Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-05-2024 09:46
Static task: static1
Behavioral task: behavioral1
Sample: 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Resource: win10v2004-20240426-en
General
Target: 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Size: 4.1MB
MD5: 4c58c133e68b68616ce107d2c6aae47e
SHA1: 945d2c7ac7af222137d386b74635c9441a54d303
SHA256: 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee
SHA512: 15fb6e2d86f181f49b90e293ed89ca225faf63ab1bb322b719b920a1e1df38ccc93f0e5c014be9920c5b0b9df4439df26627a298c1ea3e3288a5587f8eedaa45
SSDEEP: 98304:tH49zrfgobu9aDMWAg4dPDb/NQHvakIF/A8L3rqLZk5t2qZ3qL2LAZ53:kr7OagDbOPW/F2k5tRZaLrN
Malware Config
Signatures
-
Glupteba payload 19 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1572-2-0x0000000002D30000-0x000000000361B000-memory.dmp | family_glupteba
behavioral1/memory/1572-3-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/1572-55-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/1572-56-0x0000000002D30000-0x000000000361B000-memory.dmp | family_glupteba
behavioral1/memory/2064-58-0x00000000029E0000-0x0000000002DE6000-memory.dmp | family_glupteba
behavioral1/memory/2064-136-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/3076-221-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/3076-230-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/3076-231-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/3076-233-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/3076-236-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/3076-238-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/3076-239-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/3076-241-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/3076-244-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/3076-246-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/3076-247-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/3076-249-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/3076-252-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
pid | Process
1276 | netsh.exe
Executes dropped EXE 4 IoCs
Processes:
pid | Process
3076 | csrss.exe
1872 | injector.exe
1604 | windefender.exe
4688 | windefender.exe
Processes:
resource | yara_rule
behavioral1/files/0x000900000002340d-224.dat | upx
behavioral1/memory/1604-225-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
behavioral1/memory/4688-228-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
behavioral1/memory/1604-229-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
behavioral1/memory/4688-232-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
behavioral1/memory/4688-235-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
behavioral1/memory/4688-242-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | csrss.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
Processes:
description | ioc | Process
File opened for modification | \??\WinMonFS | csrss.exe
Drops file in System32 directory 7 IoCs
Processes:
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Drops file in Windows directory 4 IoCs
Processes:
description | ioc | Process
File opened for modification | C:\Windows\windefender.exe | csrss.exe
File opened for modification | C:\Windows\rss | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
File created | C:\Windows\rss\csrss.exe | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
File created | C:\Windows\windefender.exe | csrss.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | Process
2396 | sc.exe
Processes:
pid | Process
2300 | powershell.exe
2572 | powershell.exe
1280 | powershell.exe
2452 | powershell.exe
2224 | powershell.exe
4732 | powershell.exe
3584 | powershell.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | Process
2516 | schtasks.exe
4784 | schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | Process | events
2300 | powershell.exe | 2
1572 | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe | 2
2572 | powershell.exe | 3
2064 | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe | 10
1280 | powershell.exe | 2
2452 | powershell.exe | 2
2224 | powershell.exe | 2
4732 | powershell.exe | 2
3584 | powershell.exe | 2
1872 | injector.exe | 6
3076 | csrss.exe | 2
1872 | injector.exe | 6
3076 | csrss.exe | 2
1872 | injector.exe | 4
3076 | csrss.exe | 2
1872 | injector.exe | 15
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
description | pid | Process
Token: SeDebugPrivilege | 2300 | powershell.exe
Token: SeDebugPrivilege | 1572 | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Token: SeImpersonatePrivilege | 1572 | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
Token: SeDebugPrivilege | 2572 | powershell.exe
Token: SeDebugPrivilege | 1280 | powershell.exe
Token: SeDebugPrivilege | 2452 | powershell.exe
Token: SeDebugPrivilege | 2224 | powershell.exe
Token: SeDebugPrivilege | 4732 | powershell.exe
Token: SeDebugPrivilege | 3584 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 3076 | csrss.exe
Token: SeSecurityPrivilege | 2396 | sc.exe
Token: SeSecurityPrivilege | 2396 | sc.exe
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
description | pid | Process | procid_target | events
PID 1572 wrote to memory of 2300 | 1572 | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe | 88 | 3
PID 2064 wrote to memory of 2572 | 2064 | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe | 97 | 3
PID 2064 wrote to memory of 4572 | 2064 | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe | 102 | 2
PID 4572 wrote to memory of 1276 | 4572 | cmd.exe | 104 | 2
PID 2064 wrote to memory of 1280 | 2064 | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe | 105 | 3
PID 2064 wrote to memory of 2452 | 2064 | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe | 107 | 3
PID 2064 wrote to memory of 3076 | 2064 | 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe | 109 | 3
PID 3076 wrote to memory of 2224 | 3076 | csrss.exe | 110 | 3
PID 3076 wrote to memory of 4732 | 3076 | csrss.exe | 115 | 3
PID 3076 wrote to memory of 3584 | 3076 | csrss.exe | 118 | 3
PID 3076 wrote to memory of 1872 | 3076 | csrss.exe | 120 | 2
PID 1604 wrote to memory of 4520 | 1604 | windefender.exe | 127 | 3
PID 4520 wrote to memory of 2396 | 4520 | cmd.exe | 128 | 3
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1572
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -nologo -noprofile
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2300
  C:\Users\Admin\AppData\Local\Temp\6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee.exe"
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2064
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -nologo -noprofile
      - Drops file in System32 directory
      - Command and Scripting Interpreter: PowerShell
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2572
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      - Suspicious use of WriteProcessMemory
      PID: 4572
      C:\Windows\system32\netsh.exe
        Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        - Modifies Windows Firewall
        PID: 1276
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -nologo -noprofile
      - Drops file in System32 directory
      - Command and Scripting Interpreter: PowerShell
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1280
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -nologo -noprofile
      - Drops file in System32 directory
      - Command and Scripting Interpreter: PowerShell
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2452
    C:\Windows\rss\csrss.exe
      Command line: C:\Windows\rss\csrss.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Manipulates WinMonFS driver.
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 3076
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2224
      C:\Windows\SYSTEM32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        - Creates scheduled task(s)
        PID: 4784
      C:\Windows\SYSTEM32\schtasks.exe
        Command line: schtasks /delete /tn ScheduledUpdate /f
        PID: 2176
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4732
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3584
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        PID: 1872
      C:\Windows\SYSTEM32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        - Creates scheduled task(s)
        PID: 2516
      C:\Windows\windefender.exe
        Command line: "C:\Windows\windefender.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 1604
        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
          - Suspicious use of WriteProcessMemory
          PID: 4520
          C:\Windows\SysWOW64\sc.exe
            Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            - Launches sc.exe
            - Suspicious use of AdjustPrivilegeToken
            PID: 2396
C:\Windows\windefender.exe
  Command line: C:\Windows\windefender.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 4688
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
Downloads
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 281KB
MD5: d98e33b66343e7c96158444127a117f6
SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: 968cb9309758126772781b83adb8a28f
SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: bc3cdaaca40b99325325441365e2f6f6
SHA1: b010debabb84dec65ab4f04b6a75b7d8f995ae35
SHA256: 303c2cee62d6b9e5dc870dbfc431716c2a7a1e153e8ee08448ce4ae209d839f4
SHA512: 35ea723b8572fa49876cccf87d3a401f2a1cefbafed851b5d468ec566c73e0943176d6ff86932dec8c5ac8033a1c7a3146c87e12a2716df8e1a565817b9592c6
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 97679eb3e8fccc3868d8fc949003bd84
SHA1: b38787cf88e9b5582e59c041546046ac42e87a21
SHA256: 55b23d843f8fda3d65dbc9e66509d9d1981cd40c352350baa30fd14ea343c200
SHA512: 6130a4f699cb5fb3ee04be9cc9490d2680a4b8c9da171984bfc20fbc6e60e11ec3b24c3979f1758ac1f6ad5361050f4b5a6e145b63ff82bc8a472fcf9f168780
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: fa5fcc54c52bee2c761e868cf08e4878
SHA1: 1201a3533d288ad710429b75505289d614ff8c94
SHA256: ea998ecaa2e833ec216344fb9315ea0c11831f11c7c242a0016e597cdec639fe
SHA512: 2dc1d49929e2e9e42ff8d9590c59ded56169de99d23f337ca8a142bcce8ece0876448e9fedd3e0555d88cd7ba9a4989f5d3dc6e21940e667d385a46eb5dd59c0
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 1fc98938cd815e451b42c4b05702d8ee
SHA1: a403f8063ce1b4197a486b4249bfbb4b5f3ec7f2
SHA256: 0754df80290ee4bba8d7cf1bc57808cf6a5fb5994982d37010f4f676c3fa0ecc
SHA512: 45fee797eb9d95f6a3284a4e7fd27c3e4e010ca05e76ec2db33153ef1440ef77fe9448b3b4eef8d4dbad6853a196fc9ef5bf1ee1d8b51210b6d1af4ad822d5ee
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 2dd398041bbb8507eb27f252094f25ca
SHA1: 5c4228f24712430e95625a87411ef8c8efebb223
SHA256: ad9ed6ca3100cc6dde23702fe3c0dda96ad6050008ff1dd90cc0334beff5cc02
SHA512: eccb3a519347126426059792e207b21d664ac156212b60eeb7e47c9ca93175eb01f5661596400f629f5bbf24ed3195de8f7dfc36dff28af04c9bf49ab1e2d8eb
-
Filesize: 4.1MB
MD5: 4c58c133e68b68616ce107d2c6aae47e
SHA1: 945d2c7ac7af222137d386b74635c9441a54d303
SHA256: 6acc81e88b5a05507a690f3bf7b36b10d6b841b0269e33f66eff4d321a2fb2ee
SHA512: 15fb6e2d86f181f49b90e293ed89ca225faf63ab1bb322b719b920a1e1df38ccc93f0e5c014be9920c5b0b9df4439df26627a298c1ea3e3288a5587f8eedaa45
-
Filesize: 2.0MB
MD5: 8e67f58837092385dcf01e8a2b4f5783
SHA1: 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256: 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512: 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec