Analysis
-
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-05-2024 13:24
Static task
static1
Behavioral task
behavioral1
Sample
c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
Resource
win10v2004-20240508-en
General
-
Target: c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
Size: 4.1MB
MD5: 52d69906fb9fedeccf7954d25b3d468c
SHA1: 4d3b05ff2be98f0ccc15f3c222f0e0c08124e27d
SHA256: c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018
SHA512: 9c9ffc709779fa123cd93bc78b5cc0c51f21759f2244df2a296908185182ec005fc25de582818eb70290701fd77df75187c8f849070e8a483c10c44803e1e55f
SSDEEP: 98304:8QJMl/iXMhTmfDhNRe9xfYVEx7xkD10HZd3scl3XzHAtmo0FY:Xb8hTmbBIxHPR3rn3oKY
Malware Config
Signatures
-
Glupteba payload 19 IoCs
Processes:
resource  yara_rule
behavioral1/memory/624-2-0x0000000004C50000-0x000000000553B000-memory.dmp  family_glupteba
behavioral1/memory/624-3-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
behavioral1/memory/624-4-0x0000000000400000-0x0000000002B0D000-memory.dmp  family_glupteba
behavioral1/memory/624-57-0x0000000004C50000-0x000000000553B000-memory.dmp  family_glupteba
behavioral1/memory/624-58-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
behavioral1/memory/624-55-0x0000000000400000-0x0000000002B0D000-memory.dmp  family_glupteba
behavioral1/memory/3368-84-0x0000000000400000-0x0000000002B0D000-memory.dmp  family_glupteba
behavioral1/memory/3368-137-0x0000000000400000-0x0000000002B0D000-memory.dmp  family_glupteba
behavioral1/memory/3720-165-0x0000000000400000-0x0000000002B0D000-memory.dmp  family_glupteba
behavioral1/memory/3720-222-0x0000000000400000-0x0000000002B0D000-memory.dmp  family_glupteba
behavioral1/memory/3720-232-0x0000000000400000-0x0000000002B0D000-memory.dmp  family_glupteba
behavioral1/memory/3720-233-0x0000000000400000-0x0000000002B0D000-memory.dmp  family_glupteba
behavioral1/memory/3720-235-0x0000000000400000-0x0000000002B0D000-memory.dmp  family_glupteba
behavioral1/memory/3720-238-0x0000000000400000-0x0000000002B0D000-memory.dmp  family_glupteba
behavioral1/memory/3720-240-0x0000000000400000-0x0000000002B0D000-memory.dmp  family_glupteba
behavioral1/memory/3720-241-0x0000000000400000-0x0000000002B0D000-memory.dmp  family_glupteba
behavioral1/memory/3720-243-0x0000000000400000-0x0000000002B0D000-memory.dmp  family_glupteba
behavioral1/memory/3720-246-0x0000000000400000-0x0000000002B0D000-memory.dmp  family_glupteba
behavioral1/memory/3720-248-0x0000000000400000-0x0000000002B0D000-memory.dmp  family_glupteba
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
pid  process
1944  netsh.exe
-
Executes dropped EXE 4 IoCs
Processes:
pid  process
3720  csrss.exe
2400  injector.exe
1056  windefender.exe
4912  windefender.exe
-
Processes:
resource  yara_rule
C:\Windows\windefender.exe  upx
behavioral1/memory/1056-227-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
behavioral1/memory/4912-229-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
behavioral1/memory/1056-231-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
behavioral1/memory/4912-234-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
behavioral1/memory/4912-237-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""  csrss.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
Processes:
description  ioc  process
File opened for modification  \??\WinMonFS  csrss.exe
-
Drops file in System32 directory 7 IoCs
Processes:
description  ioc  process
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
File created  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
File created  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log  powershell.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
description  ioc  process
File opened (read-only)  \??\VBoxMiniRdrDN  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
-
Drops file in Windows directory 4 IoCs
Processes:
description  ioc  process
File opened for modification  C:\Windows\rss  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
File created  C:\Windows\rss\csrss.exe  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
File created  C:\Windows\windefender.exe  csrss.exe
File opened for modification  C:\Windows\windefender.exe  csrss.exe
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid  process
1380  sc.exe
-
Processes:
pid  process
2400  powershell.exe
3628  powershell.exe
624  powershell.exe
4936  powershell.exe
4920  powershell.exe
3324  powershell.exe
4720  powershell.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid  process
3664  schtasks.exe
3496  schtasks.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-162 = "Central Standard Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time"  windefender.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-571 = "China Daylight Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-302 = "Romance Standard Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs  powershell.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-161 = "Central Daylight Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-572 = "China Standard Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time"  windefender.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid  process
3324  powershell.exe
3324  powershell.exe
624  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
624  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
4720  powershell.exe
4720  powershell.exe
3368  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
3368  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
3368  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
3368  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
3368  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
3368  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
3368  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
3368  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
3368  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
3368  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
2400  powershell.exe
2400  powershell.exe
3628  powershell.exe
3628  powershell.exe
624  powershell.exe
624  powershell.exe
4936  powershell.exe
4936  powershell.exe
4920  powershell.exe
4920  powershell.exe
2400  injector.exe
2400  injector.exe
2400  injector.exe
2400  injector.exe
2400  injector.exe
2400  injector.exe
2400  injector.exe
3720  csrss.exe
2400  injector.exe
3720  csrss.exe
2400  injector.exe
2400  injector.exe
2400  injector.exe
2400  injector.exe
3720  csrss.exe
3720  csrss.exe
2400  injector.exe
2400  injector.exe
2400  injector.exe
2400  injector.exe
3720  csrss.exe
3720  csrss.exe
2400  injector.exe
2400  injector.exe
2400  injector.exe
2400  injector.exe
2400  injector.exe
2400  injector.exe
2400  injector.exe
2400  injector.exe
2400  injector.exe
2400  injector.exe
2400  injector.exe
2400  injector.exe
2400  injector.exe
2400  injector.exe
2400  injector.exe
2400  injector.exe
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  3324  powershell.exe
Token: SeDebugPrivilege  624  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
Token: SeImpersonatePrivilege  624  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe
Token: SeDebugPrivilege  4720  powershell.exe
Token: SeDebugPrivilege  2400  powershell.exe
Token: SeDebugPrivilege  3628  powershell.exe
Token: SeDebugPrivilege  624  powershell.exe
Token: SeDebugPrivilege  4936  powershell.exe
Token: SeDebugPrivilege  4920  powershell.exe
Token: SeSystemEnvironmentPrivilege  3720  csrss.exe
Token: SeSecurityPrivilege  1380  sc.exe
Token: SeSecurityPrivilege  1380  sc.exe
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
description  pid  process  target process
PID 624 wrote to memory of 3324  624  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe  powershell.exe
PID 624 wrote to memory of 3324  624  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe  powershell.exe
PID 624 wrote to memory of 3324  624  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe  powershell.exe
PID 3368 wrote to memory of 4720  3368  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe  powershell.exe
PID 3368 wrote to memory of 4720  3368  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe  powershell.exe
PID 3368 wrote to memory of 4720  3368  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe  powershell.exe
PID 3368 wrote to memory of 1484  3368  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe  cmd.exe
PID 3368 wrote to memory of 1484  3368  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe  cmd.exe
PID 1484 wrote to memory of 1944  1484  cmd.exe  netsh.exe
PID 1484 wrote to memory of 1944  1484  cmd.exe  netsh.exe
PID 3368 wrote to memory of 2400  3368  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe  powershell.exe
PID 3368 wrote to memory of 2400  3368  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe  powershell.exe
PID 3368 wrote to memory of 2400  3368  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe  powershell.exe
PID 3368 wrote to memory of 3628  3368  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe  powershell.exe
PID 3368 wrote to memory of 3628  3368  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe  powershell.exe
PID 3368 wrote to memory of 3628  3368  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe  powershell.exe
PID 3368 wrote to memory of 3720  3368  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe  csrss.exe
PID 3368 wrote to memory of 3720  3368  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe  csrss.exe
PID 3368 wrote to memory of 3720  3368  c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe  csrss.exe
PID 3720 wrote to memory of 624  3720  csrss.exe  powershell.exe
PID 3720 wrote to memory of 624  3720  csrss.exe  powershell.exe
PID 3720 wrote to memory of 624  3720  csrss.exe  powershell.exe
PID 3720 wrote to memory of 4936  3720  csrss.exe  powershell.exe
PID 3720 wrote to memory of 4936  3720  csrss.exe  powershell.exe
PID 3720 wrote to memory of 4936  3720  csrss.exe  powershell.exe
PID 3720 wrote to memory of 4920  3720  csrss.exe  powershell.exe
PID 3720 wrote to memory of 4920  3720  csrss.exe  powershell.exe
PID 3720 wrote to memory of 4920  3720  csrss.exe  powershell.exe
PID 3720 wrote to memory of 2400  3720  csrss.exe  injector.exe
PID 3720 wrote to memory of 2400  3720  csrss.exe  injector.exe
PID 1056 wrote to memory of 620  1056  windefender.exe  cmd.exe
PID 1056 wrote to memory of 620  1056  windefender.exe  cmd.exe
PID 1056 wrote to memory of 620  1056  windefender.exe  cmd.exe
PID 620 wrote to memory of 1380  620  cmd.exe  sc.exe
PID 620 wrote to memory of 1380  620  cmd.exe  sc.exe
PID 620 wrote to memory of 1380  620  cmd.exe  sc.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 624
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: powershell -nologo -noprofile
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3324
  C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018.exe"
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 3368
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: powershell -nologo -noprofile
      - Drops file in System32 directory
      - Command and Scripting Interpreter: PowerShell
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4720
    C:\Windows\system32\cmd.exe (depth 3)
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      - Suspicious use of WriteProcessMemory
      PID: 1484
      C:\Windows\system32\netsh.exe (depth 4)
        Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        - Modifies Windows Firewall
        PID: 1944
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: powershell -nologo -noprofile
      - Drops file in System32 directory
      - Command and Scripting Interpreter: PowerShell
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2400
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: powershell -nologo -noprofile
      - Drops file in System32 directory
      - Command and Scripting Interpreter: PowerShell
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3628
    C:\Windows\rss\csrss.exe (depth 3)
      Command line: C:\Windows\rss\csrss.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Manipulates WinMonFS driver.
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 3720
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 624
      C:\Windows\SYSTEM32\schtasks.exe (depth 4)
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        - Creates scheduled task(s)
        PID: 3664
      C:\Windows\SYSTEM32\schtasks.exe (depth 4)
        Command line: schtasks /delete /tn ScheduledUpdate /f
        PID: 2456
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4936
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4920
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        PID: 2400
      C:\Windows\SYSTEM32\schtasks.exe (depth 4)
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        - Creates scheduled task(s)
        PID: 3496
      C:\Windows\windefender.exe (depth 4)
        Command line: "C:\Windows\windefender.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 1056
        C:\Windows\SysWOW64\cmd.exe (depth 5)
          Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
          - Suspicious use of WriteProcessMemory
          PID: 620
          C:\Windows\SysWOW64\sc.exe (depth 6)
            Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            - Launches sc.exe
            - Suspicious use of AdjustPrivilegeToken
            PID: 1380
-
C:\Windows\windefender.exe (depth 1)
  Command line: C:\Windows\windefender.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 4912
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Downloads
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 281KB
MD5: d98e33b66343e7c96158444127a117f6
SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: 968cb9309758126772781b83adb8a28f
SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: b4fc2884a194b008349d6f27f5e044fc
SHA1: 8bd82b3f9e563e18b59820c576846d7c838e5de8
SHA256: b219121b7fa480c9ec7263b67055778a94935af4c8b801b7e2a395d738724b74
SHA512: 88d8a071c34f83d04f6154330332ad606068375d53819a1f6e33eec3778e91da4070a8bd697bae8d77c13e0712c099f969263840593f6e86f7741b87b49ba6d9
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: ee1c0bf47685335e860b8a74ed380185
SHA1: 8fa1f905fcb3e9ad9930b4fd4fd3672dd0275609
SHA256: 8bf8ef5c83fca533435d9309dbe38840b240ece06b44df2b16f6ffe7ed7ad936
SHA512: 454c7d2b8c997d47b8906a791df21f2c2bdea2e2f8d87ba388484891ef5a95fab22b06e1e8ed671ea982e83ff56af6fdfa83bbc488c469b275d4eb0496598d9d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: bac6286fe139b6a894d58046f9b0461a
SHA1: c8ce297a8279b6d4a4df14bdf392486b8f70f977
SHA256: d5fcc15a82959460c944ae1fda297a9f96e0a7d4fa751b8df773ed4da779d0d0
SHA512: 1b0420723ce58580b2c633339600d4f4801b019039bc26ed1a6a709861d02ad0e86ecd61c4c80de5bd45a52db8a020a9ae161126117eb837573bf7adee0e6df4
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 86df66b0d8992ed52074cbb15f7a35f1
SHA1: c6e00e1be01f63b050a8d83fe7de4c43f262bbdf
SHA256: 1da5827c0d59830c3aa5b9d8ffed9c950d16037188f00b00c84c7b4284a2b780
SHA512: d10507e687d15533ab31509a66082d93fc5e942a7f21fb17f077b9526ed1d61df92f14e2f0bce31e2322e120779a5a6c6a5a24f729216124e43e61dd9cc06996
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 74a5a5c2c1d4b21077f2bf1cc0d9cb22
SHA1: c8b797911f479d3c97083ea0f5d4269334fcb742
SHA256: 1c4e5df1588012dd2e008809690b0b17de2a835cccda5979ef0bfd0b92265902
SHA512: 2cbfeb075698d631d87a4b1609bf0f280165d77538015a3c975686a6e8dc10c4bd03ae65f86e7a353a3189ada2c7cdbb9ea24bd92a2c65a1b236b97b8c07fd80
-
Filesize: 4.1MB
MD5: 52d69906fb9fedeccf7954d25b3d468c
SHA1: 4d3b05ff2be98f0ccc15f3c222f0e0c08124e27d
SHA256: c2d3038817a10ea9ad45b08676a58f7d29bdde72c748da5e34df131e53c8f018
SHA512: 9c9ffc709779fa123cd93bc78b5cc0c51f21759f2244df2a296908185182ec005fc25de582818eb70290701fd77df75187c8f849070e8a483c10c44803e1e55f
-
Filesize: 2.0MB
MD5: 8e67f58837092385dcf01e8a2b4f5783
SHA1: 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256: 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512: 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec