Analysis
- max time kernel: 149s
- max time network: 138s
- platform: windows11-21h2_x64
- resource: win11-20240426-en
- resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 19-05-2024 13:59
Static task: static1
Behavioral task: behavioral1
Sample: 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe
Resource: win10v2004-20240508-en
General
- Target: 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe
- Size: 4.1MB
- MD5: d25b389db8f808c07fcbbbd50528a119
- SHA1: d0d769fb925948461cd76eaa92d830a3d180bcd4
- SHA256: 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426
- SHA512: e6961d9f2e2d23bda0c2641a8f4b2adfd188e1150d61463a55d07cfa880808b279b815c6dabd1d71f90d8e4a70197e7cbad65aaf01ce4729d3b41f65b4af89d9
- SSDEEP: 98304:8NaXJU8AJvaro5mDbVFqT6QhicqJuM7BOvJODhfBAiYJAl59Wr:8qU8A9EamDpImBOY9f2Nr
Malware Config
Signatures
-
Glupteba payload (18 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/4532-2-0x0000000004A30000-0x000000000531B000-memory.dmp | family_glupteba
  behavioral2/memory/4532-3-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
  behavioral2/memory/4532-77-0x0000000000400000-0x000000000273B000-memory.dmp | family_glupteba
  behavioral2/memory/4532-119-0x0000000004A30000-0x000000000531B000-memory.dmp | family_glupteba
  behavioral2/memory/3152-125-0x0000000000400000-0x000000000273B000-memory.dmp | family_glupteba
  behavioral2/memory/4532-147-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
  behavioral2/memory/2116-201-0x0000000000400000-0x000000000273B000-memory.dmp | family_glupteba
  behavioral2/memory/2116-212-0x0000000000400000-0x000000000273B000-memory.dmp | family_glupteba
  behavioral2/memory/2116-215-0x0000000000400000-0x000000000273B000-memory.dmp | family_glupteba
  behavioral2/memory/2116-218-0x0000000000400000-0x000000000273B000-memory.dmp | family_glupteba
  behavioral2/memory/2116-221-0x0000000000400000-0x000000000273B000-memory.dmp | family_glupteba
  behavioral2/memory/2116-224-0x0000000000400000-0x000000000273B000-memory.dmp | family_glupteba
  behavioral2/memory/2116-227-0x0000000000400000-0x000000000273B000-memory.dmp | family_glupteba
  behavioral2/memory/2116-230-0x0000000000400000-0x000000000273B000-memory.dmp | family_glupteba
  behavioral2/memory/2116-233-0x0000000000400000-0x000000000273B000-memory.dmp | family_glupteba
  behavioral2/memory/2116-236-0x0000000000400000-0x000000000273B000-memory.dmp | family_glupteba
  behavioral2/memory/2116-239-0x0000000000400000-0x000000000273B000-memory.dmp | family_glupteba
  behavioral2/memory/2116-242-0x0000000000400000-0x000000000273B000-memory.dmp | family_glupteba
Modifies Windows Firewall (2 TTPs, 1 IoCs)
Processes:
  pid | Process
  1728 | netsh.exe
Executes dropped EXE (4 IoCs)
Processes:
  pid | Process
  2116 | csrss.exe
  3944 | injector.exe
  992 | windefender.exe
  1976 | windefender.exe
YARA rule match: upx (6 IoCs)
Processes:
  resource | yara_rule
  behavioral2/files/0x000200000002a9cf-204.dat | upx
  behavioral2/memory/992-206-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
  behavioral2/memory/1976-210-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
  behavioral2/memory/992-211-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
  behavioral2/memory/1976-214-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
  behavioral2/memory/1976-220-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | csrss.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Manipulates WinMonFS driver. (1 IoCs)
Rootkits write to WinMonFS to hide directories/files from being detected.
Processes:
  description | ioc | Process
  File opened for modification | \??\WinMonFS | csrss.exe
Drops file in System32 directory (7 IoCs)
Processes:
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
Checks for VirtualBox DLLs, possible anti-VM trick (1 TTPs, 1 IoCs)
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
  description | ioc | Process
  File opened (read-only) | \??\VBoxMiniRdrDN | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe
Drops file in Windows directory (4 IoCs)
Processes:
  description | ioc | Process
  File created | C:\Windows\rss\csrss.exe | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe
  File created | C:\Windows\windefender.exe | csrss.exe
  File opened for modification | C:\Windows\windefender.exe | csrss.exe
  File opened for modification | C:\Windows\rss | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe
Launches sc.exe (1 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid | Process
  888 | sc.exe
Command and Scripting Interpreter: PowerShell (7 IoCs)
Processes:
  pid | Process
  4720 | powershell.exe
  1720 | powershell.exe
  4928 | powershell.exe
  1424 | powershell.exe
  1252 | powershell.exe
  1172 | powershell.exe
  1576 | powershell.exe
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid | Process
  4232 | schtasks.exe
  1552 | schtasks.exe
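The firewall rule, scheduled task and sc.exe signatures above are exactly the process-creation events a detection engineer triages from Sysmon or EDR telemetry, and the full command lines appear in the process tree further down. The following Python is an added example for this report, not Triage output or code from the sample: it applies four rules (a System32-only binary name running from elsewhere, an inbound firewall allow rule for a program outside trusted directories, a schtasks /CREATE with a logon trigger, highest run level or untrusted target, and any sc sdset) to event records transcribed from this report's process tree plus one constructed benign control, and checks the Run value the sample wrote. The trusted-directory roots and the list of System32-only binary names are assumptions chosen for the example.

```python
"""Triage process-creation events for the persistence and defence-evasion
command lines seen in this Glupteba run.

Added example for this report (not Triage output); the event records are
transcribed from the process tree, plus one constructed benign control."""
import re
from pathlib import PureWindowsPath

# Assumption: these names only legitimately run from System32/SysWOW64, so a
# copy anywhere else (here C:\Windows\rss\csrss.exe) is name masquerading.
SYSTEM_ONLY_BINARIES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                        "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TRUSTED_DIRS = SYSTEM_DIRS + ("c:\\program files\\", "c:\\program files (x86)\\")

def _norm(path):
    return str(PureWindowsPath(path.strip().strip('"'))).lower()

def _under(path, roots):
    return any(_norm(path).startswith(r) for r in roots)

def _first_token(command):
    """Executable path from a Run value or command: quoted, else first bare token."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    return m.group(1) or m.group(2)

def findings_for(image, cmdline):
    """Return the list of triage findings for one process-creation event."""
    out = []
    name = PureWindowsPath(image.strip('"')).name.lower()
    if name in SYSTEM_ONLY_BINARIES and not _under(image, SYSTEM_DIRS):
        out.append(f"{name} running outside System32: {image}")
    # netsh advfirewall ... action=allow program=<path>: allow-listing a dropper
    m = re.search(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b'
                  r'.*\bprogram=(?:"([^"]+)"|(\S+))', cmdline, re.I)
    if m:
        prog = m.group(1) or m.group(2)
        if not _under(prog, TRUSTED_DIRS):
            out.append(f"inbound firewall allow rule for untrusted program {prog}")
    # schtasks /CREATE with a logon trigger, highest run level or untrusted target
    if re.search(r'schtasks(?:\.exe)?\s+/create\b', cmdline, re.I):
        tr = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
        target = (tr.group(1) or tr.group(2)) if tr else ""
        traits = []
        if re.search(r'/sc\s+onlogon\b', cmdline, re.I):
            traits.append("runs at logon")
        if re.search(r'/rl\s+highest\b', cmdline, re.I):
            traits.append("highest run level")
        if target and not _under(target, TRUSTED_DIRS):
            traits.append(f"untrusted target {target}")
        if traits:
            out.append("scheduled task: " + ", ".join(traits))
    # sc sdset <service> <SDDL>: a rewritten service DACL is rare outside installers
    m = re.search(r'\bsc(?:\.exe)?\s+sdset\s+(\S+)', cmdline, re.I)
    if m:
        out.append(f"service security descriptor rewritten for {m.group(1)}")
    return out

def run_key_finding(value_name, command):
    """Flag a Run value that starts a masquerading or untrusted binary, else None."""
    target = _first_token(command)
    name = PureWindowsPath(target).name.lower()
    if name in SYSTEM_ONLY_BINARIES and not _under(target, SYSTEM_DIRS):
        return f"Run value {value_name!r} starts a {name} lookalike at {target}"
    if not _under(target, TRUSTED_DIRS):
        return f"Run value {value_name!r} starts untrusted program {target}"
    return None

def triage(events):
    """(pid, finding) pairs for every event that matched at least one rule."""
    return [(e["pid"], f) for e in events for f in findings_for(e["image"], e["cmdline"])]

# Descriptor and events transcribed from the process tree in this report.
SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
EVENTS = [
    {"pid": 2116, "image": r"C:\Windows\rss\csrss.exe", "cmdline": r"C:\Windows\rss\csrss.exe"},
    {"pid": 1728, "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="csrss" dir=in action=allow '
                'program="C:\\Windows\\rss\\csrss.exe" enable=yes'},
    {"pid": 4232, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": 'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\\Windows\\rss\\csrss.exe" /TN csrss /F'},
    {"pid": 4068, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": "schtasks /delete /tn ScheduledUpdate /f"},
    {"pid": 888, "image": r"C:\Windows\SysWOW64\sc.exe", "cmdline": "sc sdset WinDefender " + SDDL},
    # Constructed benign control: the real csrss.exe in System32 must not fire.
    {"pid": 624, "image": r"C:\Windows\System32\csrss.exe", "cmdline": r"C:\Windows\System32\csrss.exe"},
]

if __name__ == "__main__":
    for pid, finding in triage(EVENTS):
        print(pid, finding)
    print(run_key_finding("csrss", '"C:\\Windows\\rss\\csrss.exe"'))
```

Run against the transcribed events, the rules fire on PIDs 2116, 1728, 4232 and 888 and stay quiet on the task deletion and on the genuine csrss.exe; the Run value is flagged because its target is a csrss.exe outside System32. In production the trusted-directory check needs an allow list for the many legitimate Run entries under AppData, which is why the masquerade rule is evaluated first and reported separately.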
Modifies data under HKEY_USERS (64 IoCs)
Processes:
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" | windefender.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" | windefender.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" | windefender.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" | windefender.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" | windefender.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" | windefender.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" | windefender.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" | windefender.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" | windefender.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" | windefender.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" | windefender.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" | windefender.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" | windefender.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" | windefender.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" | windefender.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" | windefender.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" | windefender.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" | windefender.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" | windefender.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" | windefender.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" | windefender.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (consecutive identical rows collapsed, count in the last column):
  pid | Process | rows
  4720 | powershell.exe | 2
  4532 | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe | 2
  1720 | powershell.exe | 2
  3152 | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe | 10
  4928 | powershell.exe | 2
  1424 | powershell.exe | 2
  1252 | powershell.exe | 2
  1172 | powershell.exe | 2
  1576 | powershell.exe | 2
  3944 | injector.exe | 6
  2116 | csrss.exe | 2
  3944 | injector.exe | 6
  2116 | csrss.exe | 2
  3944 | injector.exe | 4
  2116 | csrss.exe | 2
  3944 | injector.exe | 16
Suspicious use of AdjustPrivilegeToken (12 IoCs)
Processes:
  description | pid | Process
  Token: SeDebugPrivilege | 4720 | powershell.exe
  Token: SeDebugPrivilege | 4532 | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe
  Token: SeImpersonatePrivilege | 4532 | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe
  Token: SeDebugPrivilege | 1720 | powershell.exe
  Token: SeDebugPrivilege | 4928 | powershell.exe
  Token: SeDebugPrivilege | 1424 | powershell.exe
  Token: SeDebugPrivilege | 1252 | powershell.exe
  Token: SeDebugPrivilege | 1172 | powershell.exe
  Token: SeDebugPrivilege | 1576 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 2116 | csrss.exe
  Token: SeSecurityPrivilege | 888 | sc.exe
  Token: SeSecurityPrivilege | 888 | sc.exe
Suspicious use of WriteProcessMemory (36 IoCs)
Processes (consecutive identical rows collapsed, count in the last column):
  description | pid | Process | procid_target | rows
  PID 4532 wrote to memory of 4720 | 4532 | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe | 80 | 3
  PID 3152 wrote to memory of 1720 | 3152 | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe | 86 | 3
  PID 3152 wrote to memory of 428 | 3152 | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe | 88 | 2
  PID 428 wrote to memory of 1728 | 428 | cmd.exe | 90 | 2
  PID 3152 wrote to memory of 4928 | 3152 | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe | 91 | 3
  PID 3152 wrote to memory of 1424 | 3152 | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe | 93 | 3
  PID 3152 wrote to memory of 2116 | 3152 | 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe | 95 | 3
  PID 2116 wrote to memory of 1252 | 2116 | csrss.exe | 96 | 3
  PID 2116 wrote to memory of 1172 | 2116 | csrss.exe | 102 | 3
  PID 2116 wrote to memory of 1576 | 2116 | csrss.exe | 104 | 3
  PID 2116 wrote to memory of 3944 | 2116 | csrss.exe | 106 | 2
  PID 992 wrote to memory of 4864 | 992 | windefender.exe | 112 | 3
  PID 4864 wrote to memory of 888 | 4864 | cmd.exe | 113 | 3
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows the parent/child depth; the number in brackets is the depth level)
[1] C:\Users\Admin\AppData\Local\Temp\005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe"
    PID: 4532
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -nologo -noprofile
        PID: 4720
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Users\Admin\AppData\Local\Temp\005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426.exe"
        PID: 3152
        - Adds Run key to start application
        - Checks for VirtualBox DLLs, possible anti-VM trick
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell -nologo -noprofile
            PID: 1720
            - Drops file in System32 directory
            - Command and Scripting Interpreter: PowerShell
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            PID: 428
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\netsh.exe
                cmdline: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                PID: 1728
                - Modifies Windows Firewall
        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell -nologo -noprofile
            PID: 4928
            - Drops file in System32 directory
            - Command and Scripting Interpreter: PowerShell
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell -nologo -noprofile
            PID: 1424
            - Drops file in System32 directory
            - Command and Scripting Interpreter: PowerShell
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\rss\csrss.exe
            cmdline: C:\Windows\rss\csrss.exe
            PID: 2116
            - Executes dropped EXE
            - Adds Run key to start application
            - Manipulates WinMonFS driver.
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                cmdline: powershell -nologo -noprofile
                PID: 1252
                - Drops file in System32 directory
                - Command and Scripting Interpreter: PowerShell
                - Modifies data under HKEY_USERS
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\SYSTEM32\schtasks.exe
                cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                PID: 4232
                - Creates scheduled task(s)
            [4] C:\Windows\SYSTEM32\schtasks.exe
                cmdline: schtasks /delete /tn ScheduledUpdate /f
                PID: 4068
            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                cmdline: powershell -nologo -noprofile
                PID: 1172
                - Drops file in System32 directory
                - Command and Scripting Interpreter: PowerShell
                - Modifies data under HKEY_USERS
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                cmdline: powershell -nologo -noprofile
                PID: 1576
                - Drops file in System32 directory
                - Command and Scripting Interpreter: PowerShell
                - Modifies data under HKEY_USERS
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            [4] C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                cmdline: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                PID: 3944
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
            [4] C:\Windows\SYSTEM32\schtasks.exe
                cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                PID: 1552
                - Creates scheduled task(s)
            [4] C:\Windows\windefender.exe
                cmdline: "C:\Windows\windefender.exe"
                PID: 992
                - Executes dropped EXE
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\cmd.exe
                    cmdline: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                    PID: 4864
                    - Suspicious use of WriteProcessMemory
                    [6] C:\Windows\SysWOW64\sc.exe
                        cmdline: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                        PID: 888
                        - Launches sc.exe
                        - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\windefender.exe
    cmdline: C:\Windows\windefender.exe
    PID: 1976
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
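The sc sdset command that windefender.exe runs through cmd.exe (PID 4864, then sc.exe PID 888) rewrites the security descriptor of a service named WinDefender, one letter away from the real Windows Defender service name WinDefend. SDDL is hard to read by eye, so the following Python decoder is an added example for this report, not Triage output or code from the sample: it splits the D: and S: sections into ACEs, computes what each principal can still do with the service, and lists the reasons the descriptor looks tampered with. The descriptor string is copied from the process tree above; the baseline descriptor used for comparison is an assumption representing the usual default shape of a service DACL, not something taken from this report.

```python
"""Decode the service security descriptor applied with `sc sdset` in this run
and report what it takes away from administrators.

Added example for this report (not Triage output). GLUPTEBA_SDDL is copied
from the process tree; DEFAULT_SDDL is an assumed baseline for comparison."""
import re
from dataclasses import dataclass

# Service object access rights: SDDL two-letter code -> (name, mask).
SERVICE_RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001), "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "LC": ("SERVICE_QUERY_STATUS", 0x0004), "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010), "WP": ("SERVICE_STOP", 0x0020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040), "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100), "SD": ("DELETE", 0x10000),
    "RC": ("READ_CONTROL", 0x20000), "WD": ("WRITE_DAC", 0x40000), "WO": ("WRITE_OWNER", 0x80000),
}
WELL_KNOWN_SIDS = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive users",
                   "SU": "Service logon", "WD": "Everyone"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
# Rights an admin needs to stop, reconfigure or remove a service.
CONTROL_RIGHTS = {"SERVICE_STOP", "SERVICE_PAUSE_CONTINUE", "SERVICE_CHANGE_CONFIG",
                  "DELETE", "WRITE_DAC", "WRITE_OWNER"}

@dataclass(frozen=True)
class Ace:
    ace_type: str       # allow / deny / audit
    flags: str          # e.g. FA = audit failed access (SACL entries)
    rights: frozenset   # right names from SERVICE_RIGHTS
    sid: str            # SDDL SID abbreviation or a full S-1-... SID

def _rights(text):
    """Expand a rights field: either a hex mask or a run of two-letter codes."""
    if text.lower().startswith("0x"):
        mask = int(text, 16)
        return frozenset(n for n, m in SERVICE_RIGHTS.values() if mask & m)
    codes = [text[i:i + 2] for i in range(0, len(text), 2)]
    unknown = [c for c in codes if c not in SERVICE_RIGHTS]
    if unknown:
        raise ValueError(f"unknown right code(s) {unknown}")
    return frozenset(SERVICE_RIGHTS[c][0] for c in codes)

def parse_sddl(sddl):
    """Split a 'D:(...)S:(...)' string into {'dacl': [Ace], 'sacl': [Ace]}."""
    acls = {"dacl": [], "sacl": []}
    for section, body in re.findall(r"([DS]):((?:\([^)]*\))*)", sddl):
        for ace in re.findall(r"\(([^)]*)\)", body):
            fields = ace.split(";")
            if len(fields) != 6:
                raise ValueError(f"malformed ACE ({ace})")
            atype, flags, rights, _obj, _inherit, sid = fields
            acls["dacl" if section == "D" else "sacl"].append(
                Ace(ACE_TYPES.get(atype, atype), flags, _rights(rights), sid))
    return acls

def effective_rights(sddl, sid):
    """Rights `sid` ends up with: union of its allow ACEs minus its deny ACEs.
    Windows walks ACEs in order; treating deny as absolute is the conservative
    reading and is exact for canonical (deny-first) DACLs."""
    allowed, denied = set(), set()
    for ace in parse_sddl(sddl)["dacl"]:
        if ace.sid != sid:
            continue
        if ace.ace_type == "allow":
            allowed |= ace.rights
        elif ace.ace_type == "deny":
            denied |= ace.rights
    return frozenset(allowed - denied)

def tamper_indicators(sddl):
    """Reasons the descriptor looks built to keep admins from stopping or
    removing the service; an empty list means nothing suspicious."""
    findings = []
    for ace in parse_sddl(sddl)["dacl"]:
        lost = sorted(ace.rights & CONTROL_RIGHTS)
        if ace.ace_type == "deny" and ace.sid in ("BA", "WD") and lost:
            findings.append(f"explicit deny of {', '.join(lost)} for {WELL_KNOWN_SIDS[ace.sid]}")
    admin = effective_rights(sddl, "BA")
    for right in ("SERVICE_STOP", "SERVICE_PAUSE_CONTINUE", "SERVICE_CHANGE_CONFIG"):
        if right not in admin:
            findings.append(f"Administrators lack {right}")
    return findings

# Descriptor applied in this run (process tree: sc sdset WinDefender ...).
GLUPTEBA_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Assumed baseline: the usual default shape of a service DACL, for comparison only.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for sid in ("SY", "BA", "IU"):
        print(WELL_KNOWN_SIDS[sid], sorted(effective_rights(GLUPTEBA_SDDL, sid)))
    print(tamper_indicators(GLUPTEBA_SDDL))
```

The decoded result explains the technique: compared with the baseline, the Administrators allow ACE has had WP and DT removed and a separate deny ACE for WPDT added, so SERVICE_STOP and SERVICE_PAUSE_CONTINUE are gone and `sc stop WinDefender` from an elevated prompt fails with access denied, while LocalSystem keeps full control. Administrators still hold WRITE_DAC and WRITE_OWNER, so a responder can confirm the descriptor with `sc sdshow WinDefender`, write a normal one back with `sc sdset`, and then stop the service; the lock-out is an obstacle, not a real block. The SACL entry is a failed-access audit ACE for Everyone, which is the default and not part of the tampering.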
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 281KB
  MD5: d98e33b66343e7c96158444127a117f6
  SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
  SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
  SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: d0c46cad6c0778401e21910bd6b56b70
  SHA1: 7be418951ea96326aca445b8dfe449b2bfa0dca6
  SHA256: 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
  SHA512: 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 263afa6fbbd3be35c707a5e02c18c2f2
  SHA1: 01a2f5cc7a91dd74e97411102fcc0415cbffb727
  SHA256: 41edb793d102259041885de2145667bbf2be1e823f21c6c059f9ce7d235211c2
  SHA512: 019c858a0f49b0637f2d649953a042f0ef916c65f597b69a60d1cba44565610f1e3e0f1d9466133f2e68eb04eab459849bedc61706246fe3d4abda84840df771
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 944a4d9ce83e5c64c65a813340d3d860
  SHA1: 5c9c12a68f67b7cc12b154863f6c57102bc7d216
  SHA256: 3db5d6f3ab4099ca767b7e86de03470d04118c7a1adf558102e5f97e5ff277e1
  SHA512: 4e0a9eb73dd48187b5b265256f97eafa198e44523d34018723e85969ee45805b8f509f9e45df3772a0dc5ae05b4e4d708126d0b979c10066ba1229947287db2d
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 9f87c8ce4a5071a270d69423373e05a0
  SHA1: ef5d4935ecccd4a740d28101a1fc88820bfb5ba6
  SHA256: ee4b18a25ddb445165c96a7e38d0509621884c03283ee2172eb63f2fe9fb3ce0
  SHA512: 91ab7993b708880c693fe0c3e71b002fee131440efc08ca562fe9b2146717758403a2b43fa1b0322c5dd7e9cbc9ce795258e0fe7e468f93b9818da1852c9446c
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 8829e3e8515ca915c69f77564f3266ef
  SHA1: fcb9b150a3cdfbc6fbbbfc89b5d3a89f3406fa56
  SHA256: bd13b19a50751cc21afb77e46bf2642e779440c4aa108c4f1ffaa0cd65fde07e
  SHA512: e89a0f81e4b74d42c64ab5a39550f817afb3a974da9b8bcf34dd9d25cd62042cc03a2214f64d6a85228600abfb9a1efde23cd9bc20c64d8487512c3c22caf282
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: eec7870d520ddf81058484b469243d29
  SHA1: d16bdac45aa7b17627d631f3b055839b48f41e18
  SHA256: 89ff1ffeb600ae96a6de012d112c624d9bf8f31ce80f95123034474c473ca04d
  SHA512: cbd7f0316145bcb791b67b0edd85d8323cb308cad41ceb60219063f5e5ae7f15ec37c2ce94a92bf88891a3e9214d35cc2a5fb7876d1282269d8cc2212cada94b
- Filesize: 4.1MB
  MD5: d25b389db8f808c07fcbbbd50528a119
  SHA1: d0d769fb925948461cd76eaa92d830a3d180bcd4
  SHA256: 005c1f4a8b482aa2de3b67b80f5576228ef54299893cf0b8e0ff9568e4f80426
  SHA512: e6961d9f2e2d23bda0c2641a8f4b2adfd188e1150d61463a55d07cfa880808b279b815c6dabd1d71f90d8e4a70197e7cbad65aaf01ce4729d3b41f65b4af89d9
- Filesize: 2.0MB
  MD5: 8e67f58837092385dcf01e8a2b4f5783
  SHA1: 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
  SHA256: 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
  SHA512: 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec