glupteba | 22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Size

8.9MB
MD5

5bfd9f368a71aae200d7f8dc950c562c
SHA1

1d122608ef3bf20cd04df6d52ebb6d79b9bad693
SHA256

22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db
SHA512

5a589983adc1a6cf7ed9a7abb3e2dcffc42e9f2ca76b762d75f85ccc418d0b2de9d4e15c5393deb0fc1b95573c246f4556aec3c98bd831d21394efb1f09a8ae8
SSDEEP

98304:gHxMZDJ1TRpxYVX9u2IazANfLhZytTD5iqa:GxEvYjVzANDhwN

Score

10^/10

glupteba aspackv2 discovery dropper evasion execution loader persistence privilege_escalation rootkit

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 7 IoCs

resource	yara_rule
behavioral2/memory/684-5-0x0000000000B00000-0x0000000001421000-memory.dmp	family_glupteba
behavioral2/memory/4776-100-0x0000000000B00000-0x0000000001421000-memory.dmp	family_glupteba
behavioral2/memory/684-97-0x0000000000B00000-0x0000000001421000-memory.dmp	family_glupteba
behavioral2/files/0x00080000000234c3-183.dat	family_glupteba
behavioral2/memory/4776-186-0x0000000000B00000-0x0000000001421000-memory.dmp	family_glupteba
behavioral2/memory/4976-187-0x00000000007F0000-0x0000000001111000-memory.dmp	family_glupteba
behavioral2/memory/4976-276-0x00000000007F0000-0x0000000001111000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1700	netsh.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0009000000023452-2.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	himQhJ.exe

Executes dropped EXE 5 IoCs

pid	Process
1728	himQhJ.exe
4332	himQhJ.exe
4976	csrss.exe
2676	himQhJ.exe
5000	injector.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	himQhJ.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	himQhJ.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	himQhJ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe	himQhJ.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	himQhJ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\fmui.exe	himQhJ.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	himQhJ.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	himQhJ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe	himQhJ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	himQhJ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE	himQhJ.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	himQhJ.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	himQhJ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe	himQhJ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.exe	himQhJ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\StoreExperienceHost.exe	himQhJ.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	himQhJ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	himQhJ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe	himQhJ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe	himQhJ.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	himQhJ.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	himQhJ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE	himQhJ.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	himQhJ.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	himQhJ.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	himQhJ.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	himQhJ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	himQhJ.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	himQhJ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe	himQhJ.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	himQhJ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE	himQhJ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\3DViewer.exe	himQhJ.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	himQhJ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE	himQhJ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	himQhJ.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	himQhJ.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	himQhJ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe	himQhJ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE	himQhJ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe	himQhJ.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	himQhJ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE	himQhJ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\GameBar.exe	himQhJ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	himQhJ.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	himQhJ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE	himQhJ.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe	himQhJ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstaller.exe	himQhJ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	himQhJ.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	himQhJ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	himQhJ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	himQhJ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Maps.exe	himQhJ.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	himQhJ.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe	himQhJ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	himQhJ.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	himQhJ.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	himQhJ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	himQhJ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE	himQhJ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\GetHelp.exe	himQhJ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	himQhJ.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	himQhJ.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rss\csrss.exe	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
File opened for modification	C:\Windows\rss	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3620	powershell.exe
4756	powershell.exe
3860	powershell.exe
5036	powershell.exe
3984	powershell.exe
216	powershell.exe
4788	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	himQhJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	himQhJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	himQhJ.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3840	schtasks.exe
216	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3984	powershell.exe
3984	powershell.exe
684	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
684	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
216	powershell.exe
216	powershell.exe
4776	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
4776	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
4776	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
4776	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
4776	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
4776	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
4776	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
4776	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
4776	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
4776	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
4788	powershell.exe
4788	powershell.exe
4788	powershell.exe
3620	powershell.exe
3620	powershell.exe
4756	powershell.exe
4756	powershell.exe
3860	powershell.exe
3860	powershell.exe
5036	powershell.exe
5036	powershell.exe
5000	injector.exe
5000	injector.exe
5000	injector.exe
5000	injector.exe
5000	injector.exe
5000	injector.exe
4976	csrss.exe
4976	csrss.exe
5000	injector.exe
5000	injector.exe
5000	injector.exe
5000	injector.exe
5000	injector.exe
5000	injector.exe
4976	csrss.exe
4976	csrss.exe
5000	injector.exe
5000	injector.exe
5000	injector.exe
5000	injector.exe
5000	injector.exe
5000	injector.exe
5000	injector.exe
5000	injector.exe
5000	injector.exe
5000	injector.exe
5000	injector.exe
5000	injector.exe
5000	injector.exe
5000	injector.exe
5000	injector.exe
5000	injector.exe
5000	injector.exe
5000	injector.exe
5000	injector.exe
5000	injector.exe
5000	injector.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	684	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Token: SeImpersonatePrivilege	684	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeDebugPrivilege	3620	powershell.exe
Token: SeDebugPrivilege	4756	powershell.exe
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeSystemEnvironmentPrivilege	4976	csrss.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 684 wrote to memory of 1728	684	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe	84
PID 684 wrote to memory of 1728	684	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe	84
PID 684 wrote to memory of 1728	684	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe	84
PID 684 wrote to memory of 3984	684	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe	87
PID 684 wrote to memory of 3984	684	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe	87
PID 684 wrote to memory of 3984	684	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe	87
PID 1728 wrote to memory of 1132	1728	himQhJ.exe	91
PID 1728 wrote to memory of 1132	1728	himQhJ.exe	91
PID 1728 wrote to memory of 1132	1728	himQhJ.exe	91
PID 4776 wrote to memory of 4332	4776	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe	99
PID 4776 wrote to memory of 4332	4776	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe	99
PID 4776 wrote to memory of 4332	4776	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe	99
PID 4332 wrote to memory of 1492	4332	himQhJ.exe	100
PID 4332 wrote to memory of 1492	4332	himQhJ.exe	100
PID 4332 wrote to memory of 1492	4332	himQhJ.exe	100
PID 4776 wrote to memory of 216	4776	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe	102
PID 4776 wrote to memory of 216	4776	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe	102
PID 4776 wrote to memory of 216	4776	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe	102
PID 4776 wrote to memory of 508	4776	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe	105
PID 4776 wrote to memory of 508	4776	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe	105
PID 508 wrote to memory of 1700	508	cmd.exe	108
PID 508 wrote to memory of 1700	508	cmd.exe	108
PID 4776 wrote to memory of 4788	4776	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe	109
PID 4776 wrote to memory of 4788	4776	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe	109
PID 4776 wrote to memory of 4788	4776	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe	109
PID 4776 wrote to memory of 3620	4776	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe	111
PID 4776 wrote to memory of 3620	4776	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe	111
PID 4776 wrote to memory of 3620	4776	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe	111
PID 4776 wrote to memory of 4976	4776	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe	113
PID 4776 wrote to memory of 4976	4776	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe	113
PID 4776 wrote to memory of 4976	4776	22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe	113
PID 4976 wrote to memory of 2676	4976	csrss.exe	114
PID 4976 wrote to memory of 2676	4976	csrss.exe	114
PID 4976 wrote to memory of 2676	4976	csrss.exe	114
PID 2676 wrote to memory of 3224	2676	himQhJ.exe	115
PID 2676 wrote to memory of 3224	2676	himQhJ.exe	115
PID 2676 wrote to memory of 3224	2676	himQhJ.exe	115
PID 4976 wrote to memory of 4756	4976	csrss.exe	117
PID 4976 wrote to memory of 4756	4976	csrss.exe	117
PID 4976 wrote to memory of 4756	4976	csrss.exe	117
PID 4976 wrote to memory of 3860	4976	csrss.exe	122
PID 4976 wrote to memory of 3860	4976	csrss.exe	122
PID 4976 wrote to memory of 3860	4976	csrss.exe	122
PID 4976 wrote to memory of 5036	4976	csrss.exe	125
PID 4976 wrote to memory of 5036	4976	csrss.exe	125
PID 4976 wrote to memory of 5036	4976	csrss.exe	125
PID 4976 wrote to memory of 5000	4976	csrss.exe	127
PID 4976 wrote to memory of 5000	4976	csrss.exe	127

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
"C:\Users\Admin\AppData\Local\Temp\22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:684
- C:\Users\Admin\AppData\Local\Temp\himQhJ.exe
  C:\Users\Admin\AppData\Local\Temp\himQhJ.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\789146bd.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1132
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3984
- C:\Users\Admin\AppData\Local\Temp\22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe
  "C:\Users\Admin\AppData\Local\Temp\22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db.exe"
  2⤵
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Windows\TEMP\himQhJ.exe
    C:\Windows\TEMP\himQhJ.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4332
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\TEMP\1f6109a7.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1492
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:216
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:508
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1700
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4788
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3620
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Manipulates WinMonFS driver.
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Windows\TEMP\himQhJ.exe
      C:\Windows\TEMP\himQhJ.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Windows\TEMP\386a493e.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3224
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4756
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:216
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:4120
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3860
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5036
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:5000
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MQYRE6E5\k2[1].rar

Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4DF64C6A.exe

Filesize
4B

MD5
20879c987e2f9a916e578386d499f629

SHA1
c7b33ddcc42361fdb847036fc07e880b81935d5d

SHA256
9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

SHA512
bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\789146bd.bat

Filesize
187B

MD5
e93a873e4541aa11f6bed99f50390386

SHA1
bcffec15b44e4861346d4ce214adfc72631378ff

SHA256
012733861250cab1e6b40b6be2dc6d0c820b1f1c4750268681be2c345a5ae68d

SHA512
22f673d7d0bfed25543567ae404c87b3e1c160befa14b2e3ee48651c10f9316a1de9d4d0fc468d8a5ad17083d72a5b3659706fb2e20852c60364fba7a9d28347

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jin1z5xv.zos.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\himQhJ.exe

Filesize
15KB

MD5
f7d21de5c4e81341eccd280c11ddcc9a

SHA1
d4e9ef10d7685d491583c6fa93ae5d9105d815bd

SHA256
4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794

SHA512
e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
57609947339b0bd69bb102613e3ac77a

SHA1
a0f7ea266c7207860d7a0c74e29980d1fbe5d9d1

SHA256
e96cca388e378bfceb19196b93438e386829ea00a2c5a25f793c14de5ba5f2f1

SHA512
7425ef74da5a06d63952419dda2a729530a981448de462d3d1486586a5d78d45fcb4effb84626cdb08674c0ee9250a458ede69e970b95edad737b6eb8a39f6f3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
2e0b4cec7a0b296a4940a0b5e430e5b9

SHA1
1f70ed09c4c2a032a73d6ed2ab161efb49e32a29

SHA256
9725065abab8b53589786390b4671a95d61e29de0dec3088462691a9ebedaf7a

SHA512
d3b514cbe1bb3252dd5188ce784084c2d86f439e6eba6374fe5cb4d3b4ea254883f5f84863ea4ed626c82cf8f8ccf8d91134ce1e9fe2c359ce6935be34b6180d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
280699cfb64d4e75a37133ffafc1bcaa

SHA1
0718dec31beea5ea6f08fc71f858113e0be318b2

SHA256
99becc434cbf575915858067bf658acf9cedc5d679e8c430010c2021beab4ff5

SHA512
26d3e4596bf7352d96089b34c1509ebdf4f115db945067f23a789aedfa7135c254cca21dc17b6bc1393977c8f8c2ee0134c4c6b4f233eda32aa1cf543cb0fcb0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
4f140b9fb928660408b111eaf5515814

SHA1
a7ab2052c83f2d7da1be701475d992a328f9221b

SHA256
97d7d2c13057d9926fd522ee5c2771fedd79e169f95e3b3360bf5dacac24648a

SHA512
84adddf74960eac2d0485d91482c568aae045e35ac10bcda3a810de9eb54b93f101fec44d4356cc51dbba746c78001baeb6754f84f12ac1a31ef872a3e440433

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
50bf65579656c8b40020594b31222e4d

SHA1
187321468d8445ac9a41a2a82e5044f6a709f0ae

SHA256
1dd23b62dfcb75b86dc20f1d7adeb82343cee408114dc11d88b580ba4cac6723

SHA512
ce579f442fb2bb8e057b0b33c302d0e5f12d495d1828621dba8edcab473f477e91cd6ec8449224a2eb14c686e3431d59f11a91e63deb71793f18fce603a131ca

Download Submit
C:\Windows\TEMP\1f6109a7.bat

Filesize
133B

MD5
47bfd1defc98fe875c89a920becbaddf

SHA1
79cc1668437b8b283bbcfd4bf7d37dfcc4624666

SHA256
13bb7283682fe765c4e463b853399b28ae11fec75f8b807366f603188b3519ee

SHA512
50e500b2c791ed401f5c26ba649fbb1cacc17ead8e05b97908f0f4d8800ebda74370515b33ff045f12e8065bc0d91af7be70b02114bd72b312073953c96e7b9c

