Analysis
max time kernel: 149s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 17-05-2024 15:30

Static task: static1
Behavioral task: behavioral1
Sample: 144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe
Resource: win10v2004-20240426-en
General
Target: 144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe
Size: 4.1MB
MD5: da57e4cfdacfc7c09fee333949a64997
SHA1: 14fe352185eb6fb12fb20a103c2a118230dab52d
SHA256: 144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028
SHA512: aec750592d703509b7173b4660fe5d8f1c66a0f746d4c135f223cd4ad56ade3e52cece93b8d0532e6cb91945640c221bed935241bade05bd24cf49867cdd6a7b
SSDEEP: 98304:vQx32Mq02zAeaet/0/YHlEVnWsL/fnVsJseCa8CK6QwXNx08FP:4x32Mq02zAeLCVnWszfVfeCa8CLXv/1
Malware Config
Signatures
Glupteba payload 19 IoCs
resource  yara_rule
behavioral2/memory/3572-2-0x0000000004D60000-0x000000000564B000-memory.dmp  family_glupteba
behavioral2/memory/3572-3-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
behavioral2/memory/3572-24-0x0000000000400000-0x0000000002B0D000-memory.dmp  family_glupteba
behavioral2/memory/3572-55-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
behavioral2/memory/3572-56-0x0000000004D60000-0x000000000564B000-memory.dmp  family_glupteba
behavioral2/memory/3572-54-0x0000000000400000-0x0000000002B0D000-memory.dmp  family_glupteba
behavioral2/memory/3900-57-0x0000000000400000-0x0000000002B0D000-memory.dmp  family_glupteba
behavioral2/memory/3900-125-0x0000000000400000-0x0000000002B0D000-memory.dmp  family_glupteba
behavioral2/memory/3900-130-0x0000000000400000-0x0000000002B0D000-memory.dmp  family_glupteba
behavioral2/memory/560-202-0x0000000000400000-0x0000000002B0D000-memory.dmp  family_glupteba
behavioral2/memory/560-205-0x0000000000400000-0x0000000002B0D000-memory.dmp  family_glupteba
behavioral2/memory/560-216-0x0000000000400000-0x0000000002B0D000-memory.dmp  family_glupteba
behavioral2/memory/560-224-0x0000000000400000-0x0000000002B0D000-memory.dmp  family_glupteba
behavioral2/memory/560-232-0x0000000000400000-0x0000000002B0D000-memory.dmp  family_glupteba
behavioral2/memory/560-240-0x0000000000400000-0x0000000002B0D000-memory.dmp  family_glupteba
behavioral2/memory/560-248-0x0000000000400000-0x0000000002B0D000-memory.dmp  family_glupteba
behavioral2/memory/560-256-0x0000000000400000-0x0000000002B0D000-memory.dmp  family_glupteba
behavioral2/memory/560-264-0x0000000000400000-0x0000000002B0D000-memory.dmp  family_glupteba
behavioral2/memory/560-272-0x0000000000400000-0x0000000002B0D000-memory.dmp  family_glupteba
Modifies Windows Firewall 2 TTPs 1 IoCs
pid  Process
2436  netsh.exe

Executes dropped EXE 1 IoCs
pid  Process
560  csrss.exe

resource  yara_rule
behavioral2/memory/484-212-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
behavioral2/memory/4360-213-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
behavioral2/memory/484-215-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
behavioral2/memory/4360-223-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
behavioral2/memory/4360-239-0x0000000000400000-0x00000000008DF000-memory.dmp  upx

Adds Run key to start application 2 TTPs 2 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""  csrss.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory 7 IoCs
description  ioc  Process
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
File created  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
File created  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log  powershell.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description  ioc  Process
File opened (read-only)  \??\VBoxMiniRdrDN  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe

Drops file in Windows directory 2 IoCs
description  ioc  Process
File opened for modification  C:\Windows\rss  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe
File created  C:\Windows\rss\csrss.exe  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid  Process
1412  sc.exe

pid  Process
3128  powershell.exe
2292  powershell.exe
4616  powershell.exe
2616  powershell.exe
2560  powershell.exe
3688  powershell.exe
3352  powershell.exe

Program crash 1 IoCs
pid  pid_target  Process  procid_target
4816  3572  WerFault.exe  79

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
1352  schtasks.exe
3256  schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time"  windefender.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople  powershell.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time"  windefender.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time"  windefender.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust  powershell.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-362 = "GTB Standard Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-302 = "Romance Standard Time"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time"  windefender.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs  powershell.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"  windefender.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process  (identical rows collapsed, count shown)
2560  powershell.exe  (x2)
3572  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe  (x2)
3688  powershell.exe  (x2)
3900  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe  (x10)
3352  powershell.exe  (x2)
3128  powershell.exe  (x2)
2292  powershell.exe  (x2)
4616  powershell.exe  (x2)
2616  powershell.exe  (x2)
2160  injector.exe  (x38)
Suspicious use of AdjustPrivilegeToken 11 IoCs
description  pid  Process
Token: SeDebugPrivilege  2560  powershell.exe
Token: SeDebugPrivilege  3572  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe
Token: SeImpersonatePrivilege  3572  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe
Token: SeDebugPrivilege  3688  powershell.exe
Token: SeDebugPrivilege  3352  powershell.exe
Token: SeDebugPrivilege  3128  powershell.exe
Token: SeDebugPrivilege  2292  powershell.exe
Token: SeDebugPrivilege  4616  powershell.exe
Token: SeDebugPrivilege  2616  powershell.exe
Token: SeSecurityPrivilege  1412  sc.exe
Token: SeSecurityPrivilege  1412  sc.exe
Suspicious use of WriteProcessMemory 25 IoCs
description  pid  Process  procid_target  (identical rows collapsed, count shown)
PID 3572 wrote to memory of 2560  3572  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe  82  (x3)
PID 3900 wrote to memory of 3688  3900  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe  90  (x3)
PID 3900 wrote to memory of 3616  3900  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe  92  (x2)
PID 3616 wrote to memory of 2436  3616  cmd.exe  94  (x2)
PID 3900 wrote to memory of 3352  3900  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe  95  (x3)
PID 3900 wrote to memory of 3128  3900  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe  97  (x3)
PID 3900 wrote to memory of 560  3900  144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe  99  (x3)
PID 484 wrote to memory of 2392  484  windefender.exe  116  (x3)
PID 2392 wrote to memory of 1412  2392  cmd.exe  117  (x3)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(tree depth shown in brackets; "cmd:" is the recorded command line)

[1] C:\Users\Admin\AppData\Local\Temp\144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe  PID:3572
    cmd: "C:\Users\Admin\AppData\Local\Temp\144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID:2560
        cmd: powershell -nologo -noprofile
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Users\Admin\AppData\Local\Temp\144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe  PID:3900
        cmd: "C:\Users\Admin\AppData\Local\Temp\144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028.exe"
        - Adds Run key to start application
        - Checks for VirtualBox DLLs, possible anti-VM trick
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID:3688
            cmd: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Command and Scripting Interpreter: PowerShell
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\system32\cmd.exe  PID:3616
            cmd: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\netsh.exe  PID:2436
                cmd: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                - Modifies Windows Firewall
        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID:3352
            cmd: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Command and Scripting Interpreter: PowerShell
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID:3128
            cmd: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Command and Scripting Interpreter: PowerShell
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\rss\csrss.exe  PID:560
            cmd: C:\Windows\rss\csrss.exe
            - Executes dropped EXE
            - Adds Run key to start application
            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID:2292
                cmd: powershell -nologo -noprofile
                - Drops file in System32 directory
                - Command and Scripting Interpreter: PowerShell
                - Modifies data under HKEY_USERS
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\SYSTEM32\schtasks.exe  PID:1352
                cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                - Creates scheduled task(s)
            [4] C:\Windows\SYSTEM32\schtasks.exe  PID:3036
                cmd: schtasks /delete /tn ScheduledUpdate /f
            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID:4616
                cmd: powershell -nologo -noprofile
                - Drops file in System32 directory
                - Command and Scripting Interpreter: PowerShell
                - Modifies data under HKEY_USERS
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID:2616
                cmd: powershell -nologo -noprofile
                - Drops file in System32 directory
                - Command and Scripting Interpreter: PowerShell
                - Modifies data under HKEY_USERS
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            [4] C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe  PID:2160
                cmd: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                - Suspicious behavior: EnumeratesProcesses
            [4] C:\Windows\SYSTEM32\schtasks.exe  PID:3256
                cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                - Creates scheduled task(s)
            [4] C:\Windows\windefender.exe  PID:484
                cmd: "C:\Windows\windefender.exe"
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\cmd.exe  PID:2392
                    cmd: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                    - Suspicious use of WriteProcessMemory
                    [6] C:\Windows\SysWOW64\sc.exe  PID:1412
                        cmd: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                        - Launches sc.exe
                        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\WerFault.exe  PID:4816
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 660
        - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe  PID:3752
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3572 -ip 3572

[1] C:\Windows\windefender.exe  PID:4360
    cmd: C:\Windows\windefender.exe
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: ac4917a885cf6050b1a483e4bc4d2ea5
SHA1: b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256: e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512: 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 1f08fb661ae6eafe167709ee6c653cb6
SHA1: 4178369d5fef50c78dbf3faa3f109de2e4d6f1aa
SHA256: 67a4444433581ea70bfad4554dcf7316bcdccf2c1290c268c17c5ccca2f03e6b
SHA512: ea8195fe2ebc84876b5a82e520db6bc0429a6a3bcf4dfc7f556c83dcc6211879f9d65dd770235aee68545c568060617c4d5fce1fdf49c7a221424d6abd0de5e2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 8211cfab93bd59b7dd4b51fff02c4d2d
SHA1: b87bfaab232a6811ae2ac2bebae580587cd82674
SHA256: d6cee5b469bd89a9e62b9fae1e676f495f7ed41dc14821fa7ec3cb50b70d4e45
SHA512: e86583135f24f46b8211c23e75a71c53c60ea56ab2b979e234e2fb8ce1021f728155925877af39848024d1f17a82a59bab39210e486b54748735fcb522ff06fb

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 4b1941884f2235953a95d60a71cc25e2
SHA1: e634ce3cee4132c8554b6a20c06730bae1044e35
SHA256: 36036cdd5389cae295d3f73cde92b201a9bf2b3340b6061625e1bb073ba9aba4
SHA512: b28970f84bc89eb919975dc3459be0bf31e2c654aa24ba5f7aa6985382c00e1232f37b5ec82f762e89125f4cc7c3dd299c36c9b18351e5220119a612c35c949d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 049c03a4418b8269d00bdc71541fbcc2
SHA1: 7fab091cceb1d6007f65fb1d4378b4f5f4736f22
SHA256: c9e96dd5ef91e17c9a820132bee473bed790a3bc5b5d742830b232c7a22a620c
SHA512: 33ec57975ec1b97069cab1156595275426437143a5451cffe9c8d5ffe0016a5f230bfc41088d4f2199e6ad55205af162e46ce0f6e9dd4194a556770b415ec6b1

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 42ab85c52e5ad559584530da6f6d8453
SHA1: 8ebc46ee47263604b45702a0e30cfe951bde0cf4
SHA256: 15e4c1e5c02e7bb9a5fc37867d5caf7aa293efece6dfa3b4339524a21b9b7624
SHA512: d945c1ec05b2d0749a9529d437d04cbc50959555c07c48c651a0e3646127a23ea75567fba17fb3087ffe18aa66db0c6ada4aec390fdf436664a7dc65c5f42a69

Filesize: 4.1MB
MD5: da57e4cfdacfc7c09fee333949a64997
SHA1: 14fe352185eb6fb12fb20a103c2a118230dab52d
SHA256: 144506f4b81d7f56225ac49ff447c49a56b48f943a3a880b0e83f96caae21028
SHA512: aec750592d703509b7173b4660fe5d8f1c66a0f746d4c135f223cd4ad56ade3e52cece93b8d0532e6cb91945640c221bed935241bade05bd24cf49867cdd6a7b