glupteba | 4a8e933462209a204f87c02e41e88e99541ccb85964a22d9762f443cf19af409

Analysis

max time kernel
16s
max time network
119s
platform
windows10_x64
resource
win10v20210408
submitted
08-07-2021 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Size

4.5MB
MD5

dde0965428c655c1fabbcba5a44e7830
SHA1

b5118f55982bf9784bb34a3f0af738f7d409a5ff
SHA256

7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4
SHA512

f6b83ff23e0e7102a69bf43e723f312acb0bbf95e04d7386513cc2c5b2f9e160f0f38b179688702675ecb7c4a0782fad1f007f3db59c2104aa08a7cdcc6b2e13

Score

10^/10

glupteba metasploit backdoor dropper loader trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral10/memory/996-114-0x0000000002F90000-0x00000000038B6000-memory.dmp	family_glupteba
behavioral10/memory/996-115-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 3396 created 996 3396 svchost.exe 7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe

description	pid	process	target process
PID 3396 created 996	3396	svchost.exe	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-152 = "Central America Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d601030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5c0000000100000004000000000800001900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c137e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe

pid	process
996	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
996	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	996	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Token: SeImpersonatePrivilege	996	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Token: SeTcbPrivilege	3396	svchost.exe
Token: SeTcbPrivilege	3396	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 3396 wrote to memory of 4056	3396	svchost.exe	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
PID 3396 wrote to memory of 4056	3396	svchost.exe	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
PID 3396 wrote to memory of 4056	3396	svchost.exe	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe

C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
"C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
"C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe"
2⤵
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:4056

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/996-114-0x0000000002F90000-0x00000000038B6000-memory.dmp

Filesize
9.1MB

Download
memory/996-115-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/4056-116-0x0000000000000000-mapping.dmp

Download