Analysis
-
max time kernel
8s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
19-05-2024 21:46
Static task
static1
Behavioral task
behavioral1
Sample
b4ade72173ddae15fcabe3a5720112babee2841ecaa90813bde64fa56b3c5f58.exe
Resource
win10v2004-20240426-en
General
-
Target
b4ade72173ddae15fcabe3a5720112babee2841ecaa90813bde64fa56b3c5f58.exe
-
Size
4.1MB
-
MD5
161b02801a39c90c3f73f72e3f11d8f2
-
SHA1
c4a28ff1aedf0f95707ac8fa54ae90e8bba0838e
-
SHA256
b4ade72173ddae15fcabe3a5720112babee2841ecaa90813bde64fa56b3c5f58
-
SHA512
6d35184d5343ef4302bbf78e6d716ccf6d0b131dd0f86fe2d5a8bf266e7f019e3bce1970057fd3b2641328ccf618a8ea369c75a116eccc16a476dfe5879167c5
-
SSDEEP
98304:kX33DbWGkLHuFK+TwQmBC6reQ4TTNXYvI8KgvjrB0rN:kXPWAwQyCdJYw8KggN
Malware Config
Signatures
-
Glupteba payload 18 IoCs
Processes:
resource  yara_rule
- behavioral1/memory/952-2-0x00000000049A0000-0x000000000528B000-memory.dmp  family_glupteba
- behavioral1/memory/952-3-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
- behavioral1/memory/952-96-0x00000000049A0000-0x000000000528B000-memory.dmp  family_glupteba
- behavioral1/memory/952-94-0x0000000000400000-0x0000000002733000-memory.dmp  family_glupteba
- behavioral1/memory/952-160-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
- behavioral1/memory/4108-159-0x0000000000400000-0x0000000002733000-memory.dmp  family_glupteba
- behavioral1/memory/2592-216-0x0000000000400000-0x0000000002733000-memory.dmp  family_glupteba
- behavioral1/memory/2592-227-0x0000000000400000-0x0000000002733000-memory.dmp  family_glupteba
- behavioral1/memory/2592-231-0x0000000000400000-0x0000000002733000-memory.dmp  family_glupteba
- behavioral1/memory/2592-235-0x0000000000400000-0x0000000002733000-memory.dmp  family_glupteba
- behavioral1/memory/2592-239-0x0000000000400000-0x0000000002733000-memory.dmp  family_glupteba
- behavioral1/memory/2592-243-0x0000000000400000-0x0000000002733000-memory.dmp  family_glupteba
- behavioral1/memory/2592-247-0x0000000000400000-0x0000000002733000-memory.dmp  family_glupteba
- behavioral1/memory/2592-251-0x0000000000400000-0x0000000002733000-memory.dmp  family_glupteba
- behavioral1/memory/2592-255-0x0000000000400000-0x0000000002733000-memory.dmp  family_glupteba
- behavioral1/memory/2592-259-0x0000000000400000-0x0000000002733000-memory.dmp  family_glupteba
- behavioral1/memory/2592-263-0x0000000000400000-0x0000000002733000-memory.dmp  family_glupteba
- behavioral1/memory/2592-267-0x0000000000400000-0x0000000002733000-memory.dmp  family_glupteba
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
pid  Process
- 4484  netsh.exe
-
Processes:
resource  yara_rule
- behavioral1/files/0x00070000000234a7-220.dat  upx
- behavioral1/memory/404-222-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
- behavioral1/memory/220-225-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
- behavioral1/memory/404-224-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
- behavioral1/memory/220-230-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
- behavioral1/memory/220-238-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid  Process
- 2348  sc.exe
-
Command and Scripting Interpreter: PowerShell
Processes:
pid  Process
- 4040  powershell.exe
- 4780  powershell.exe
- 4908  powershell.exe
- 2404  powershell.exe
- 4448  powershell.exe
- 2688  powershell.exe
- 2976  powershell.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid  Process
- 4860  schtasks.exe
- 4092  schtasks.exe
-
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid  Process
- 2688  powershell.exe
- 2688  powershell.exe
- 952  b4ade72173ddae15fcabe3a5720112babee2841ecaa90813bde64fa56b3c5f58.exe
- 952  b4ade72173ddae15fcabe3a5720112babee2841ecaa90813bde64fa56b3c5f58.exe
- 2976  powershell.exe
- 2976  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description  pid  Process
- Token: SeDebugPrivilege  2688  powershell.exe
- Token: SeDebugPrivilege  952  b4ade72173ddae15fcabe3a5720112babee2841ecaa90813bde64fa56b3c5f58.exe
- Token: SeImpersonatePrivilege  952  b4ade72173ddae15fcabe3a5720112babee2841ecaa90813bde64fa56b3c5f58.exe
- Token: SeDebugPrivilege  2976  powershell.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description  pid  Process  procid_target
- PID 952 wrote to memory of 2688  952  b4ade72173ddae15fcabe3a5720112babee2841ecaa90813bde64fa56b3c5f58.exe  84
- PID 952 wrote to memory of 2688  952  b4ade72173ddae15fcabe3a5720112babee2841ecaa90813bde64fa56b3c5f58.exe  84
- PID 952 wrote to memory of 2688  952  b4ade72173ddae15fcabe3a5720112babee2841ecaa90813bde64fa56b3c5f58.exe  84
- PID 4108 wrote to memory of 2976  4108  b4ade72173ddae15fcabe3a5720112babee2841ecaa90813bde64fa56b3c5f58.exe  95
- PID 4108 wrote to memory of 2976  4108  b4ade72173ddae15fcabe3a5720112babee2841ecaa90813bde64fa56b3c5f58.exe  95
- PID 4108 wrote to memory of 2976  4108  b4ade72173ddae15fcabe3a5720112babee2841ecaa90813bde64fa56b3c5f58.exe  95
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\b4ade72173ddae15fcabe3a5720112babee2841ecaa90813bde64fa56b3c5f58.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b4ade72173ddae15fcabe3a5720112babee2841ecaa90813bde64fa56b3c5f58.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 952

    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2688

    [2] C:\Users\Admin\AppData\Local\Temp\b4ade72173ddae15fcabe3a5720112babee2841ecaa90813bde64fa56b3c5f58.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\b4ade72173ddae15fcabe3a5720112babee2841ecaa90813bde64fa56b3c5f58.exe"
        - Modifies data under HKEY_USERS
        - Suspicious use of WriteProcessMemory
        PID: 4108

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -nologo -noprofile
            - Command and Scripting Interpreter: PowerShell
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2976

        [3] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            PID: 208

            [4] C:\Windows\system32\netsh.exe
                Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                - Modifies Windows Firewall
                PID: 4484

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -nologo -noprofile
            - Command and Scripting Interpreter: PowerShell
            PID: 4040

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -nologo -noprofile
            - Command and Scripting Interpreter: PowerShell
            PID: 4780

        [3] C:\Windows\rss\csrss.exe
            Command line: C:\Windows\rss\csrss.exe
            PID: 2592

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -nologo -noprofile
                - Command and Scripting Interpreter: PowerShell
                PID: 4908

            [4] C:\Windows\SYSTEM32\schtasks.exe
                Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                - Creates scheduled task(s)
                PID: 4092

            [4] C:\Windows\SYSTEM32\schtasks.exe
                Command line: schtasks /delete /tn ScheduledUpdate /f
                PID: 1656

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -nologo -noprofile
                - Command and Scripting Interpreter: PowerShell
                PID: 2404

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -nologo -noprofile
                - Command and Scripting Interpreter: PowerShell
                PID: 4448

            [4] C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                PID: 2104

            [4] C:\Windows\SYSTEM32\schtasks.exe
                Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                - Creates scheduled task(s)
                PID: 4860

            [4] C:\Windows\windefender.exe
                Command line: "C:\Windows\windefender.exe"
                PID: 404

                [5] C:\Windows\SysWOW64\cmd.exe
                    Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                    PID: 388

                    [6] C:\Windows\SysWOW64\sc.exe
                        Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                        - Launches sc.exe
                        PID: 2348

[1] C:\Windows\windefender.exe
    Command line: C:\Windows\windefender.exe
    PID: 220
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
281KB
MD5
d98e33b66343e7c96158444127a117f6
SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB
MD5
968cb9309758126772781b83adb8a28f
SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB
MD5
393d72e966be3e080297b75829c0edc8
SHA1
06ae92a23a7abbf0ba32315c51a4e2d0ae033d4e
SHA256
68659f37445e0878fd8b46dd88fd5c78140db3ac90517c81f69a0ac0c4431ea5
SHA512
e21cb94c0964abc8b4942db1cf73156ab46638c31166886022ba55b0a28d5e12eb9cd5a8031c4a345e4a65367905a89108c5c0e211e95c3f52028d8230c5d1ed
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB
MD5
adbc7127a2bd0d0c9ebde2dc08957d84
SHA1
25f0a19f24fc9f8974e9c98d6004f6bb9ab7b580
SHA256
2c3ca24035bbbb21243ba8187f3018924e824ea9b56c2b59a5b213b883ad2615
SHA512
c79636012b6386d187dd8b5f5cd53e46843dd70019629420b1d53483b1ce712bbb69d795208f0e53e0360f6364b18ddfb2111eebf38f1785c26725ff789a5531
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB
MD5
4c7b97c4b28677c44dca2a4d6978c321
SHA1
15ca03b615f88dc794052141f950bfbca7287a17
SHA256
ad4cac0f66e5bc1eab8356757b08038449f58058312906aed2a43ec34182b639
SHA512
f1982f21524b0fc189d978a3c9666a6748da6d19d9df68bb3dceb7d8f1a9506965d14b488cad42613df3299c6c73979d6ef18169e202212f49a9f0e1c5c20fb8
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB
MD5
54f294ac65f11c9d4f8ec6b640a1aac4
SHA1
25cc62943752da321568a25bce64e3b1485504c4
SHA256
8ef443115a896a55bbc29bbfe7eda245706192c136b4be12b2ef1864101e1340
SHA512
11e21704db5aed8aafc6ef5bd48938262d48af656f4048964bd8c3014b9050d6dc15c0a33c0612ec03d02385965a9d97f7f27d7418173d1db185b67178f48837
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB
MD5
cbdffcfc314f06763144ffd78475aef0
SHA1
7c375cf19fe5ce8f6b7f68df97a55240ea6cfdfd
SHA256
24dd0a0af3c37b3fddd93cd9e7668a858798cca1861091d7bd4ea3ca32934e2a
SHA512
1e2941548ae307d4e497d30ac7357e3bccaed0285c140c94c337fdbaf74ebef84851ed237c330ae61a0249d9ca0368c9f386bdaddfc9e08921963c1864ef9689
-
Filesize
4.1MB
MD5
161b02801a39c90c3f73f72e3f11d8f2
SHA1
c4a28ff1aedf0f95707ac8fa54ae90e8bba0838e
SHA256
b4ade72173ddae15fcabe3a5720112babee2841ecaa90813bde64fa56b3c5f58
SHA512
6d35184d5343ef4302bbf78e6d716ccf6d0b131dd0f86fe2d5a8bf266e7f019e3bce1970057fd3b2641328ccf618a8ea369c75a116eccc16a476dfe5879167c5
-
Filesize
2.0MB
MD5
8e67f58837092385dcf01e8a2b4f5783
SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec