Analysis
max time kernel: 149s
max time network: 154s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 16-05-2024 10:20
Static task: static1
Behavioral task: behavioral1
Sample: c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe
Resource: win10v2004-20240426-en
General
Target: c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe
Size: 4.1MB
MD5: ff517167739e9a3c22813702ea067be5
SHA1: db22cfd1119e1be0366774ea74b35e07644bffbc
SHA256: c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef
SHA512: 8b891d1c798643fa7b89e139af4ff97a3ee8b554a6f9b8a54a99ebe9d7638b1ee9465a4d760904b3a2e30aa38cb49b242e02bca7f5e8036c752296518b106ecd
SSDEEP: 98304:1BH5QtHgtXZGwxAeX68LG3wNCsYjHyiS0gsLIyJOWEFSdaDQG3a9nt1:1BZQtHgtXlxHq4G3ixkyiJTOnSQDy9nD
Malware Config
Signatures
Glupteba payload 17 IoCs
Memory regions matching yara rule family_glupteba:
- behavioral2/memory/4512-2-0x0000000002E30000-0x000000000371B000-memory.dmp
- behavioral2/memory/4512-3-0x0000000000400000-0x0000000000D1C000-memory.dmp
- behavioral2/memory/4512-74-0x0000000000400000-0x0000000000D1C000-memory.dmp
- behavioral2/memory/4512-76-0x0000000002E30000-0x000000000371B000-memory.dmp
- behavioral2/memory/1012-125-0x0000000000400000-0x0000000000D1C000-memory.dmp
- behavioral2/memory/1916-194-0x0000000000400000-0x0000000000D1C000-memory.dmp
- behavioral2/memory/1916-210-0x0000000000400000-0x0000000000D1C000-memory.dmp
- behavioral2/memory/1916-212-0x0000000000400000-0x0000000000D1C000-memory.dmp
- behavioral2/memory/1916-215-0x0000000000400000-0x0000000000D1C000-memory.dmp
- behavioral2/memory/1916-218-0x0000000000400000-0x0000000000D1C000-memory.dmp
- behavioral2/memory/1916-220-0x0000000000400000-0x0000000000D1C000-memory.dmp
- behavioral2/memory/1916-223-0x0000000000400000-0x0000000000D1C000-memory.dmp
- behavioral2/memory/1916-227-0x0000000000400000-0x0000000000D1C000-memory.dmp
- behavioral2/memory/1916-230-0x0000000000400000-0x0000000000D1C000-memory.dmp
- behavioral2/memory/1916-232-0x0000000000400000-0x0000000000D1C000-memory.dmp
- behavioral2/memory/1916-235-0x0000000000400000-0x0000000000D1C000-memory.dmp
- behavioral2/memory/1916-239-0x0000000000400000-0x0000000000D1C000-memory.dmp
Modifies Windows Firewall 2 TTPs 1 IoCs
Process: netsh.exe (PID 1188)
Executes dropped EXE 4 IoCs
Processes: csrss.exe (PID 1916), injector.exe (PID 416), windefender.exe (PID 3804), windefender.exe (PID 1304)
UPX packed file 6 IoCs
Resources matching yara rule upx:
- behavioral2/files/0x000200000002aa16-203.dat
- behavioral2/memory/3804-205-0x0000000000400000-0x00000000008DF000-memory.dmp
- behavioral2/memory/1304-207-0x0000000000400000-0x00000000008DF000-memory.dmp
- behavioral2/memory/3804-208-0x0000000000400000-0x00000000008DF000-memory.dmp
- behavioral2/memory/1304-213-0x0000000000400000-0x00000000008DF000-memory.dmp
- behavioral2/memory/1304-219-0x0000000000400000-0x00000000008DF000-memory.dmp
Adds Run key to start application 2 TTPs 2 IoCs
- c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""
- csrss.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
- csrss.exe: File opened for modification \??\WinMonFS
Drops file in System32 directory 7 IoCs
- powershell.exe: File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
- powershell.exe: File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
- powershell.exe: File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
- powershell.exe: File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
- powershell.exe: File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
- powershell.exe: File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
- powershell.exe: File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
- c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe: File opened (read-only) \??\VBoxMiniRdrDN
Drops file in Windows directory 4 IoCs
- c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe: File opened for modification C:\Windows\rss
- c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe: File created C:\Windows\rss\csrss.exe
- csrss.exe: File created C:\Windows\windefender.exe
- csrss.exe: File opened for modification C:\Windows\windefender.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Process: sc.exe (PID 1436)
Command and Scripting Interpreter: PowerShell 7 IoCs
Processes: powershell.exe (PID 1900), powershell.exe (PID 3164), powershell.exe (PID 4952), powershell.exe (PID 5008), powershell.exe (PID 5108), powershell.exe (PID 1068), powershell.exe (PID 3596)
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (PID 2824), schtasks.exe (PID 3844)
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 12 IoCs
- powershell.exe (PID 3596): Token: SeDebugPrivilege
- c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe (PID 4512): Token: SeDebugPrivilege
- c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe (PID 4512): Token: SeImpersonatePrivilege
- powershell.exe (PID 1900): Token: SeDebugPrivilege
- powershell.exe (PID 3164): Token: SeDebugPrivilege
- powershell.exe (PID 4952): Token: SeDebugPrivilege
- powershell.exe (PID 5008): Token: SeDebugPrivilege
- powershell.exe (PID 5108): Token: SeDebugPrivilege
- powershell.exe (PID 1068): Token: SeDebugPrivilege
- csrss.exe (PID 1916): Token: SeSystemEnvironmentPrivilege
- sc.exe (PID 1436): Token: SeSecurityPrivilege
- sc.exe (PID 1436): Token: SeSecurityPrivilege
Suspicious use of WriteProcessMemory 36 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe (PID 4512)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3596)
    Command line: powershell -nologo -noprofile
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe (PID 1012)
    Command line: "C:\Users\Admin\AppData\Local\Temp\c2ac6602b80a8faf3b2dacf3a9d1fb73f81a72d079944234cd293af88efc14ef.exe"
    Signatures: Adds Run key to start application; Checks for VirtualBox DLLs, possible anti-VM trick; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1900)
      Command line: powershell -nologo -noprofile
      Signatures: Drops file in System32 directory; Command and Scripting Interpreter: PowerShell; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe (PID 2308)
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\netsh.exe (PID 1188)
        Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        Signatures: Modifies Windows Firewall
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3164)
      Command line: powershell -nologo -noprofile
      Signatures: Drops file in System32 directory; Command and Scripting Interpreter: PowerShell; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4952)
      Command line: powershell -nologo -noprofile
      Signatures: Drops file in System32 directory; Command and Scripting Interpreter: PowerShell; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\rss\csrss.exe (PID 1916)
      Command line: C:\Windows\rss\csrss.exe
      Signatures: Executes dropped EXE; Adds Run key to start application; Manipulates WinMonFS driver.; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5008)
        Command line: powershell -nologo -noprofile
        Signatures: Drops file in System32 directory; Command and Scripting Interpreter: PowerShell; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SYSTEM32\schtasks.exe (PID 2824)
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        Signatures: Creates scheduled task(s)
      - C:\Windows\SYSTEM32\schtasks.exe (PID 4496)
        Command line: schtasks /delete /tn ScheduledUpdate /f
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5108)
        Command line: powershell -nologo -noprofile
        Signatures: Drops file in System32 directory; Command and Scripting Interpreter: PowerShell; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1068)
        Command line: powershell -nologo -noprofile
        Signatures: Drops file in System32 directory; Command and Scripting Interpreter: PowerShell; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (PID 416)
        Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SYSTEM32\schtasks.exe (PID 3844)
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        Signatures: Creates scheduled task(s)
      - C:\Windows\windefender.exe (PID 3804)
        Command line: "C:\Windows\windefender.exe"
        Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (PID 2908)
          Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\sc.exe (PID 1436)
            Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            Signatures: Launches sc.exe; Suspicious use of AdjustPrivilegeToken
- C:\Windows\windefender.exe (PID 1304)
  Command line: C:\Windows\windefender.exe
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Downloads