glupteba | 4a8e933462209a204f87c02e41e88e99541ccb85964a22d9762f443cf19af409

Analysis

max time kernel
15s
max time network
63s
platform
windows7_x64
resource
win7v20210410
submitted
08-07-2021 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Size

4.5MB
MD5

dde0965428c655c1fabbcba5a44e7830
SHA1

b5118f55982bf9784bb34a3f0af738f7d409a5ff
SHA256

7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4
SHA512

f6b83ff23e0e7102a69bf43e723f312acb0bbf95e04d7386513cc2c5b2f9e160f0f38b179688702675ecb7c4a0782fad1f007f3db59c2104aa08a7cdcc6b2e13

Score

10^/10

glupteba metasploit backdoor dropper loader trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral9/memory/1632-59-0x0000000002B50000-0x0000000003476000-memory.dmp	family_glupteba
behavioral9/memory/1632-60-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies data under HKEY_USERS 64 IoCs

Processes:

7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-432 = "Iran Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-581 = "North Asia East Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-162 = "Central Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-551 = "North Asia Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-262 = "GMT Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-362 = "GTB Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-522 = "N. Central Asia Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-352 = "FLE Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time"	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe

pid process

1632 7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe

pid	process
1632	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe

description	pid	process
Token: SeDebugPrivilege	1632	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
Token: SeImpersonatePrivilege	1632	7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe

C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
"C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
"C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe"
2⤵
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1632-59-0x0000000002B50000-0x0000000003476000-memory.dmp

Filesize
9.1MB

Download
memory/1632-60-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download