Analysis

max time kernel: 149s
max time network: 155s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 16-05-2024 09:48

Static task: static1
Behavioral task: behavioral1
Sample: ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Resource: win10v2004-20240508-en
General

Target: ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Size: 4.1MB
MD5: a3c419f3f21ea2b1f953b6afffa93ab3
SHA1: fc3d57e90e505d0ea5a1194bc0d244eac6924505
SHA256: ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef
SHA512: ad6f26ce3277538232654956ebe8a07148ff4e817719c123245d107abeb94833cdd21e30602decd70bf6c8806a0a4cb8b6158ff681363dd1e9682b6a026036ac
SSDEEP: 98304:NH49zrfgobu9aDMWAg4dPDb/NQHvakIF/A8L3rqLZk5t2qZ3qL2LAZ5q:Er7OagDbOPW/F2k5tRZaLrk
Malware Config
Signatures
Glupteba payload (18 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/2728-2-0x0000000002E90000-0x000000000377B000-memory.dmp | family_glupteba
behavioral2/memory/2728-3-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/2728-98-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/2728-100-0x0000000002E90000-0x000000000377B000-memory.dmp | family_glupteba
behavioral2/memory/4456-127-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/476-195-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/476-203-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/476-205-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/476-207-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/476-209-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/476-211-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/476-213-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/476-215-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/476-217-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/476-219-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/476-221-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/476-223-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/476-225-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes:
pid | Process
4340 | netsh.exe
Executes dropped EXE (2 IoCs)
Processes:
pid | Process
476 | csrss.exe
1932 | injector.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | csrss.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
Manipulates WinMonFS driver (1 IoC)
Rootkits write to WinMonFS to hide directories/files from being detected.
Processes:
description | ioc | Process
File opened for modification | \??\WinMonFS | csrss.exe
Drops file in System32 directory (7 IoCs)
Processes:
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
Checks for VirtualBox DLLs, possible anti-VM trick (1 TTP, 1 IoC)
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Drops file in Windows directory (2 IoCs)
Processes:
description | ioc | Process
File created | C:\Windows\rss\csrss.exe | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
File opened for modification | C:\Windows\rss | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Command and Scripting Interpreter: PowerShell (7 IoCs)
Processes:
pid | Process
4084 | powershell.exe
1572 | powershell.exe
2104 | powershell.exe
4212 | powershell.exe
3348 | powershell.exe
1064 | powershell.exe
1740 | powershell.exe
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | Process
3808 | schtasks.exe
1708 | schtasks.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | csrss.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | csrss.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (one row per run of consecutive events, in the order recorded):
pid | Process | consecutive events
4084 | powershell.exe | 2
2728 | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe | 2
1572 | powershell.exe | 2
4456 | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe | 10
2104 | powershell.exe | 2
4212 | powershell.exe | 2
3348 | powershell.exe | 2
1064 | powershell.exe | 2
1740 | powershell.exe | 2
1932 | injector.exe | 6
476 | csrss.exe | 2
1932 | injector.exe | 6
476 | csrss.exe | 2
1932 | injector.exe | 22
Suspicious use of AdjustPrivilegeToken (10 IoCs)
Processes:
description | pid | Process
Token: SeDebugPrivilege | 4084 | powershell.exe
Token: SeDebugPrivilege | 2728 | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Token: SeImpersonatePrivilege | 2728 | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Token: SeDebugPrivilege | 1572 | powershell.exe
Token: SeDebugPrivilege | 2104 | powershell.exe
Token: SeDebugPrivilege | 4212 | powershell.exe
Token: SeDebugPrivilege | 3348 | powershell.exe
Token: SeDebugPrivilege | 1064 | powershell.exe
Token: SeDebugPrivilege | 1740 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 476 | csrss.exe
Suspicious use of WriteProcessMemory (30 IoCs)
Processes:
description | pid | Process | procid_target
PID 2728 wrote to memory of 4084 | 2728 | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe | 79
PID 2728 wrote to memory of 4084 | 2728 | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe | 79
PID 2728 wrote to memory of 4084 | 2728 | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe | 79
PID 4456 wrote to memory of 1572 | 4456 | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe | 84
PID 4456 wrote to memory of 1572 | 4456 | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe | 84
PID 4456 wrote to memory of 1572 | 4456 | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe | 84
PID 4456 wrote to memory of 1108 | 4456 | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe | 86
PID 4456 wrote to memory of 1108 | 4456 | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe | 86
PID 1108 wrote to memory of 4340 | 1108 | cmd.exe | 88
PID 1108 wrote to memory of 4340 | 1108 | cmd.exe | 88
PID 4456 wrote to memory of 2104 | 4456 | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe | 89
PID 4456 wrote to memory of 2104 | 4456 | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe | 89
PID 4456 wrote to memory of 2104 | 4456 | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe | 89
PID 4456 wrote to memory of 4212 | 4456 | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe | 91
PID 4456 wrote to memory of 4212 | 4456 | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe | 91
PID 4456 wrote to memory of 4212 | 4456 | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe | 91
PID 4456 wrote to memory of 476 | 4456 | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe | 93
PID 4456 wrote to memory of 476 | 4456 | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe | 93
PID 4456 wrote to memory of 476 | 4456 | ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe | 93
PID 476 wrote to memory of 3348 | 476 | csrss.exe | 94
PID 476 wrote to memory of 3348 | 476 | csrss.exe | 94
PID 476 wrote to memory of 3348 | 476 | csrss.exe | 94
PID 476 wrote to memory of 1064 | 476 | csrss.exe | 99
PID 476 wrote to memory of 1064 | 476 | csrss.exe | 99
PID 476 wrote to memory of 1064 | 476 | csrss.exe | 99
PID 476 wrote to memory of 1740 | 476 | csrss.exe | 102
PID 476 wrote to memory of 1740 | 476 | csrss.exe | 102
PID 476 wrote to memory of 1740 | 476 | csrss.exe | 102
PID 476 wrote to memory of 1932 | 476 | csrss.exe | 104
PID 476 wrote to memory of 1932 | 476 | csrss.exe | 104
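The WriteProcessMemory rows above are the only place this report records which process wrote into which; read as edges they reconstruct most of the process tree. The following is an added example (not part of the sandbox output) that parses the 30 rows exactly as printed, collapses repeats into distinct writer/target edges, and walks the result. The RECORD_RE pattern and the IMAGES map (PID to image name, taken from the Processes section below, since the rows name only the writer) are this example's own constructions. Note the outcome: no row records 2728 writing into 4456, so these edges alone give two roots (2728 and 4456), even though the Processes tree shows 4456 as a child of 2728.

```python
"""Rebuild writer -> target process relationships from the WriteProcessMemory signature."""
import re
from collections import defaultdict

SAMPLE = "ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe"

# The report's 30 rows, one per line, in the order printed.
RECORDS = "\n".join(
    [f"PID 2728 wrote to memory of 4084 2728 {SAMPLE} 79"] * 3
    + [f"PID 4456 wrote to memory of 1572 4456 {SAMPLE} 84"] * 3
    + [f"PID 4456 wrote to memory of 1108 4456 {SAMPLE} 86"] * 2
    + ["PID 1108 wrote to memory of 4340 1108 cmd.exe 88"] * 2
    + [f"PID 4456 wrote to memory of 2104 4456 {SAMPLE} 89"] * 3
    + [f"PID 4456 wrote to memory of 4212 4456 {SAMPLE} 91"] * 3
    + [f"PID 4456 wrote to memory of 476 4456 {SAMPLE} 93"] * 3
    + ["PID 476 wrote to memory of 3348 476 csrss.exe 94"] * 3
    + ["PID 476 wrote to memory of 1064 476 csrss.exe 99"] * 3
    + ["PID 476 wrote to memory of 1740 476 csrss.exe 102"] * 3
    + ["PID 476 wrote to memory of 1932 476 csrss.exe 104"] * 2
)

# Image name for every PID in the report's Processes tree (assumed mapping for labels).
IMAGES = {
    2728: SAMPLE, 4456: SAMPLE, 4084: "powershell.exe", 1572: "powershell.exe",
    1108: "cmd.exe", 4340: "netsh.exe", 2104: "powershell.exe", 4212: "powershell.exe",
    476: "csrss.exe", 3348: "powershell.exe", 1064: "powershell.exe",
    1740: "powershell.exe", 1932: "injector.exe",
}

# Row layout: "PID <writer> wrote to memory of <target> <writer> <writer image> <target index>"
RECORD_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_edges(text):
    """Distinct (writer, target) PID pairs; repeated rows collapse into one edge."""
    edges = set()
    for m in RECORD_RE.finditer(text):
        writer, target, writer_again, _image, _target_index = m.groups()
        if writer != writer_again:
            raise ValueError(f"inconsistent record: {m.group(0)}")
        edges.add((int(writer), int(target)))
    return edges


def build_tree(edges):
    """children: parent -> child PIDs (ascending); parents: child -> parent; roots: never a target."""
    children, parents = defaultdict(list), {}
    for parent, child in sorted(edges):
        children[parent].append(child)
        parents[child] = parent
    roots = sorted({parent for parent, _ in edges} - set(parents))
    return children, parents, roots


def lineage(parents, pid):
    """PIDs from the topmost recorded writer down to pid."""
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain[::-1]


def describe(parents, pid, images=IMAGES):
    return " > ".join(f"{p} {images.get(p, '?')}" for p in lineage(parents, pid))


def render(children, roots, images=IMAGES):
    """Indented text tree, one line per process."""
    lines = []

    def walk(pid, depth):
        lines.append("    " * depth + f"{pid} {images.get(pid, '?')}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    children, parents, roots = build_tree(parse_edges(RECORDS))
    print("\n".join(render(children, roots)))
    print("netsh lineage:", describe(parents, 4340))
```

Running it prints two subtrees and the chain that ends at the firewall change: 4456 (second instance of the sample) wrote into cmd.exe 1108, which wrote into netsh.exe 4340. The same chain is what the Processes tree shows at levels 2 to 4.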
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
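Taken together, the signatures above describe a small set of host behaviours a detection engineer can match directly: a netsh advfirewall inbound allow rule for a binary under C:\Windows\rss, a schtasks ONLOGON task at /RL HIGHEST pointing at the same binary, a Run key launching a file named csrss.exe from outside System32, a read-only open of \??\VBoxMiniRdrDN, and a write-open of \??\WinMonFS. The following is an added example (not part of the sandbox output) that encodes those checks as rules over a constructed event list. The Event schema, the field names, the TRUSTED_DIRS list and the two benign control events are this example's assumptions, not a real sensor's format; the malicious events restate the report's own IoCs.

```python
"""Rule-based detection of the persistence and evasion behaviours reported for this sample."""
import re
from dataclasses import dataclass, field

# Prefixes under which OS-supplied or properly installed binaries are expected (assumed policy).
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# Core Windows process names malware borrows; the genuine ones live in System32.
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe", "services.exe"}
# Device paths from this report: the VirtualBox probe and the WinMonFS rootkit driver.
ANTI_VM_DEVICES = {"\\??\\vboxminirdrdn"}
ROOTKIT_DEVICES = {"\\??\\winmonfs"}
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"


@dataclass
class Event:
    kind: str                       # "process", "registry" or "file"
    process: str                    # image name of the acting process
    data: dict = field(default_factory=dict)


def norm(path: str) -> str:
    """Lower-case a Windows path and drop surrounding quotes for comparison."""
    return path.strip().strip('"').lower()


def outside_trusted_dirs(path: str) -> bool:
    return not norm(path).startswith(TRUSTED_DIRS)


def masquerading_path(path: str) -> bool:
    """A core system process name run from anywhere but System32/SysWOW64."""
    p = norm(path)
    return p.rsplit("\\", 1)[-1] in SYSTEM_PROCESS_NAMES and not p.startswith(TRUSTED_DIRS[:2])


def first_token(value: str) -> str:
    """The image path at the start of a command line or Run-key value."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', value)
    return (m.group(1) or m.group(2)) if m else ""


def check_process(ev):
    cmd, low = ev.data["cmdline"], ev.data["cmdline"].lower()
    # Inbound allow rule (netsh advfirewall) for a program outside trusted locations.
    if re.search(r"\bnetsh\b.*\badvfirewall\b.*\badd\s+rule\b", low) and "dir=in" in low and "action=allow" in low:
        m = re.search(r'program="?([^"\s]+)', cmd, re.I)
        if m and outside_trusted_dirs(m.group(1)):
            return ("firewall_allow_untrusted_program", m.group(1))
    # Scheduled task at highest run level whose action is an untrusted binary.
    if re.search(r"\bschtasks\b.*/create\b", low) and re.search(r"/rl\s+highest\b", low):
        m = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cmd, re.I)
        target = (m.group(1) or m.group(2)) if m else ""
        if target and outside_trusted_dirs(target):
            return ("schtasks_highest_untrusted", target)
    return None


def check_registry(ev):
    # Run-key value that launches a system-process name from a non-system directory.
    if RUN_KEY in ev.data["key"].lower():
        image = first_token(ev.data["value"])
        if masquerading_path(image):
            return ("run_key_masquerade", image)
    return None


def check_file(ev):
    p = norm(ev.data["path"])
    if p in ANTI_VM_DEVICES:
        return ("anti_vm_probe", ev.data["path"])
    if p in ROOTKIT_DEVICES:
        return ("winmonfs_rootkit_driver", ev.data["path"])
    return None


CHECKS = {"process": check_process, "registry": check_registry, "file": check_file}


def detect(events):
    """Return (rule, acting process, detail) for every event a rule matches, in event order."""
    hits = []
    for ev in events:
        hit = CHECKS[ev.kind](ev)
        if hit:
            hits.append((hit[0], ev.process, hit[1]))
    return hits


SAMPLE = "ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe"
SID = "S-1-5-21-2994005945-4089876968-1367784197-1000"
# Constructed events: the first six restate the report's IoCs, the last two are benign controls.
SAMPLE_EVENTS = [
    Event("process", "netsh.exe", {"cmdline": 'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\\Windows\\rss\\csrss.exe" enable=yes'}),
    Event("process", "schtasks.exe", {"cmdline": 'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\\Windows\\rss\\csrss.exe" /TN csrss /F'}),
    Event("process", "schtasks.exe", {"cmdline": "schtasks /delete /tn ScheduledUpdate /f"}),
    Event("registry", "csrss.exe", {"key": f"\\REGISTRY\\USER\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\csrss", "value": '"C:\\Windows\\rss\\csrss.exe"'}),
    Event("file", SAMPLE, {"path": "\\??\\VBoxMiniRdrDN", "access": "read"}),
    Event("file", "csrss.exe", {"path": "\\??\\WinMonFS", "access": "modify"}),
    Event("process", "schtasks.exe", {"cmdline": 'schtasks /CREATE /SC DAILY /TR "C:\\Program Files\\Vendor\\updater.exe" /TN VendorUpdate'}),
    Event("registry", "explorer.exe", {"key": f"\\REGISTRY\\USER\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "value": '"C:\\Program Files\\Vendor\\updater.exe" /background'}),
]

if __name__ == "__main__":
    for rule, proc, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:34} {proc:14} {detail}")
```

The rules key on what the report actually shows rather than on the exact strings: any inbound allow rule or HIGHEST-level logon task for a binary outside System32/Program Files fires, and the Run-key rule fires on any core process name (csrss.exe here) launched from a non-system directory, so a rebuilt sample that renames C:\Windows\rss still trips all three. The two control events (a vendor updater task without /RL HIGHEST and a Run key under Program Files) produce no hits, which is the false-positive check worth keeping when tuning TRUSTED_DIRS for a real estate.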
Processes (indentation shows parent/child depth; each node gives image, command line, behaviour tags and PID)

C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2728

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -nologo -noprofile
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4084

    C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe"
        - Adds Run key to start application
        - Checks for VirtualBox DLLs, possible anti-VM trick
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 4456

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Command and Scripting Interpreter: PowerShell
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1572

        C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            - Suspicious use of WriteProcessMemory
            PID: 1108

            C:\Windows\system32\netsh.exe
                cmdline: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                - Modifies Windows Firewall
                PID: 4340

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Command and Scripting Interpreter: PowerShell
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2104

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Command and Scripting Interpreter: PowerShell
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4212

        C:\Windows\rss\csrss.exe
            cmdline: C:\Windows\rss\csrss.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Manipulates WinMonFS driver
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 476

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                cmdline: powershell -nologo -noprofile
                - Drops file in System32 directory
                - Command and Scripting Interpreter: PowerShell
                - Modifies data under HKEY_USERS
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 3348

            C:\Windows\SYSTEM32\schtasks.exe
                cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                - Creates scheduled task(s)
                PID: 3808

            C:\Windows\SYSTEM32\schtasks.exe
                cmdline: schtasks /delete /tn ScheduledUpdate /f
                PID: 3024

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                cmdline: powershell -nologo -noprofile
                - Drops file in System32 directory
                - Command and Scripting Interpreter: PowerShell
                - Modifies data under HKEY_USERS
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 1064

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                cmdline: powershell -nologo -noprofile
                - Drops file in System32 directory
                - Command and Scripting Interpreter: PowerShell
                - Modifies data under HKEY_USERS
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 1740

            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                cmdline: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                PID: 1932

            C:\Windows\SYSTEM32\schtasks.exe
                cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                - Creates scheduled task(s)
                PID: 1708
Network
MITRE ATT&CK Enterprise v15

Persistence
    Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1): Windows Service (1)
    Scheduled Task/Job (1)
Privilege Escalation
    Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1): Windows Service (1)
    Scheduled Task/Job (1)
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 281KB
MD5: d98e33b66343e7c96158444127a117f6
SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: d0c46cad6c0778401e21910bd6b56b70
SHA1: 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256: 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512: 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 595d84634876f215969d5b7dd7161e68
SHA1: 295a03e3fdfd9627152423b6e3ab4e1da9926b27
SHA256: fa0a5449ed163f74bf0b64947156d6bbf8ff6c8efbb993a45123585d7c366a8e
SHA512: 87f9aabf9fc1fdbcea1e3eb7bdaefa33e3f8ee86ada7f83f1bac5214173557808299f8846832055d27ad6bbf94f9fa3b07128e7ee566b68e2da240d7c2e3e9fb

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 89f45b04b175da47c3818a204441923e
SHA1: abf86afdcb9078d690e6a06f1caa9c8e45cfc7c1
SHA256: 0d44dbc40b2dd74e51c4d27f2ed5f8ee41e3cb0535111570294383c3519f55c7
SHA512: a3ab064e4c648211efc0872b0dca62775108cf369b4fe873e973497cb41adc2791ccc37de373f3d908c199c69563c2b56af148f6a8b9a61e3bdd88802e1625ad

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: fbcf625d8d2ef66696b9ba8815c13726
SHA1: 6da9b33388b703103a620f84a7e565302fe41cb8
SHA256: 391a97f33642a4d9f70d5f384e0aeb9aff175b65f631304b0e0db3a287275926
SHA512: 01d973e4c466002a97ae366ffaa8b13855f1dde8c7a17fb812c960c24d9dfd5c05d138c33f110f63f3a9c2426292988d757fc186fa608e4dcdf594654a4b3b90

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: c066338eb89297c30bc644627066ddd8
SHA1: 8b8112ee491bc0d8dd5350a090fa1d8e40ab43ba
SHA256: a6d270847422f2b7db6d9c863658b4048788fa843d3aa9c4b792c98759be34ab
SHA512: 3a8cb4596f1a9813f9ebf259b3231c8d688a495d6424e3743dffd539a139972cd3e8cfc9a944bab4cc08a09e6bd22d50acd3ddbfbf6798a402f252de1ff72055

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 1321bb4ad65f54aedc6c3861cd12e556
SHA1: 7966d6ca95b5c5d7519e16e6ce2bc90ce34104ea
SHA256: 9633932f18afaf1fa695cee19c5eb32e5d3e778d58715aefc7643feb61438bcb
SHA512: 15339b52873c7326fa053af5be494e10406c5317df9900150e725869dccc5460eb491e4f6333b45b36b236c2e6c4bc89abe2c1c50a99e193984fe7b1fb29f844

Filesize: 4.1MB
MD5: a3c419f3f21ea2b1f953b6afffa93ab3
SHA1: fc3d57e90e505d0ea5a1194bc0d244eac6924505
SHA256: ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef
SHA512: ad6f26ce3277538232654956ebe8a07148ff4e817719c123245d107abeb94833cdd21e30602decd70bf6c8806a0a4cb8b6158ff681363dd1e9682b6a026036ac