Overview

overview

10

Static

static

1

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/05/2024, 11:24 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b4b058688f1dcc66932a8b15c5039dd1426521cd02a746850bb9ce9adf55e7a6.exe

  • Size

    4.1MB

  • MD5

    809d48296919decb9e35f37b81569f62

  • SHA1

    2f0f4c33547ec7f403cbbe7eb58a0fabc28b5ead

  • SHA256

    b4b058688f1dcc66932a8b15c5039dd1426521cd02a746850bb9ce9adf55e7a6

  • SHA512

    05157c49a30084d497d01820c53f2b252931ea2f5a30a24424274bf94d787e93868132be78b0295006c3a8a3aadd7141b43769dd2aab4f1866a730cb1405af9b

  • SSDEEP

    98304:1H+PiUxpnK5pcCD6RLXH4DRMjOnEmJ5mWZ44js55cU5wvI2r:1H+PiSfw6Rz4ejOEAZ44S5J5ww2r

Score
10/10
gluptebadiscoverydropperevasionexecutionloaderpersistencerootkitupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 20 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

    execution
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4b058688f1dcc66932a8b15c5039dd1426521cd02a746850bb9ce9adf55e7a6.exe
    "C:\Users\Admin\AppData\Local\Temp\b4b058688f1dcc66932a8b15c5039dd1426521cd02a746850bb9ce9adf55e7a6.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3604
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1732
    • C:\Users\Admin\AppData\Local\Temp\b4b058688f1dcc66932a8b15c5039dd1426521cd02a746850bb9ce9adf55e7a6.exe
      "C:\Users\Admin\AppData\Local\Temp\b4b058688f1dcc66932a8b15c5039dd1426521cd02a746850bb9ce9adf55e7a6.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4472
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3008
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:916
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:4424
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3644
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1472
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:816
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3412
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:2476
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:3140
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2448
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:264
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:4920
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:4684
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1088
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:5044
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:2396
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3936 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:3436
      • C:\Windows\windefender.exe
        C:\Windows\windefender.exe
        1⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        PID:3644

      Network

      • flag-us
        DNS
        79.121.231.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        79.121.231.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        79.121.231.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        79.121.231.20.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        28.118.140.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        28.118.140.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        91.90.14.23.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        91.90.14.23.in-addr.arpa
        IN PTR
        Response
        91.90.14.23.in-addr.arpa
        IN PTR
        a23-14-90-91deploystaticakamaitechnologiescom
      • flag-us
        DNS
        71.159.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        71.159.190.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        95.221.229.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        95.221.229.192.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        76.234.34.23.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        76.234.34.23.in-addr.arpa
        IN PTR
        Response
        76.234.34.23.in-addr.arpa
        IN PTR
        a23-34-234-76deploystaticakamaitechnologiescom
      • flag-us
        DNS
        86.23.85.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        86.23.85.13.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        171.39.242.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        171.39.242.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        171.39.242.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        171.39.242.20.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        232.168.11.51.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        232.168.11.51.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        232.168.11.51.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        232.168.11.51.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        232.168.11.51.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        232.168.11.51.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        209.205.72.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        209.205.72.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        209.205.72.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        209.205.72.20.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        dedbdb5a-5913-46fa-a060-e2f2a849d65f.uuid.datadumpcloud.org
        csrss.exe
        Remote address:
        8.8.8.8:53
        Request
        dedbdb5a-5913-46fa-a060-e2f2a849d65f.uuid.datadumpcloud.org
        IN TXT
        Response
      • flag-us
        DNS
        dedbdb5a-5913-46fa-a060-e2f2a849d65f.uuid.datadumpcloud.org
        csrss.exe
        Remote address:
        8.8.8.8:53
        Request
        dedbdb5a-5913-46fa-a060-e2f2a849d65f.uuid.datadumpcloud.org
        IN TXT
      • flag-us
        DNS
        172.210.232.199.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        172.210.232.199.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        172.210.232.199.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        172.210.232.199.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        172.210.232.199.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        172.210.232.199.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        241.150.49.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        241.150.49.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        stun2.l.google.com
        csrss.exe
        Remote address:
        8.8.8.8:53
        Request
        stun2.l.google.com
        IN A
        Response
        stun2.l.google.com
        IN A
        74.125.250.129
      • flag-us
        DNS
        cdn.discordapp.com
        csrss.exe
        Remote address:
        8.8.8.8:53
        Request
        cdn.discordapp.com
        IN A
        Response
        cdn.discordapp.com
        IN A
        162.159.129.233
        cdn.discordapp.com
        IN A
        162.159.134.233
        cdn.discordapp.com
        IN A
        162.159.135.233
        cdn.discordapp.com
        IN A
        162.159.133.233
        cdn.discordapp.com
        IN A
        162.159.130.233
      • flag-us
        DNS
        cdn.discordapp.com
        csrss.exe
        Remote address:
        8.8.8.8:53
        Request
        cdn.discordapp.com
        IN A
      • flag-us
        DNS
        server8.datadumpcloud.org
        csrss.exe
        Remote address:
        8.8.8.8:53
        Request
        server8.datadumpcloud.org
        IN A
        Response
        server8.datadumpcloud.org
        IN A
        185.82.216.104
      • flag-us
        DNS
        129.250.125.74.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        129.250.125.74.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        233.129.159.162.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        233.129.159.162.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        233.129.159.162.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        233.129.159.162.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        carsalessystem.com
        csrss.exe
        Remote address:
        8.8.8.8:53
        Request
        carsalessystem.com
        IN A
        Response
        carsalessystem.com
        IN A
        104.21.94.82
        carsalessystem.com
        IN A
        172.67.221.71
      • flag-us
        DNS
        104.216.82.185.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        104.216.82.185.in-addr.arpa
        IN PTR
        Response
        104.216.82.185.in-addr.arpa
        IN PTR
        dedic-mariadebommarez-1201693hosted-by-itldccom
      • flag-us
        DNS
        82.94.21.104.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        82.94.21.104.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        29.243.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        29.243.111.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        26.73.42.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        26.73.42.20.in-addr.arpa
        IN PTR
        Response
      • 13.107.253.64:443
        46 B
         40 B
         1
        1
      • 172.217.169.74:443
        46 B
         40 B
         1
        1
      • 185.82.216.104:443
        server8.datadumpcloud.org
        tls
        csrss.exe
        2.1kB
         6.5kB
         19
        17
      • 162.159.129.233:443
        cdn.discordapp.com
        tls
        csrss.exe
        1.4kB
         5.2kB
         17
        15
      • 104.21.94.82:443
        carsalessystem.com
        tls
        csrss.exe
        91.4kB
         2.2MB
         1634
        1625
      • 185.82.216.104:443
        server8.datadumpcloud.org
        tls
        csrss.exe
        2.0kB
         6.1kB
         13
        15
      • 8.8.8.8:53
        79.121.231.20.in-addr.arpa
        dns
        144 B
         158 B
         2
        1

        DNS Request

        79.121.231.20.in-addr.arpa

        DNS Request

        79.121.231.20.in-addr.arpa

      • 8.8.8.8:53
        28.118.140.52.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        28.118.140.52.in-addr.arpa

      • 8.8.8.8:53
        91.90.14.23.in-addr.arpa
        dns
        70 B
         133 B
         1
        1

        DNS Request

        91.90.14.23.in-addr.arpa

      • 8.8.8.8:53
        71.159.190.20.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        71.159.190.20.in-addr.arpa

      • 8.8.8.8:53
        95.221.229.192.in-addr.arpa
        dns
        73 B
         144 B
         1
        1

        DNS Request

        95.221.229.192.in-addr.arpa

      • 8.8.8.8:53
        76.234.34.23.in-addr.arpa
        dns
        71 B
         135 B
         1
        1

        DNS Request

        76.234.34.23.in-addr.arpa

      • 8.8.8.8:53
        86.23.85.13.in-addr.arpa
        dns
        70 B
         144 B
         1
        1

        DNS Request

        86.23.85.13.in-addr.arpa

      • 8.8.8.8:53
        171.39.242.20.in-addr.arpa
        dns
        144 B
         158 B
         2
        1

        DNS Request

        171.39.242.20.in-addr.arpa

        DNS Request

        171.39.242.20.in-addr.arpa

      • 8.8.8.8:53
        232.168.11.51.in-addr.arpa
        dns
        216 B
         158 B
         3
        1

        DNS Request

        232.168.11.51.in-addr.arpa

        DNS Request

        232.168.11.51.in-addr.arpa

        DNS Request

        232.168.11.51.in-addr.arpa

      • 8.8.8.8:53
        209.205.72.20.in-addr.arpa
        dns
        144 B
         158 B
         2
        1

        DNS Request

        209.205.72.20.in-addr.arpa

        DNS Request

        209.205.72.20.in-addr.arpa

      • 8.8.8.8:53
        dedbdb5a-5913-46fa-a060-e2f2a849d65f.uuid.datadumpcloud.org
        dns
        csrss.exe
        210 B
         166 B
         2
        1

        DNS Request

        dedbdb5a-5913-46fa-a060-e2f2a849d65f.uuid.datadumpcloud.org

        DNS Request

        dedbdb5a-5913-46fa-a060-e2f2a849d65f.uuid.datadumpcloud.org

      • 8.8.8.8:53
        172.210.232.199.in-addr.arpa
        dns
        222 B
         128 B
         3
        1

        DNS Request

        172.210.232.199.in-addr.arpa

        DNS Request

        172.210.232.199.in-addr.arpa

        DNS Request

        172.210.232.199.in-addr.arpa

      • 8.8.8.8:53
        241.150.49.20.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        241.150.49.20.in-addr.arpa

      • 8.8.8.8:53
        stun2.l.google.com
        dns
        csrss.exe
        64 B
         80 B
         1
        1

        DNS Request

        stun2.l.google.com

        DNS Response

        74.125.250.129

      • 8.8.8.8:53
        cdn.discordapp.com
        dns
        csrss.exe
        128 B
         144 B
         2
        1

        DNS Request

        cdn.discordapp.com

        DNS Request

        cdn.discordapp.com

        DNS Response

        162.159.129.233
        162.159.134.233
        162.159.135.233
        162.159.133.233
        162.159.130.233

      • 8.8.8.8:53
        server8.datadumpcloud.org
        dns
        csrss.exe
        71 B
         87 B
         1
        1

        DNS Request

        server8.datadumpcloud.org

        DNS Response

        185.82.216.104

      • 74.125.250.129:19302
        stun2.l.google.com
        csrss.exe
        48 B
         60 B
         1
        1
      • 8.8.8.8:53
        129.250.125.74.in-addr.arpa
        dns
        73 B
         133 B
         1
        1

        DNS Request

        129.250.125.74.in-addr.arpa

      • 8.8.8.8:53
        233.129.159.162.in-addr.arpa
        dns
        148 B
         136 B
         2
        1

        DNS Request

        233.129.159.162.in-addr.arpa

        DNS Request

        233.129.159.162.in-addr.arpa

      • 8.8.8.8:53
        carsalessystem.com
        dns
        csrss.exe
        64 B
         96 B
         1
        1

        DNS Request

        carsalessystem.com

        DNS Response

        104.21.94.82
        172.67.221.71

      • 8.8.8.8:53
        104.216.82.185.in-addr.arpa
        dns
        73 B
         136 B
         1
        1

        DNS Request

        104.216.82.185.in-addr.arpa

      • 8.8.8.8:53
        82.94.21.104.in-addr.arpa
        dns
        71 B
         133 B
         1
        1

        DNS Request

        82.94.21.104.in-addr.arpa

      • 8.8.8.8:53
        29.243.111.52.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        29.243.111.52.in-addr.arpa

      • 8.8.8.8:53
        26.73.42.20.in-addr.arpa
        dns
        70 B
         156 B
         1
        1

        DNS Request

        26.73.42.20.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Scheduled Task/Job

