line: C:\Windows\windefender.exe
    PID: 564
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Downloads

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- Filesize: 281KB
  MD5: d98e33b66343e7c96158444127a117f6
  SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
  SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
  SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: ac4917a885cf6050b1a483e4bc4d2ea5
  SHA1: b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
  SHA256: e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
  SHA512: 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: b5b12d5b724b2be7f855305e3367e7ed
  SHA1: 51a7b59a575b22c5885b4ba2015dcb945b84776b
  SHA256: 4349b6289d058b71b66285c7ed3f559a11bf2b4f60c95666a0ceb92b1c1eacbd
  SHA512: 4b4bd4e2f85ec9f68fd985482f253b929bc285ea99ae71c13d8f2e72eca5b4de3dbca5ddc0e50ea6ebfc67e6ab59210379438d59967f7ad2019712a8abc5ef2e

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 1fba23264d367a4d7aee2d79ef798134
  SHA1: f98290a24a27da2f76ff7763bc29c95bbeeadcd0
  SHA256: 25713c406b0c1fef9ead996c2b97f9d5a3cd6aadc7ae5bc03b09aaac3fd174bc
  SHA512: b468c9dafb9ef90b694fe2ffdb37afab6c38c21dba9c7dfe290a9e7566e708028eb252d5b210410dba4867025ed9dab59d50aa4ae8be4fcfbf6589778382c0bc

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: a3d29e05dc8de523820cc7345b94f29d
  SHA1: 39089fec0197caadb345b25716872ecaf07fd2b5
  SHA256: b4c2d0135e8fcf8ed14bb19717dae74f6f5ff5f3ace200e236d503d30a7943b9
  SHA512: 0ae57d650c2e31c250a1fceda54b415abc4b30a23bd339578a6cb9ab5f9895c7f1fbf905f0a0ef4311d07eb5ad4b0ad5ed4d13172a93b46dec04dc0cb4248a58

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 73874ed0024200ce5e109ec3b4b29bc4
  SHA1: 67b34a2e92801fdaf05a5f348cb87a635e30da89
  SHA256: 4ac7182749487372605e292569c94acb03f25ada95314105c1dff8502912536e
  SHA512: db6e43184bbdd284a8e5dd85e994cb6121635ffa8540b56ae99ab3acdbc5abf17fb44f76a9bbf26a704ed1918cafcd5e3091c4e7355c1f65d17d7156c419e2b1

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 749c1c4116eff054cb0cd4785dab9d04
  SHA1: c9f59b6903553bc930139e84d08946856e1dfb32
  SHA256: bd84399556324d6909874dcbf9059397afc87e10022df8b3db16abe175dfb128
  SHA512: ac1aaf9ed0d4fe07df6cf8ba51f110f34652a9f803d4b76875f163de6eba81e015e7b1c15b2a4769fdcb1e9deb982c9ea37a7fe57ab8fd655538a6880c57d2ba

- Filesize: 4.1MB
  MD5: 0daf5e326061c070849efb41ec2479f6
  SHA1: d047abb419a0b0751f5f9776581e2eccf2203c00
  SHA256: 44439a046d976e4118c81ec55701459b1da5e34d91f01de30cc993b61a6e2e24
  SHA512: bfb0213969194c4f87ea602d9a7cf9a84e49e72c735a52803cc447c5850ebd1ef5421535577fad7fa47277d32d93408f8979626a4d71a18b1df3844d56537521

- Filesize: 2.0MB
  MD5: 8e67f58837092385dcf01e8a2b4f5783
  SHA1: 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
  SHA256: 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
  SHA512: 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec