Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
17-05-2024 13:23
Static task
static1
Behavioral task
behavioral1
Sample
35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
Resource
win10v2004-20240426-en
General
-
Target
35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
-
Size
4.1MB
-
MD5
0f07ae77a24f6f3eaec531eff1e38ec0
-
SHA1
68f06135f177c8f8c5d00b93809c64463fc1ebea
-
SHA256
35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8
-
SHA512
af8b1577c21b3e3af66390d06ca0c84d64e0c1e775de3e4f39cc445f7f570a5ad68f99a5d48277a41afba6c449e364b09905dfc4e491d92c008677f65c87af4b
-
SSDEEP
98304:EQJMl/iXMhTmfDhNRe9xfYVEx7xkD10HZd3scl3XzHAtmo0Fz:/b8hTmbBIxHPR3rn3oKz
Malware Config
Signatures
-
Glupteba payload 18 IoCs
Processes:
resource yara_rule
behavioral1/memory/3872-2-0x0000000004CE0000-0x00000000055CB000-memory.dmp family_glupteba
behavioral1/memory/3872-3-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral1/memory/3872-28-0x0000000000400000-0x0000000002B0D000-memory.dmp family_glupteba
behavioral1/memory/3872-58-0x0000000004CE0000-0x00000000055CB000-memory.dmp family_glupteba
behavioral1/memory/3872-57-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral1/memory/3872-55-0x0000000000400000-0x0000000002B0D000-memory.dmp family_glupteba
behavioral1/memory/2604-138-0x0000000000400000-0x0000000002B0D000-memory.dmp family_glupteba
behavioral1/memory/3572-215-0x0000000000400000-0x0000000002B0D000-memory.dmp family_glupteba
behavioral1/memory/3572-222-0x0000000000400000-0x0000000002B0D000-memory.dmp family_glupteba
behavioral1/memory/3572-232-0x0000000000400000-0x0000000002B0D000-memory.dmp family_glupteba
behavioral1/memory/3572-234-0x0000000000400000-0x0000000002B0D000-memory.dmp family_glupteba
behavioral1/memory/3572-236-0x0000000000400000-0x0000000002B0D000-memory.dmp family_glupteba
behavioral1/memory/3572-238-0x0000000000400000-0x0000000002B0D000-memory.dmp family_glupteba
behavioral1/memory/3572-240-0x0000000000400000-0x0000000002B0D000-memory.dmp family_glupteba
behavioral1/memory/3572-242-0x0000000000400000-0x0000000002B0D000-memory.dmp family_glupteba
behavioral1/memory/3572-244-0x0000000000400000-0x0000000002B0D000-memory.dmp family_glupteba
behavioral1/memory/3572-246-0x0000000000400000-0x0000000002B0D000-memory.dmp family_glupteba
behavioral1/memory/3572-248-0x0000000000400000-0x0000000002B0D000-memory.dmp family_glupteba
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
pid process
4840 netsh.exe
-
Executes dropped EXE 4 IoCs
Processes:
pid process
3572 csrss.exe
452 injector.exe
564 windefender.exe
2352 windefender.exe
-
Processes:
resource yara_rule
C:\Windows\windefender.exe upx
behavioral1/memory/564-227-0x0000000000400000-0x00000000008DF000-memory.dmp upx
behavioral1/memory/2352-230-0x0000000000400000-0x00000000008DF000-memory.dmp upx
behavioral1/memory/564-231-0x0000000000400000-0x00000000008DF000-memory.dmp upx
behavioral1/memory/2352-233-0x0000000000400000-0x00000000008DF000-memory.dmp upx
behavioral1/memory/2352-237-0x0000000000400000-0x00000000008DF000-memory.dmp upx
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
Processes:
description ioc process
File opened for modification \??\WinMonFS csrss.exe
-
Drops file in System32 directory 7 IoCs
Processes:
description ioc process
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
description ioc process
File opened (read-only) \??\VBoxMiniRdrDN 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
-
Drops file in Windows directory 4 IoCs
Processes:
description ioc process
File opened for modification C:\Windows\windefender.exe csrss.exe
File opened for modification C:\Windows\rss 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
File created C:\Windows\rss\csrss.exe 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
File created C:\Windows\windefender.exe csrss.exe
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid process
740 sc.exe
-
Processes:
pid process
4756 powershell.exe
4432 powershell.exe
2416 powershell.exe
1260 powershell.exe
2188 powershell.exe
3320 powershell.exe
2784 powershell.exe
-
Program crash 1 IoCs
Processes:
pid pid_target process target process
1148 2604 WerFault.exe 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid process
5012 schtasks.exe
5084 schtasks.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time" windefender.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
2416 powershell.exe
2416 powershell.exe
3872 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
3872 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
1260 powershell.exe
1260 powershell.exe
2604 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
2604 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
2604 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
2604 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
2604 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
2604 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
2604 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
2604 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
2604 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
2604 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
2188 powershell.exe
2188 powershell.exe
3320 powershell.exe
3320 powershell.exe
2784 powershell.exe
2784 powershell.exe
4756 powershell.exe
4756 powershell.exe
4432 powershell.exe
4432 powershell.exe
452 injector.exe
452 injector.exe
452 injector.exe
452 injector.exe
452 injector.exe
452 injector.exe
3572 csrss.exe
3572 csrss.exe
452 injector.exe
452 injector.exe
452 injector.exe
452 injector.exe
452 injector.exe
452 injector.exe
3572 csrss.exe
3572 csrss.exe
452 injector.exe
452 injector.exe
3572 csrss.exe
3572 csrss.exe
452 injector.exe
452 injector.exe
452 injector.exe
452 injector.exe
452 injector.exe
452 injector.exe
452 injector.exe
452 injector.exe
452 injector.exe
452 injector.exe
452 injector.exe
452 injector.exe
452 injector.exe
452 injector.exe
452 injector.exe
452 injector.exe
452 injector.exe
452 injector.exe
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 2416 powershell.exe
Token: SeDebugPrivilege 3872 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
Token: SeImpersonatePrivilege 3872 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
Token: SeDebugPrivilege 1260 powershell.exe
Token: SeDebugPrivilege 2188 powershell.exe
Token: SeDebugPrivilege 3320 powershell.exe
Token: SeDebugPrivilege 2784 powershell.exe
Token: SeDebugPrivilege 4756 powershell.exe
Token: SeDebugPrivilege 4432 powershell.exe
Token: SeSystemEnvironmentPrivilege 3572 csrss.exe
Token: SeSecurityPrivilege 740 sc.exe
Token: SeSecurityPrivilege 740 sc.exe
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
description pid process target process
PID 3872 wrote to memory of 2416 3872 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe powershell.exe
PID 3872 wrote to memory of 2416 3872 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe powershell.exe
PID 3872 wrote to memory of 2416 3872 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe powershell.exe
PID 2604 wrote to memory of 1260 2604 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe powershell.exe
PID 2604 wrote to memory of 1260 2604 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe powershell.exe
PID 2604 wrote to memory of 1260 2604 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe powershell.exe
PID 2604 wrote to memory of 4236 2604 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe cmd.exe
PID 2604 wrote to memory of 4236 2604 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe cmd.exe
PID 4236 wrote to memory of 4840 4236 cmd.exe netsh.exe
PID 4236 wrote to memory of 4840 4236 cmd.exe netsh.exe
PID 2604 wrote to memory of 2188 2604 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe powershell.exe
PID 2604 wrote to memory of 2188 2604 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe powershell.exe
PID 2604 wrote to memory of 2188 2604 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe powershell.exe
PID 2604 wrote to memory of 3320 2604 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe powershell.exe
PID 2604 wrote to memory of 3320 2604 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe powershell.exe
PID 2604 wrote to memory of 3320 2604 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe powershell.exe
PID 2604 wrote to memory of 3572 2604 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe csrss.exe
PID 2604 wrote to memory of 3572 2604 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe csrss.exe
PID 2604 wrote to memory of 3572 2604 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe csrss.exe
PID 3572 wrote to memory of 2784 3572 csrss.exe powershell.exe
PID 3572 wrote to memory of 2784 3572 csrss.exe powershell.exe
PID 3572 wrote to memory of 2784 3572 csrss.exe powershell.exe
PID 3572 wrote to memory of 4756 3572 csrss.exe powershell.exe
PID 3572 wrote to memory of 4756 3572 csrss.exe powershell.exe
PID 3572 wrote to memory of 4756 3572 csrss.exe powershell.exe
PID 3572 wrote to memory of 4432 3572 csrss.exe powershell.exe
PID 3572 wrote to memory of 4432 3572 csrss.exe powershell.exe
PID 3572 wrote to memory of 4432 3572 csrss.exe powershell.exe
PID 3572 wrote to memory of 452 3572 csrss.exe injector.exe
PID 3572 wrote to memory of 452 3572 csrss.exe injector.exe
PID 564 wrote to memory of 2820 564 windefender.exe cmd.exe
PID 564 wrote to memory of 2820 564 windefender.exe cmd.exe
PID 564 wrote to memory of 2820 564 windefender.exe cmd.exe
PID 2820 wrote to memory of 740 2820 cmd.exe sc.exe
PID 2820 wrote to memory of 740 2820 cmd.exe sc.exe
PID 2820 wrote to memory of 740 2820 cmd.exe sc.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3872 -
Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416 -
Level 2: C:\Users\Admin\AppData\Local\Temp\35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8.exe"
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2604 -
Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1260 -
Level 3: C:\Windows\system32\cmd.exe
Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
- Suspicious use of WriteProcessMemory
PID:4236 -
Level 4: C:\Windows\system32\netsh.exe
Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
- Modifies Windows Firewall
PID:4840 -
Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188 -
Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3320 -
Level 3: C:\Windows\rss\csrss.exe
Command line: C:\Windows\rss\csrss.exe
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3572 -
Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2784 -
Level 4: C:\Windows\SYSTEM32\schtasks.exe
Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
- Creates scheduled task(s)
PID:5012 -
Level 4: C:\Windows\SYSTEM32\schtasks.exe
Command line: schtasks /delete /tn ScheduledUpdate /f
PID:5040
-
Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4756 -
Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4432 -
Level 4: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:452 -
Level 4: C:\Windows\SYSTEM32\schtasks.exe
Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
- Creates scheduled task(s)
PID:5084 -
Level 4: C:\Windows\windefender.exe
Command line: "C:\Windows\windefender.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:564 -
Level 5: C:\Windows\SysWOW64\cmd.exe
Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
- Suspicious use of WriteProcessMemory
PID:2820 -
Level 6: C:\Windows\SysWOW64\sc.exe
Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:740 -
Level 3: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 848
- Program crash
PID:1148
-
Level 1: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2604 -ip 2604
PID:1044
-
Level 1: C:\Windows\windefender.exe
Command line: C:\Windows\windefender.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2352
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution 1
- Registry Run Keys / Startup Folder 1
- Create or Modify System Process 1
- Windows Service 1
- Scheduled Task/Job 1
Privilege Escalation
- Boot or Logon Autostart Execution 1
- Registry Run Keys / Startup Folder 1
- Create or Modify System Process 1
- Windows Service 1
- Scheduled Task/Job 1
Downloads
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
281KB
MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize 2KB
MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 7eb85f2309a5a39fab430f88f5ac75c1
SHA1 de3842f03c0f7f9949c74edf9fa46320ed76d766
SHA256 bb9125002fceb10d88ca09276736b28edce6c45b66cb43dfb047595c33fcecf5
SHA512 c3feeda6bcce20f987230a245788ce8e412648d3010fb130776e97c524644e738b7a50f08bb44d62dc6cf03547c51e3de22fd9e1fa13ffe18d28cff4499bc40e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 01fa6ce8711d682ad1963461f13713d7
SHA1 b9502e53622f8be2cc0bfbfa58a4f159478c74f7
SHA256 7137ae4da7d00e1a9bfcf063d6eacc5ba36f7eccef6c2f831456dbc0bc8d0f91
SHA512 93dee6e13791ca5e96575686df38175b76a9844f1d38176f32fb6e3a96c4336c4fa2e392a636dee53bd3f60c8ac6e506cf4bfb2d7289a75ac952ac4ddf645eb3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 e3e3cf114e90b07437498c0b5a263ceb
SHA1 26e72bf4b218017579cd4abbd522c79f79bdf070
SHA256 05d2388d7f47e077c9b3674b0ca0d9cb3785c13ebf936cf07ce7608b0b2e2d00
SHA512 6e3b9dd75224a127e84f163bacf3c9f87f6b7ba69ec1a8e01ff364c792311a66df0cac8af4d15b0058a3408c0c4d38c1ad9887afd44c5804ab09dcd18fd7215f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 a7c4bf5549e1b26ac2dbd83e50a32ced
SHA1 819617fb7189187290364daf968e1d37e7ce440e
SHA256 a848cc754552f791849a6f507b3fb7dadd2b0c96324541cf427598a83610bf56
SHA512 89bff1eaccaf23daaaa09945d9c57c745831a803e55d6224d1d7f176ebc2ac8fe86b70ef2d601386de302714c9ae189608637ecd0ea821d156e69617e690f3ff
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 eb66adfeb701ed4ed2adfc39ebe334fc
SHA1 3434f919a84b547b2c1b2115aab86fe9d66d795c
SHA256 c584626e5fe369d24d6bf65c6f3def826f897c52df7009d9ab67233fccb609d6
SHA512 f56df2fec2ddc0b509dbd1b316b9a3ffc87935e932eb4901af45834ea180d4ea665fe37699da753094a9ac7e86e9fa9ccda282da7e9438b98588ba5a041a07f8
-
Filesize
4.1MB
MD5 0f07ae77a24f6f3eaec531eff1e38ec0
SHA1 68f06135f177c8f8c5d00b93809c64463fc1ebea
SHA256 35ac138eb73dd1225758649b799cc73aaf7e2678c64f36fae8a9b1a7879b4ff8
SHA512 af8b1577c21b3e3af66390d06ca0c84d64e0c1e775de3e4f39cc445f7f570a5ad68f99a5d48277a41afba6c449e364b09905dfc4e491d92c008677f65c87af4b
-
Filesize
2.0MB
MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec