glupteba | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

Target

Setup (19).exe
Size

631KB
MD5

cb927513ff8ebff4dd52a47f7e42f934
SHA1

0de47c02a8adc4940a6c18621b4e4a619641d029
SHA256

fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
SHA512

988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c

Score

10^/10

glupteba metasploit redline vidar 937 second_7.5k www backdoor discovery dropper evasion infostealer loader spyware stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

www

185.204.109.146:54891

Extracted

Family

redline

Botnet

Second_7.5K

45.14.49.200:27625

Extracted

Family

vidar

Version

40.1

Botnet

937

https://eduarroma.tumblr.com/

Attributes

profile_id
937

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 3 IoCs

resource	yara_rule
behavioral21/memory/1204-156-0x0000000004760000-0x0000000005086000-memory.dmp	family_glupteba
behavioral21/memory/1204-161-0x0000000000400000-0x00000000027DB000-memory.dmp	family_glupteba
behavioral21/memory/2628-162-0x0000000000400000-0x00000000027DB000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

resource	yara_rule
behavioral21/files/0x0003000000013113-62.dat	family_redline
behavioral21/files/0x0003000000013113-71.dat	family_redline
behavioral21/files/0x0003000000013159-74.dat	family_redline
behavioral21/files/0x0003000000013159-95.dat	family_redline
behavioral21/files/0x0003000000013113-103.dat	family_redline
behavioral21/files/0x0003000000013159-104.dat	family_redline

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral21/memory/1832-125-0x0000000000220000-0x00000000002BD000-memory.dmp	family_vidar
behavioral21/memory/1832-128-0x0000000000400000-0x0000000002D0E000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
1840	aFevX1m0GF5d5k730ibc_fIi.exe
1720	0Ofgf1rtk_CtH7RKEk7fIYZs.exe
1340	VayOCucCmXnp9pR3UmRKIgFZ.exe
1172	ea483tLhmJYU48alI1kSD5Um.exe
612	lTppLAzi8WQvwLARPLSVxNG5.exe
1204	JAuu_xm_T50e6s9PdjWgjFdv.exe
1348	kDxZzwURoJSup884EVALAd3U.exe
1616	Oyuj4edM0T5VmLi18wOaJkwV.exe
1900	8UxyzatQIoIZ2XmTP9nwbDgB.exe
396	QK0MTdDnAdyZUCU9jKi6ZY7G.exe
1832	vqkFUAOaKnMc5RZ3DW_HEkOZ.exe
1628	OtUxGS2AanQZ0NCDclLYbwXh.exe
1488	S_oBUrt6tiby69YBurKbOmPQ.exe
2628	JAuu_xm_T50e6s9PdjWgjFdv.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ea483tLhmJYU48alI1kSD5Um.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	OtUxGS2AanQZ0NCDclLYbwXh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OtUxGS2AanQZ0NCDclLYbwXh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ea483tLhmJYU48alI1kSD5Um.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation	Setup (19).exe

Loads dropped DLL 30 IoCs

pid	Process
2008	Setup (19).exe
2008	Setup (19).exe
2008	Setup (19).exe
2008	Setup (19).exe
2008	Setup (19).exe
2008	Setup (19).exe
2008	Setup (19).exe
2008	Setup (19).exe
2008	Setup (19).exe
2008	Setup (19).exe
2008	Setup (19).exe
2008	Setup (19).exe
2008	Setup (19).exe
2008	Setup (19).exe
2008	Setup (19).exe
2008	Setup (19).exe
2008	Setup (19).exe
2008	Setup (19).exe
2008	Setup (19).exe
2008	Setup (19).exe
2008	Setup (19).exe
2008	Setup (19).exe
2008	Setup (19).exe
276	WerFault.exe
276	WerFault.exe
276	WerFault.exe
276	WerFault.exe
276	WerFault.exe
276	WerFault.exe
276	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral21/files/0x0003000000013158-82.dat	themida
behavioral21/files/0x000300000001315b-76.dat	themida
behavioral21/files/0x000300000001315b-96.dat	themida
behavioral21/files/0x000300000001317f-114.dat	themida
behavioral21/files/0x000300000001317f-120.dat	themida
behavioral21/memory/1172-130-0x00000000008E0000-0x00000000008E1000-memory.dmp	themida
behavioral21/memory/1628-141-0x0000000001140000-0x0000000001141000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ea483tLhmJYU48alI1kSD5Um.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OtUxGS2AanQZ0NCDclLYbwXh.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ipinfo.io
19	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1172	ea483tLhmJYU48alI1kSD5Um.exe
1628	OtUxGS2AanQZ0NCDclLYbwXh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
276	1832	WerFault.exe	54