Download Submit
C:\Windows\TEMP\386a493e.bat

Filesize
133B

MD5
789a8a16812553c02610de4582e1aa8b

SHA1
89f4f70d5d7380bfaf7b0ec0202f9c089894dea1

SHA256
97b98998865104bb794ac3ed4a722a993f9bcffe1f0e5efeef4b567ae2a3ae0f

SHA512
5e67390ecfa11df64b1a24c51f93e8f98c7ef2bb47e5397cf8ccdb8cb3fa4cc36fdb3d9a8e013165f746d83e1d8ad53087c73a5c74a9c20a1ebf589a25d38580

Download Submit
C:\Windows\rss\csrss.exe

Filesize
8.9MB

MD5
5bfd9f368a71aae200d7f8dc950c562c

SHA1
1d122608ef3bf20cd04df6d52ebb6d79b9bad693

SHA256
22e20fbd8e95ac7b3a77b815e1a438e545354adb5a1bd5a90220a9c17b4008db

SHA512
5a589983adc1a6cf7ed9a7abb3e2dcffc42e9f2ca76b762d75f85ccc418d0b2de9d4e15c5393deb0fc1b95573c246f4556aec3c98bd831d21394efb1f09a8ae8

Download Submit
memory/216-107-0x00000000056A0000-0x00000000059F4000-memory.dmp

Filesize
3.3MB

Download
memory/216-130-0x0000000007230000-0x0000000007241000-memory.dmp

Filesize
68KB

Download
memory/216-131-0x0000000007280000-0x0000000007294000-memory.dmp

Filesize
80KB

Download
memory/216-129-0x0000000006F00000-0x0000000006FA3000-memory.dmp

Filesize
652KB

Download
memory/216-119-0x0000000070CC0000-0x0000000071014000-memory.dmp

Filesize
3.3MB

Download
memory/216-117-0x0000000005D60000-0x0000000005DAC000-memory.dmp

Filesize
304KB

Download
memory/216-118-0x0000000070780000-0x00000000707CC000-memory.dmp

Filesize
304KB

Download
memory/684-97-0x0000000000B00000-0x0000000001421000-memory.dmp

Filesize
9.1MB

Download
memory/684-5-0x0000000000B00000-0x0000000001421000-memory.dmp

Filesize
9.1MB

Download
memory/1728-6-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/1728-67-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/2676-190-0x00000000009F0000-0x00000000009F9000-memory.dmp