      1
      T1053

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Scheduled Task/Job

      1
      T1053

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Scheduled Task/Job

      1
      T1053

      Defense Evasion

      Impair Defenses

      1
      T1562

      Disable or Modify System Firewall

      1
      T1562.004

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ums2skwl.rh4.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        Filesize

        281KB

        MD5

        d98e33b66343e7c96158444127a117f6

        SHA1

        bb716c5509a2bf345c6c1152f6e3e1452d39d50d

        SHA256

        5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

        SHA512

        705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

        Download Submit

      • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        3d086a433708053f9bf9523e1d87a4e8

        SHA1

        b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

        SHA256

        6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

        SHA512

        931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

        Download Submit

      • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
        Filesize

        19KB

        MD5

        0104ee414603640a3b8ca8ab2e3f991c

        SHA1

        bdfbedf327c80310df6a5bf0db2a77b822b93e85

        SHA256

        4c0839e9e32f5ef0b854ea4b732209e5af8edda1391ecc8a48ea495da942f4a2

        SHA512

        815a270b774f475cfd5d0b8918cc5c25fcfbdbe593ca97ac3dfe1a01650ed731493cf7b5217cced760fed879db06b5bdb6e95aff63d3ebcfcbc475557dfaf645

        Download Submit

      • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
        Filesize

        19KB

        MD5

        f5148045496517254b648d065ff1b4ba

        SHA1

        0481c6cb8d390b54eac8992560993597929c37dc

        SHA256

        760b485f3044ff470500743c08a75dc0d9285601285f668bbf23dee0dccb1f13

        SHA512

        5dc9d1d2a78468f084013e3578b1a40977930feaf24c0b8f4cc59aa71dfb9f9b749f2bebd3256a27d69f28245a5197826f474e4ded6f2e17fb00dc1ed454aee3

        Download Submit

      • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
        Filesize

        19KB

        MD5

        9ca8dba332bade25762b0bd49ff74e9c

        SHA1

        c354418ca7d23f4250899da381989dd5ffef06d2

        SHA256

        da5b2a102b807429f3ccc2b82b05a4e35362d7e540c2df13407980e0314d07c5

        SHA512

        10d07b72bd819ce938236e918bb67c4d0598cc7a54dd6dd65a16cd364835a92537d35972499a32cf10a5e18f19e7be30cb053c1a197b5916de7c913814fa07ec

        Download Submit

      • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
        Filesize

        19KB

        MD5

        a71a6c601040b592cb46ce52991a2992

        SHA1

        23ff4992810158117d9537a194c02080c0736bfe

        SHA256

        f9446e9cd8e882c325035a4af50bc2ba27afe11abff9905d44f52fc4e9dbba7b

        SHA512

        e6980029e93d4b9291135b46ba883eb905ee7a0d3d07be68bfa15b999b2e1aa67d04131c53caa7cbbf9d299e211427fad20415e548e81fc7640fdf68a3e1c18b

        Download Submit

      • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
        Filesize

        19KB

        MD5

        cc59610de5efa258c6bcf454de839a15

        SHA1

        9ced443ceea612ed584a1af3873c5c6bed5b08e3

        SHA256

        00384c58eb07520c1e698f6115d7963cb5415fbd1bd630ea1397ef65d19b2783

        SHA512

        5bad8e579d940b25db77cb22a7fbe272fd7cf324680a719500806cdf74c8d16cf04c4cf30edf4312c9a01db5a0c407fb7eecddbe52eac674c231f6ed54a5fb71

        Download Submit

      • C:\Windows\rss\csrss.exe
        Filesize

        4.1MB

        MD5

        809d48296919decb9e35f37b81569f62

        SHA1

        2f0f4c33547ec7f403cbbe7eb58a0fabc28b5ead

        SHA256

        b4b058688f1dcc66932a8b15c5039dd1426521cd02a746850bb9ce9adf55e7a6

        SHA512

        05157c49a30084d497d01820c53f2b252931ea2f5a30a24424274bf94d787e93868132be78b0295006c3a8a3aadd7141b43769dd2aab4f1866a730cb1405af9b

        Download Submit

      • C:\Windows\windefender.exe
        Filesize

        2.0MB

        MD5

        8e67f58837092385dcf01e8a2b4f5783

        SHA1

        012c49cfd8c5d06795a6f67ea2baf2a082cf8625

        SHA256

        166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

        SHA512

        40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

        Download Submit

      • memory/264-200-0x00000000058E0000-0x0000000005C34000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/264-211-0x0000000071320000-0x0000000071674000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/264-210-0x0000000070B70000-0x0000000070BBC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/816-247-0x0000000000400000-0x0000000002364000-memory.dmp

        Filesize

        31.4MB

        Download

      • memory/816-245-0x0000000000400000-0x0000000002364000-memory.dmp

        Filesize

        31.4MB

        Download

      • memory/816-209-0x0000000000400000-0x0000000002364000-memory.dmp

        Filesize

        31.4MB

        Download

      • memory/816-241-0x0000000000400000-0x0000000002364000-memory.dmp

        Filesize

        31.4MB

        Download

      • memory/816-239-0x0000000000400000-0x0000000002364000-memory.dmp

        Filesize

        31.4MB

        Download

      • memory/816-181-0x0000000000400000-0x0000000002364000-memory.dmp

        Filesize

        31.4MB

        Download

      • memory/816-227-0x0000000000400000-0x0000000002364000-memory.dmp

        Filesize

        31.4MB

        Download

      • memory/816-242-0x0000000000400000-0x0000000002364000-memory.dmp

        Filesize

        31.4MB

        Download

      • memory/816-237-0x0000000000400000-0x0000000002364000-memory.dmp

        Filesize

        31.4MB

        Download

      • memory/1088-236-0x0000000000400000-0x00000000008DF000-memory.dmp

        Filesize

        4.9MB

        Download

      • memory/1088-231-0x0000000000400000-0x00000000008DF000-memory.dmp

        Filesize

        4.9MB

        Download

      • memory/1472-125-0x0000000070E70000-0x00000000711C4000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/1472-124-0x0000000070CF0000-0x0000000070D3C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1732-23-0x00000000068D0000-0x00000000068EE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/1732-31-0x0000000007C80000-0x0000000007C9A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/1732-48-0x0000000007EA0000-0x0000000007F43000-memory.dmp

        Filesize

        652KB

        Download

      • memory/1732-46-0x0000000007E40000-0x0000000007E5E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/1732-33-0x0000000007E60000-0x0000000007E92000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1732-49-0x0000000007F90000-0x0000000007F9A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1732-50-0x0000000008050000-0x00000000080E6000-memory.dmp

        Filesize

        600KB

        Download

      • memory/1732-51-0x0000000007FB0000-0x0000000007FC1000-memory.dmp

        Filesize

        68KB

        Download

      • memory/1732-52-0x0000000007FF0000-0x0000000007FFE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1732-53-0x0000000008000000-0x0000000008014000-memory.dmp

        Filesize

        80KB

        Download

      • memory/1732-54-0x00000000080F0000-0x000000000810A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/1732-55-0x0000000008030000-0x0000000008038000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1732-58-0x0000000074D50000-0x0000000075500000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1732-47-0x0000000074D50000-0x0000000075500000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1732-34-0x0000000070BF0000-0x0000000070C3C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1732-36-0x0000000070FA0000-0x00000000712F4000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/1732-30-0x00000000082D0000-0x000000000894A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/1732-29-0x0000000007B70000-0x0000000007BE6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/1732-28-0x0000000074D50000-0x0000000075500000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1732-25-0x0000000006DA0000-0x0000000006DE4000-memory.dmp

        Filesize

        272KB

        Download

      • memory/1732-24-0x0000000006900000-0x000000000694C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1732-18-0x0000000006280000-0x00000000065D4000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/1732-12-0x0000000006050000-0x00000000060B6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1732-11-0x0000000005990000-0x00000000059F6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1732-10-0x0000000005770000-0x0000000005792000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1732-8-0x0000000005A20000-0x0000000006048000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/1732-7-0x0000000074D50000-0x0000000075500000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1732-6-0x0000000074D50000-0x0000000075500000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1732-5-0x0000000002F50000-0x0000000002F86000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1732-4-0x0000000074D5E000-0x0000000074D5F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2448-184-0x0000000070CF0000-0x0000000071044000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2448-196-0x0000000006440000-0x0000000006454000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2448-183-0x0000000070B70000-0x0000000070BBC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2448-179-0x00000000060C0000-0x0000000006414000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2448-182-0x0000000006680000-0x00000000066CC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2448-194-0x0000000007870000-0x0000000007913000-memory.dmp

        Filesize

        652KB

        Download

      • memory/2448-195-0x0000000007BB0000-0x0000000007BC1000-memory.dmp

        Filesize

        68KB

        Download

      • memory/3008-73-0x0000000070CF0000-0x0000000070D3C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3008-86-0x0000000007E70000-0x0000000007E84000-memory.dmp

        Filesize

        80KB

        Download

      • memory/3008-85-0x0000000007E00000-0x0000000007E11000-memory.dmp

        Filesize

        68KB

        Download

      • memory/3008-84-0x0000000007AD0000-0x0000000007B73000-memory.dmp

        Filesize

        652KB

        Download

      • memory/3008-74-0x0000000070E70000-0x00000000711C4000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3008-72-0x0000000006900000-0x000000000694C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3008-71-0x0000000006410000-0x0000000006764000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3412-167-0x0000000008000000-0x0000000008011000-memory.dmp

        Filesize

        68KB

        Download

      • memory/3412-156-0x0000000071410000-0x0000000071764000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3412-143-0x00000000063B0000-0x0000000006704000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3412-154-0x0000000006DD0000-0x0000000006E1C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3412-168-0x0000000006850000-0x0000000006864000-memory.dmp

        Filesize

        80KB

        Download

      • memory/3412-155-0x0000000070C50000-0x0000000070C9C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3412-166-0x0000000007CB0000-0x0000000007D53000-memory.dmp

        Filesize

        652KB

        Download

      • memory/3604-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/3604-32-0x0000000000400000-0x0000000002364000-memory.dmp

        Filesize

        31.4MB

        Download

      • memory/3604-2-0x0000000004710000-0x0000000004FFB000-memory.dmp

        Filesize

        8.9MB

        Download

      • memory/3604-9-0x0000000000400000-0x0000000002364000-memory.dmp

        Filesize

        31.4MB

        Download

      • memory/3604-1-0x0000000004300000-0x0000000004701000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/3604-26-0x0000000004300000-0x0000000004701000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/3604-27-0x0000000004710000-0x0000000004FFB000-memory.dmp

        Filesize

        8.9MB

        Download

      • memory/3604-59-0x0000000000400000-0x0000000002364000-memory.dmp

        Filesize

        31.4MB

        Download

      • memory/3604-61-0x0000000000400000-0x0000000000D1C000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/3604-35-0x0000000000400000-0x0000000000D1C000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/3644-103-0x00000000714B0000-0x0000000071804000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3644-234-0x0000000000400000-0x00000000008DF000-memory.dmp

        Filesize

        4.9MB

        Download

      • memory/3644-238-0x0000000000400000-0x00000000008DF000-memory.dmp

        Filesize

        4.9MB

        Download

      • memory/3644-99-0x00000000058B0000-0x0000000005C04000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3644-243-0x0000000000400000-0x00000000008DF000-memory.dmp

        Filesize

        4.9MB

        Download

      • memory/3644-102-0x0000000070CF0000-0x0000000070D3C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4472-140-0x0000000000400000-0x0000000002364000-memory.dmp

        Filesize

        31.4MB

        Download

      • memory/4472-135-0x0000000000400000-0x0000000002364000-memory.dmp

        Filesize

        31.4MB

        Download

      • memory/4472-101-0x0000000000400000-0x0000000002364000-memory.dmp

        Filesize

        31.4MB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.