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	JAuu_xm_T50e6s9PdjWgjFdv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	JAuu_xm_T50e6s9PdjWgjFdv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	JAuu_xm_T50e6s9PdjWgjFdv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	JAuu_xm_T50e6s9PdjWgjFdv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	JAuu_xm_T50e6s9PdjWgjFdv.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Setup (19).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Setup (19).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	vqkFUAOaKnMc5RZ3DW_HEkOZ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	vqkFUAOaKnMc5RZ3DW_HEkOZ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	vqkFUAOaKnMc5RZ3DW_HEkOZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Setup (19).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Setup (19).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Setup (19).exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2008	Setup (19).exe
276	WerFault.exe
276	WerFault.exe
276	WerFault.exe
276	WerFault.exe
276	WerFault.exe
276	WerFault.exe
1340	VayOCucCmXnp9pR3UmRKIgFZ.exe
1340	VayOCucCmXnp9pR3UmRKIgFZ.exe
1204	JAuu_xm_T50e6s9PdjWgjFdv.exe
1628	OtUxGS2AanQZ0NCDclLYbwXh.exe
1628	OtUxGS2AanQZ0NCDclLYbwXh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
276	WerFault.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1340	VayOCucCmXnp9pR3UmRKIgFZ.exe
Token: SeDebugPrivilege	276	WerFault.exe
Token: SeDebugPrivilege	1204	JAuu_xm_T50e6s9PdjWgjFdv.exe
Token: SeImpersonatePrivilege	1204	JAuu_xm_T50e6s9PdjWgjFdv.exe
Token: SeDebugPrivilege	1628	OtUxGS2AanQZ0NCDclLYbwXh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1840	2008	Setup (19).exe	31
PID 2008 wrote to memory of 1840	2008	Setup (19).exe	31
PID 2008 wrote to memory of 1840	2008	Setup (19).exe	31
PID 2008 wrote to memory of 1840	2008	Setup (19).exe	31
PID 2008 wrote to memory of 1624	2008	Setup (19).exe	32
PID 2008 wrote to memory of 1624	2008	Setup (19).exe	32
PID 2008 wrote to memory of 1624	2008	Setup (19).exe	32
PID 2008 wrote to memory of 1624	2008	Setup (19).exe	32
PID 2008 wrote to memory of 1616	2008	Setup (19).exe	34
PID 2008 wrote to memory of 1616	2008	Setup (19).exe	34
PID 2008 wrote to memory of 1616	2008	Setup (19).exe	34
PID 2008 wrote to memory of 1616	2008	Setup (19).exe	34
PID 2008 wrote to memory of 1720	2008	Setup (19).exe	33
PID 2008 wrote to memory of 1720	2008	Setup (19).exe	33
PID 2008 wrote to memory of 1720	2008	Setup (19).exe	33
PID 2008 wrote to memory of 1720	2008	Setup (19).exe	33
PID 2008 wrote to memory of 612	2008	Setup (19).exe	37