Filesize
36KB

Download
memory/3620-168-0x0000000070780000-0x00000000707CC000-memory.dmp

Filesize
304KB

Download
memory/3620-169-0x0000000070CC0000-0x0000000071014000-memory.dmp

Filesize
3.3MB

Download
memory/3860-246-0x0000000005AD0000-0x0000000005AE1000-memory.dmp

Filesize
68KB

Download
memory/3860-231-0x0000000005610000-0x0000000005964000-memory.dmp

Filesize
3.3MB

Download
memory/3860-233-0x0000000006100000-0x000000000614C000-memory.dmp

Filesize
304KB

Download
memory/3860-234-0x00000000706E0000-0x000000007072C000-memory.dmp

Filesize
304KB

Download
memory/3860-235-0x0000000070E80000-0x00000000711D4000-memory.dmp

Filesize
3.3MB

Download
memory/3860-245-0x0000000006F00000-0x0000000006FA3000-memory.dmp

Filesize
652KB

Download
memory/3860-247-0x0000000005B10000-0x0000000005B24000-memory.dmp

Filesize
80KB

Download
memory/3984-12-0x0000000005860000-0x00000000058C6000-memory.dmp

Filesize
408KB

Download
memory/3984-83-0x0000000007C40000-0x0000000007C5E000-memory.dmp

Filesize
120KB

Download
memory/3984-64-0x00000000079C0000-0x0000000007A36000-memory.dmp

Filesize
472KB

Download
memory/3984-31-0x0000000006660000-0x000000000667E000-memory.dmp

Filesize
120KB

Download
memory/3984-23-0x0000000006060000-0x00000000063B4000-memory.dmp

Filesize
3.3MB

Download
memory/3984-32-0x00000000066A0000-0x00000000066EC000-memory.dmp

Filesize
304KB

Download
memory/3984-94-0x00000000736F0000-0x0000000073EA0000-memory.dmp

Filesize
7.7MB

Download
memory/3984-91-0x0000000007E00000-0x0000000007E08000-memory.dmp

Filesize
32KB

Download
memory/3984-90-0x0000000007E10000-0x0000000007E2A000-memory.dmp

Filesize
104KB

Download
memory/3984-89-0x0000000007DC0000-0x0000000007DD4000-memory.dmp

Filesize
80KB

Download
memory/3984-88-0x0000000007DA0000-0x0000000007DAE000-memory.dmp

Filesize
56KB

Download
memory/3984-13-0x0000000005F10000-0x0000000005F76000-memory.dmp

Filesize
408KB

Download
memory/3984-69-0x00000000080C0000-0x000000000873A000-memory.dmp

Filesize
6.5MB

Download
memory/3984-54-0x0000000006BF0000-0x0000000006C34000-memory.dmp

Filesize
272KB

Download
memory/3984-70-0x0000000007A40000-0x0000000007A5A000-memory.dmp

Filesize
104KB

Download
memory/3984-71-0x0000000007C00000-0x0000000007C32000-memory.dmp

Filesize
200KB

Download
memory/3984-11-0x00000000057C0000-0x00000000057E2000-memory.dmp

Filesize
136KB

Download
memory/3984-87-0x0000000007D60000-0x0000000007D71000-memory.dmp

Filesize
68KB

Download
memory/3984-86-0x0000000007E60000-0x0000000007EF6000-memory.dmp

Filesize
600KB

Download
memory/3984-10-0x00000000058E0000-0x0000000005F08000-memory.dmp

Filesize
6.2MB

Download
memory/3984-73-0x0000000070300000-0x0000000070654000-memory.dmp

Filesize
3.3MB

Download
memory/3984-72-0x0000000070020000-0x000000007006C000-memory.dmp

Filesize
304KB

Download
memory/3984-85-0x0000000007D50000-0x0000000007D5A000-memory.dmp

Filesize
40KB

Download
memory/3984-9-0x00000000736F0000-0x0000000073EA0000-memory.dmp

Filesize
7.7MB

Download
memory/3984-7-0x00000000736FE000-0x00000000736FF000-memory.dmp

Filesize
4KB

Download
memory/3984-8-0x0000000002D40000-0x0000000002D76000-memory.dmp

Filesize
216KB

Download
memory/3984-84-0x0000000007C60000-0x0000000007D03000-memory.dmp

Filesize
652KB

Download
memory/4332-101-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/4332-105-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/4756-207-0x00000000707C0000-0x000000007080C000-memory.dmp

Filesize
304KB

Download
memory/4756-208-0x0000000070940000-0x0000000070C94000-memory.dmp

Filesize
3.3MB

Download
memory/4756-218-0x0000000007900000-0x00000000079A3000-memory.dmp

Filesize
652KB

Download
memory/4756-219-0x00000000064B0000-0x00000000064C1000-memory.dmp

Filesize
68KB

Download
memory/4756-220-0x00000000064F0000-0x0000000006504000-memory.dmp

Filesize
80KB

Download
memory/4756-206-0x0000000006710000-0x000000000675C000-memory.dmp

Filesize
304KB

Download
memory/4756-204-0x0000000006120000-0x0000000006474000-memory.dmp

Filesize
3.3MB

Download
memory/4776-186-0x0000000000B00000-0x0000000001421000-memory.dmp

Filesize
9.1MB

Download
memory/4776-100-0x0000000000B00000-0x0000000001421000-memory.dmp

Filesize
9.1MB

Download
memory/4788-144-0x0000000005E60000-0x00000000061B4000-memory.dmp

Filesize
3.3MB

Download
memory/4788-146-0x0000000070780000-0x00000000707CC000-memory.dmp

Filesize
304KB

Download
memory/4788-147-0x00000000708E0000-0x0000000070C34000-memory.dmp

Filesize
3.3MB

Download
memory/4976-187-0x00000000007F0000-0x0000000001111000-memory.dmp

Filesize
9.1MB

Download
memory/4976-276-0x00000000007F0000-0x0000000001111000-memory.dmp

Filesize
9.1MB

Download
memory/5036-259-0x00000000706E0000-0x000000007072C000-memory.dmp

Filesize
304KB

Download
memory/5036-260-0x0000000070E80000-0x00000000711D4000-memory.dmp

Filesize
3.3MB

Download