Overview

overview

10

Static

static

1

693fa17c69...da.exe

windows7-x64

10

693fa17c69...da.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    22s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-06-2024 01:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    693fa17c698273ec0029c95a052cebf63a9e00c8e9ccc9cc1c77b586425efcda.exe

  • Size

    4.1MB

  • MD5

    881aa53278b6fd49243280d29897d19d

  • SHA1

    dd028f2c1f5b5356e81eadc0e39f263105847f19

  • SHA256

    693fa17c698273ec0029c95a052cebf63a9e00c8e9ccc9cc1c77b586425efcda

  • SHA512

    2fd0d0eef468aa3ebac35c2979976214ba4c7c49a2bd86ddbd48be30c87073bbc67f72e171ec7056d14e4671561d16a636f47664db861a1227ce75e07d12c49c

  • SSDEEP

    98304:JGrnwiB2dYFBQLVw0Jv37FWi1chPr/xRmmjECQgDNU:JG7LuY/yhvJWf/qmwCQmU

Score
8/10
evasionexecution

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Drops file in System32 directory 2 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

    execution
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\693fa17c698273ec0029c95a052cebf63a9e00c8e9ccc9cc1c77b586425efcda.exe
    "C:\Users\Admin\AppData\Local\Temp\693fa17c698273ec0029c95a052cebf63a9e00c8e9ccc9cc1c77b586425efcda.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4160
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2800
    • C:\Users\Admin\AppData\Local\Temp\693fa17c698273ec0029c95a052cebf63a9e00c8e9ccc9cc1c77b586425efcda.exe
      "C:\Users\Admin\AppData\Local\Temp\693fa17c698273ec0029c95a052cebf63a9e00c8e9ccc9cc1c77b586425efcda.exe"
      2⤵
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4292
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2916
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:336
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:5044
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3352
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        PID:2080
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
          PID:2156
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Command and Scripting Interpreter: PowerShell
            PID:2628
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:3368
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /delete /tn ScheduledUpdate /f
            4⤵
              PID:3684
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              4⤵
              • Command and Scripting Interpreter: PowerShell
              PID:4616
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              4⤵
              • Command and Scripting Interpreter: PowerShell
              PID:4364
            • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
              C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
              4⤵
                PID:5072
              • C:\Windows\SYSTEM32\schtasks.exe
                schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                4⤵
                • Creates scheduled task(s)
                PID:3440

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cz3v1ca5.gr0.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          Filesize

          281KB

          MD5

          d98e33b66343e7c96158444127a117f6

          SHA1

          bb716c5509a2bf345c6c1152f6e3e1452d39d50d

          SHA256

          5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

          SHA512

          705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          968cb9309758126772781b83adb8a28f

          SHA1

          8da30e71accf186b2ba11da1797cf67f8f78b47c

          SHA256

          92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

          SHA512

          4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          64f0163a8290e8fdb973429dfa9c0423

          SHA1

          cfa9db40ec5566d3fa52bd97cf32605ef88f5916

          SHA256

          bcd1d3424ad4df529ac600870bc6a54d09ab45ab72b85d47d04b3da79103a140

          SHA512

          6093a1f918a913e73a6d8f1c522d293866a52e2ee0b5e0ac6e29110cf98a38b8ac690f2805ce419518d4b26dd49633940e6c5de4fbeb7528e8beea1af46e9a6a

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          7b951a9a0ccb8cc63b8c53df7689b07b

          SHA1

          bb134aa90dd937cba2fc857eeb3e317db66b736e

          SHA256

          f58c26fd058d391b39c0d25f4b6c582208663b31e9285a2405782bccb5a898a1

          SHA512

          45e8d91f3265df7fb76fb5581917252afb44687f854d6cd1923e849d0316a4d6ff8a15f399a5cec67979762ff629ed4db90bb80f81172f720efbd6ce04bc519a

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          a4f2dafe623205cb04589c40b2c57b05

          SHA1

          dc065406c20c21d828efb5ea9943852bd97ce768

          SHA256

          e66b59fea225c6a3e0be303485cc4d8dc5963e6721e550f097f8bc7aebecaf46

          SHA512

          264c2c66aeecbbc324789ee40926e4c6fdfb76e8c2af0dde90879d0762bf128ebb4b17e92c9eab69662486d556162d0c0d6a571a07b396f9f904ba6bb703a840

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          f64b0ca61114574ee7e32fff32383da0

          SHA1

          dae99343aa005bad6688268891711db042a6bf61

          SHA256

          5d4414adf97cd6eee104d5e9e87085fcdfdb41c23b739b691d9eb64bebcbcb62

          SHA512

          0e5dc312d2cbf248816b996c4df930c56670398614490e57bdfa2da416a66b3a792d59c91f10f6b427d4004baecca6e6d5ca4ace34a94380c4d3f42e4abfadf5

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          f92f5a9291fcd85fcdd2bb6f1e1b5ec4

          SHA1

          3a6cbba0f511dec92065e7f6e99140b38e2de2e1

          SHA256

          74a863af33bb26a09c1b2aa8c1e4ad3fea005251cd07cb3b5f71922e63478eee

          SHA512

          a6dd05c0cf39ca28a94beab785ae3f839c254fa2260dff22c5e121bd355d65394caaf5b233e1336361908e55596041d772c8c1de2983de2d01d312e0943389db

          Download Submit

        • C:\Windows\rss\csrss.exe
          Filesize

          128KB

          MD5

          20135139afc48fd93d3b4f4564597f8c

          SHA1

          d8b2c4135adaeabf072e15da020d8df284bc3ef4

          SHA256

          1d1c3de0760fc109333d5148ad082285b3cefd32f34c3deb7ff3d87a4f59c7c2

          SHA512

          eb3f643ab329f21b5525167358d86a9dc16617159443f125a62ced80bbadcc946e5ade0de4aa61b910eb92b7334e8aceafa9f0905d0b56b58bb736f69e0419bf

          Download Submit

        • memory/2080-120-0x0000000070F80000-0x00000000712D4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2080-119-0x0000000070DE0000-0x0000000070E2C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2080-117-0x0000000005E20000-0x0000000006174000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2156-237-0x0000000000400000-0x0000000002EDD000-memory.dmp

          Filesize

          42.9MB

          Download

        • memory/2156-225-0x0000000000400000-0x0000000002EDD000-memory.dmp

          Filesize

          42.9MB

          Download

        • memory/2156-231-0x0000000000400000-0x0000000002EDD000-memory.dmp

          Filesize

          42.9MB

          Download

        • memory/2156-229-0x0000000000400000-0x0000000002EDD000-memory.dmp

          Filesize

          42.9MB

          Download

        • memory/2156-219-0x0000000000400000-0x0000000002EDD000-memory.dmp

          Filesize

          42.9MB

          Download

        • memory/2156-221-0x0000000000400000-0x0000000002EDD000-memory.dmp

          Filesize

          42.9MB

          Download

        • memory/2156-223-0x0000000000400000-0x0000000002EDD000-memory.dmp

          Filesize

          42.9MB

          Download

        • memory/2156-217-0x0000000000400000-0x0000000002EDD000-memory.dmp

          Filesize

          42.9MB

          Download

        • memory/2156-227-0x0000000000400000-0x0000000002EDD000-memory.dmp

          Filesize

          42.9MB

          Download

        • memory/2156-239-0x0000000000400000-0x0000000002EDD000-memory.dmp

          Filesize

          42.9MB

          Download

        • memory/2156-233-0x0000000000400000-0x0000000002EDD000-memory.dmp

          Filesize

          42.9MB

          Download

        • memory/2156-235-0x0000000000400000-0x0000000002EDD000-memory.dmp

          Filesize

          42.9MB

          Download

        • memory/2628-150-0x0000000070F80000-0x00000000712D4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2628-149-0x0000000070DE0000-0x0000000070E2C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2800-27-0x0000000007B60000-0x0000000007B7A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2800-30-0x0000000070DE0000-0x0000000070E2C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2800-29-0x0000000007D10000-0x0000000007D42000-memory.dmp

          Filesize

          200KB

          Download

        • memory/2800-48-0x0000000007EC0000-0x0000000007ECE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2800-50-0x0000000007FC0000-0x0000000007FDA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2800-51-0x0000000007F10000-0x0000000007F18000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2800-49-0x0000000007ED0000-0x0000000007EE4000-memory.dmp

          Filesize

          80KB

          Download

        • memory/2800-54-0x0000000074F40000-0x00000000756F0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2800-42-0x0000000007D50000-0x0000000007D6E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2800-44-0x0000000074F40000-0x00000000756F0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2800-47-0x0000000007E80000-0x0000000007E91000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2800-46-0x0000000007F20000-0x0000000007FB6000-memory.dmp

          Filesize

          600KB

          Download

        • memory/2800-45-0x0000000007E60000-0x0000000007E6A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2800-43-0x0000000007D70000-0x0000000007E13000-memory.dmp

          Filesize

          652KB

          Download

        • memory/2800-31-0x0000000074F40000-0x00000000756F0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2800-32-0x0000000070F60000-0x00000000712B4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2800-26-0x00000000081C0000-0x000000000883A000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/2800-25-0x0000000007AC0000-0x0000000007B36000-memory.dmp

          Filesize

          472KB

          Download

        • memory/2800-24-0x0000000007900000-0x0000000007944000-memory.dmp

          Filesize

          272KB

          Download

        • memory/2800-23-0x00000000067D0000-0x000000000681C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2800-22-0x0000000006790000-0x00000000067AE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2800-9-0x00000000057E0000-0x0000000005802000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2800-11-0x0000000006150000-0x00000000061B6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2800-21-0x0000000006330000-0x0000000006684000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2800-10-0x00000000060E0000-0x0000000006146000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2800-7-0x00000000058C0000-0x0000000005EE8000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/2800-8-0x0000000074F40000-0x00000000756F0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2800-6-0x0000000074F40000-0x00000000756F0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2800-5-0x00000000031A0000-0x00000000031D6000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2800-4-0x0000000074F4E000-0x0000000074F4F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2916-81-0x0000000007840000-0x0000000007854000-memory.dmp

          Filesize

          80KB

          Download

        • memory/2916-68-0x0000000070DE0000-0x0000000070E2C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2916-80-0x00000000077F0000-0x0000000007801000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2916-79-0x00000000074C0000-0x0000000007563000-memory.dmp

          Filesize

          652KB

          Download

        • memory/2916-69-0x0000000071B90000-0x0000000071EE4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2916-67-0x0000000005B90000-0x0000000005EE4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/3352-97-0x0000000070F60000-0x00000000712B4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/3352-96-0x0000000070DE0000-0x0000000070E2C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/4160-57-0x0000000005040000-0x000000000592B000-memory.dmp

          Filesize

          8.9MB

          Download

        • memory/4160-56-0x00000000033A0000-0x000000000379A000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/4160-28-0x0000000000400000-0x0000000002EDD000-memory.dmp

          Filesize

          42.9MB

          Download

        • memory/4160-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/4160-2-0x0000000005040000-0x000000000592B000-memory.dmp

          Filesize

          8.9MB

          Download

        • memory/4160-131-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/4160-1-0x00000000033A0000-0x000000000379A000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/4160-84-0x0000000000400000-0x0000000002EDD000-memory.dmp

          Filesize

          42.9MB

          Download

        • memory/4292-136-0x0000000000400000-0x0000000002EDD000-memory.dmp

          Filesize

          42.9MB

          Download

        • memory/4292-130-0x0000000000400000-0x0000000002EDD000-memory.dmp

          Filesize

          42.9MB

          Download

        • memory/4364-201-0x0000000071470000-0x00000000717C4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/4364-200-0x0000000070D00000-0x0000000070D4C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/4364-195-0x0000000005A20000-0x0000000005D74000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/4616-187-0x0000000005BB0000-0x0000000005BC4000-memory.dmp

          Filesize

          80KB

          Download

        • memory/4616-186-0x0000000007310000-0x0000000007321000-memory.dmp

          Filesize

          68KB

          Download

        • memory/4616-174-0x0000000070D00000-0x0000000070D4C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/4616-175-0x00000000712E0000-0x0000000071634000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/4616-185-0x0000000006FE0000-0x0000000007083000-memory.dmp

          Filesize

          652KB

          Download

        • memory/4616-173-0x0000000005DF0000-0x0000000005E3C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/4616-168-0x00000000056D0000-0x0000000005A24000-memory.dmp

          Filesize

          3.3MB

          Download