Analysis

max time kernel: 150s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 19-05-2024 11:35

Static task: static1
Behavioral task: behavioral1
Sample: 3c3b300d6c2a97b2c54ed7e7304102cfd9aee91d31fea20503e04bb46b7b021c.exe
Resource: win10v2004-20240426-en
General

Target: 3c3b300d6c2a97b2c54ed7e7304102cfd9aee91d31fea20503e04bb46b7b021c.exe
Size: 4.1MB
MD5: 101d98cc0ec6265841faf046352bc801
SHA1: d12c29e4cbee86f5e472482695f299419974c6bc
SHA256: 3c3b300d6c2a97b2c54ed7e7304102cfd9aee91d31fea20503e04bb46b7b021c
SHA512: 58e31a137c78c617c7b64ede12472cee9c127792e75f44ad8ddda11302fe503c01837afdc5bffef32498f3df63d3b1134aad4b0de17635003d2365ace73eab10
SSDEEP: 98304:ek/C6baF9NNXYvR+SQPyohxfWe3/GY9pAEj66:en6bazjovoyoHfX3/GYHV
Malware Config
Signatures
Glupteba payload 18 IoCs
Processes (resource: yara_rule):
- behavioral2/memory/2428-2-0x0000000004620000-0x0000000004F0B000-memory.dmp: family_glupteba
- behavioral2/memory/2428-3-0x0000000000400000-0x0000000000D1C000-memory.dmp: family_glupteba
- behavioral2/memory/2428-54-0x0000000000400000-0x0000000000D1C000-memory.dmp: family_glupteba
- behavioral2/memory/2428-51-0x0000000000400000-0x0000000002364000-memory.dmp: family_glupteba
- behavioral2/memory/2428-53-0x0000000004620000-0x0000000004F0B000-memory.dmp: family_glupteba
- behavioral2/memory/3692-125-0x0000000000400000-0x0000000002364000-memory.dmp: family_glupteba
- behavioral2/memory/2052-203-0x0000000000400000-0x0000000002364000-memory.dmp: family_glupteba
- behavioral2/memory/2052-214-0x0000000000400000-0x0000000002364000-memory.dmp: family_glupteba
- behavioral2/memory/2052-215-0x0000000000400000-0x0000000002364000-memory.dmp: family_glupteba
- behavioral2/memory/2052-217-0x0000000000400000-0x0000000002364000-memory.dmp: family_glupteba
- behavioral2/memory/2052-220-0x0000000000400000-0x0000000002364000-memory.dmp: family_glupteba
- behavioral2/memory/2052-222-0x0000000000400000-0x0000000002364000-memory.dmp: family_glupteba
- behavioral2/memory/2052-223-0x0000000000400000-0x0000000002364000-memory.dmp: family_glupteba
- behavioral2/memory/2052-225-0x0000000000400000-0x0000000002364000-memory.dmp: family_glupteba
- behavioral2/memory/2052-228-0x0000000000400000-0x0000000002364000-memory.dmp: family_glupteba
- behavioral2/memory/2052-230-0x0000000000400000-0x0000000002364000-memory.dmp: family_glupteba
- behavioral2/memory/2052-231-0x0000000000400000-0x0000000002364000-memory.dmp: family_glupteba
- behavioral2/memory/2052-234-0x0000000000400000-0x0000000002364000-memory.dmp: family_glupteba
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
- PID 2624 netsh.exe
Executes dropped EXE 4 IoCs
Processes:
- PID 2052 csrss.exe
- PID 804 injector.exe
- PID 4504 windefender.exe
- PID 4212 windefender.exe
Processes (resource: yara_rule):
- behavioral2/files/0x000200000002aa15-207.dat: upx
- behavioral2/memory/4504-208-0x0000000000400000-0x00000000008DF000-memory.dmp: upx
- behavioral2/memory/4212-211-0x0000000000400000-0x00000000008DF000-memory.dmp: upx
- behavioral2/memory/4504-213-0x0000000000400000-0x00000000008DF000-memory.dmp: upx
- behavioral2/memory/4212-216-0x0000000000400000-0x00000000008DF000-memory.dmp: upx
- behavioral2/memory/4212-219-0x0000000000400000-0x00000000008DF000-memory.dmp: upx
Adds Run key to start application 2 TTPs 2 IoCs
Processes (description: ioc, process):
- Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" (3c3b300d6c2a97b2c54ed7e7304102cfd9aee91d31fea20503e04bb46b7b021c.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" (csrss.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
Processes (description: ioc, process):
- File opened for modification \??\WinMonFS (csrss.exe)
Drops file in System32 directory 7 IoCs
Processes (description: ioc, process):
- File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (powershell.exe)
- File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log (powershell.exe)
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (powershell.exe)
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (powershell.exe)
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (powershell.exe)
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (powershell.exe)
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (powershell.exe)
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes (description: ioc, process):
- File opened (read-only) \??\VBoxMiniRdrDN (3c3b300d6c2a97b2c54ed7e7304102cfd9aee91d31fea20503e04bb46b7b021c.exe)
Drops file in Windows directory 4 IoCs
Processes (description: ioc, process):
- File created C:\Windows\windefender.exe (csrss.exe)
- File opened for modification C:\Windows\windefender.exe (csrss.exe)
- File opened for modification C:\Windows\rss (3c3b300d6c2a97b2c54ed7e7304102cfd9aee91d31fea20503e04bb46b7b021c.exe)
- File created C:\Windows\rss\csrss.exe (3c3b300d6c2a97b2c54ed7e7304102cfd9aee91d31fea20503e04bb46b7b021c.exe)
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
- PID 4936 sc.exe
Command and Scripting Interpreter: PowerShell
Processes:
- PID 3312 powershell.exe
- PID 4012 powershell.exe
- PID 2620 powershell.exe
- PID 1748 powershell.exe
- PID 1532 powershell.exe
- PID 1500 powershell.exe
- PID 1264 powershell.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- PID 4740 schtasks.exe
- PID 4092 schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, PID 3312 powershell.exe
- Token: SeDebugPrivilege, PID 2428 3c3b300d6c2a97b2c54ed7e7304102cfd9aee91d31fea20503e04bb46b7b021c.exe
- Token: SeImpersonatePrivilege, PID 2428 3c3b300d6c2a97b2c54ed7e7304102cfd9aee91d31fea20503e04bb46b7b021c.exe
- Token: SeDebugPrivilege, PID 4012 powershell.exe
- Token: SeDebugPrivilege, PID 2620 powershell.exe
- Token: SeDebugPrivilege, PID 1748 powershell.exe
- Token: SeDebugPrivilege, PID 1532 powershell.exe
- Token: SeDebugPrivilege, PID 1500 powershell.exe
- Token: SeDebugPrivilege, PID 1264 powershell.exe
- Token: SeSystemEnvironmentPrivilege, PID 2052 csrss.exe
- Token: SeSecurityPrivilege, PID 4936 sc.exe
- Token: SeSecurityPrivilege, PID 4936 sc.exe
Suspicious use of WriteProcessMemory 36 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\3c3b300d6c2a97b2c54ed7e7304102cfd9aee91d31fea20503e04bb46b7b021c.exe (PID 2428)
  command: "C:\Users\Admin\AppData\Local\Temp\3c3b300d6c2a97b2c54ed7e7304102cfd9aee91d31fea20503e04bb46b7b021c.exe"
  tags: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3312)
    command: powershell -nologo -noprofile
    tags: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\3c3b300d6c2a97b2c54ed7e7304102cfd9aee91d31fea20503e04bb46b7b021c.exe (PID 3692)
    command: "C:\Users\Admin\AppData\Local\Temp\3c3b300d6c2a97b2c54ed7e7304102cfd9aee91d31fea20503e04bb46b7b021c.exe"
    tags: Adds Run key to start application; Checks for VirtualBox DLLs, possible anti-VM trick; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4012)
      command: powershell -nologo -noprofile
      tags: Drops file in System32 directory; Command and Scripting Interpreter: PowerShell; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe (PID 2844)
      command: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      tags: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\netsh.exe (PID 2624)
        command: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        tags: Modifies Windows Firewall
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2620)
      command: powershell -nologo -noprofile
      tags: Drops file in System32 directory; Command and Scripting Interpreter: PowerShell; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1748)
      command: powershell -nologo -noprofile
      tags: Drops file in System32 directory; Command and Scripting Interpreter: PowerShell; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\rss\csrss.exe (PID 2052)
      command: C:\Windows\rss\csrss.exe
      tags: Executes dropped EXE; Adds Run key to start application; Manipulates WinMonFS driver.; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1532)
        command: powershell -nologo -noprofile
        tags: Drops file in System32 directory; Command and Scripting Interpreter: PowerShell; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SYSTEM32\schtasks.exe (PID 4740)
        command: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        tags: Creates scheduled task(s)
      - C:\Windows\SYSTEM32\schtasks.exe (PID 4252)
        command: schtasks /delete /tn ScheduledUpdate /f
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1500)
        command: powershell -nologo -noprofile
        tags: Drops file in System32 directory; Command and Scripting Interpreter: PowerShell; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1264)
        command: powershell -nologo -noprofile
        tags: Drops file in System32 directory; Command and Scripting Interpreter: PowerShell; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (PID 804)
        command: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        tags: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SYSTEM32\schtasks.exe (PID 4092)
        command: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        tags: Creates scheduled task(s)
      - C:\Windows\windefender.exe (PID 4504)
        command: "C:\Windows\windefender.exe"
        tags: Executes dropped EXE; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (PID 2148)
          command: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
          tags: Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\sc.exe (PID 4936)
            command: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            tags: Launches sc.exe; Suspicious use of AdjustPrivilegeToken
- C:\Windows\windefender.exe (PID 4212)
  command: C:\Windows\windefender.exe
  tags: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Downloads