PID 2008 wrote to memory of 612	2008	Setup (19).exe	37
PID 2008 wrote to memory of 612	2008	Setup (19).exe	37
PID 2008 wrote to memory of 612	2008	Setup (19).exe	37
PID 2008 wrote to memory of 1340	2008	Setup (19).exe	38
PID 2008 wrote to memory of 1340	2008	Setup (19).exe	38
PID 2008 wrote to memory of 1340	2008	Setup (19).exe	38
PID 2008 wrote to memory of 1340	2008	Setup (19).exe	38
PID 2008 wrote to memory of 1348	2008	Setup (19).exe	36
PID 2008 wrote to memory of 1348	2008	Setup (19).exe	36
PID 2008 wrote to memory of 1348	2008	Setup (19).exe	36
PID 2008 wrote to memory of 1348	2008	Setup (19).exe	36
PID 2008 wrote to memory of 1172	2008	Setup (19).exe	39
PID 2008 wrote to memory of 1172	2008	Setup (19).exe	39
PID 2008 wrote to memory of 1172	2008	Setup (19).exe	39
PID 2008 wrote to memory of 1172	2008	Setup (19).exe	39
PID 2008 wrote to memory of 1172	2008	Setup (19).exe	39
PID 2008 wrote to memory of 1172	2008	Setup (19).exe	39
PID 2008 wrote to memory of 1172	2008	Setup (19).exe	39
PID 2008 wrote to memory of 896	2008	Setup (19).exe	45
PID 2008 wrote to memory of 896	2008	Setup (19).exe	45
PID 2008 wrote to memory of 896	2008	Setup (19).exe	45
PID 2008 wrote to memory of 896	2008	Setup (19).exe	45
PID 2008 wrote to memory of 896	2008	Setup (19).exe	45
PID 2008 wrote to memory of 896	2008	Setup (19).exe	45
PID 2008 wrote to memory of 896	2008	Setup (19).exe	45
PID 2008 wrote to memory of 1204	2008	Setup (19).exe	44
PID 2008 wrote to memory of 1204	2008	Setup (19).exe	44
PID 2008 wrote to memory of 1204	2008	Setup (19).exe	44
PID 2008 wrote to memory of 1204	2008	Setup (19).exe	44
PID 2008 wrote to memory of 808	2008	Setup (19).exe	43
PID 2008 wrote to memory of 808	2008	Setup (19).exe	43
PID 2008 wrote to memory of 808	2008	Setup (19).exe	43
PID 2008 wrote to memory of 808	2008	Setup (19).exe	43
PID 2008 wrote to memory of 1900	2008	Setup (19).exe	42
PID 2008 wrote to memory of 1900	2008	Setup (19).exe	42
PID 2008 wrote to memory of 1900	2008	Setup (19).exe	42
PID 2008 wrote to memory of 1900	2008	Setup (19).exe	42
PID 2008 wrote to memory of 396	2008	Setup (19).exe	50
PID 2008 wrote to memory of 396	2008	Setup (19).exe	50
PID 2008 wrote to memory of 396	2008	Setup (19).exe	50
PID 2008 wrote to memory of 396	2008	Setup (19).exe	50
PID 2008 wrote to memory of 1832	2008	Setup (19).exe	54
PID 2008 wrote to memory of 1832	2008	Setup (19).exe	54
PID 2008 wrote to memory of 1832	2008	Setup (19).exe	54
PID 2008 wrote to memory of 1832	2008	Setup (19).exe	54
PID 2008 wrote to memory of 1628	2008	Setup (19).exe	53
PID 2008 wrote to memory of 1628	2008	Setup (19).exe	53

C:\Users\Admin\AppData\Local\Temp\Setup (19).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (19).exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\Documents\aFevX1m0GF5d5k730ibc_fIi.exe
  "C:\Users\Admin\Documents\aFevX1m0GF5d5k730ibc_fIi.exe"
  2⤵
  - Executes dropped EXE
  PID:1840
- C:\Users\Admin\Documents\GXqcntlGHYc0L66NCl4YUrE5.exe
  "C:\Users\Admin\Documents\GXqcntlGHYc0L66NCl4YUrE5.exe"
  2⤵
  PID:1624
- C:\Users\Admin\Documents\0Ofgf1rtk_CtH7RKEk7fIYZs.exe
  "C:\Users\Admin\Documents\0Ofgf1rtk_CtH7RKEk7fIYZs.exe"
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Users\Admin\Documents\Oyuj4edM0T5VmLi18wOaJkwV.exe
  "C:\Users\Admin\Documents\Oyuj4edM0T5VmLi18wOaJkwV.exe"
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Users\Admin\Documents\kDxZzwURoJSup884EVALAd3U.exe
  "C:\Users\Admin\Documents\kDxZzwURoJSup884EVALAd3U.exe"
  2⤵
  - Executes dropped EXE
  PID:1348
- C:\Users\Admin\Documents\lTppLAzi8WQvwLARPLSVxNG5.exe
  "C:\Users\Admin\Documents\lTppLAzi8WQvwLARPLSVxNG5.exe"
  2⤵
  - Executes dropped EXE
  PID:612
- C:\Users\Admin\Documents\VayOCucCmXnp9pR3UmRKIgFZ.exe
  "C:\Users\Admin\Documents\VayOCucCmXnp9pR3UmRKIgFZ.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1340
- C:\Users\Admin\Documents\ea483tLhmJYU48alI1kSD5Um.exe
  "C:\Users\Admin\Documents\ea483tLhmJYU48alI1kSD5Um.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1172
- C:\Users\Admin\Documents\8UxyzatQIoIZ2XmTP9nwbDgB.exe
  "C:\Users\Admin\Documents\8UxyzatQIoIZ2XmTP9nwbDgB.exe"
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Users\Admin\Documents\XP_hFz01vfcQZOMF_gGVNyCT.exe
  "C:\Users\Admin\Documents\XP_hFz01vfcQZOMF_gGVNyCT.exe"
  2⤵
  PID:808
- C:\Users\Admin\Documents\JAuu_xm_T50e6s9PdjWgjFdv.exe
  "C:\Users\Admin\Documents\JAuu_xm_T50e6s9PdjWgjFdv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1204
- - C:\Users\Admin\Documents\JAuu_xm_T50e6s9PdjWgjFdv.exe
    "C:\Users\Admin\Documents\JAuu_xm_T50e6s9PdjWgjFdv.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:2628
- C:\Users\Admin\Documents\aTau7XhS8PLQSkPiaxNkamKd.exe
  "C:\Users\Admin\Documents\aTau7XhS8PLQSkPiaxNkamKd.exe"
  2⤵
  PID:896
- C:\Users\Admin\Documents\QK0MTdDnAdyZUCU9jKi6ZY7G.exe
  "C:\Users\Admin\Documents\QK0MTdDnAdyZUCU9jKi6ZY7G.exe"
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Users\Admin\Documents\S_oBUrt6tiby69YBurKbOmPQ.exe
  "C:\Users\Admin\Documents\S_oBUrt6tiby69YBurKbOmPQ.exe"
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Users\Admin\Documents\OtUxGS2AanQZ0NCDclLYbwXh.exe
  "C:\Users\Admin\Documents\OtUxGS2AanQZ0NCDclLYbwXh.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Users\Admin\Documents\vqkFUAOaKnMc5RZ3DW_HEkOZ.exe
  "C:\Users\Admin\Documents\vqkFUAOaKnMc5RZ3DW_HEkOZ.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:1832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 868
    3⤵
    - Loads dropped DLL
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/276-160-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/612-159-0x0000000000400000-0x00000000023AF000-memory.dmp

Filesize
31.7MB

Download
memory/612-142-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/1172-130-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/1204-156-0x0000000004760000-0x0000000005086000-memory.dmp

Filesize
9.1MB

Download
memory/1204-161-0x0000000000400000-0x00000000027DB000-memory.dmp

Filesize
35.9MB

Download
memory/1340-134-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1340-154-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/1348-131-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/1616-129-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/1628-158-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/1628-141-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/1720-102-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1832-128-0x0000000000400000-0x0000000002D0E000-memory.dmp

Filesize
41.1MB

Download
memory/1832-125-0x0000000000220000-0x00000000002BD000-memory.dmp

Filesize
628KB

Download
memory/1840-132-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/1900-133-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2008-60-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/2008-61-0x0000000003E80000-0x0000000003FBF000-memory.dmp

Filesize
1.2MB

Download
memory/2628-162-0x0000000000400000-0x00000000027DB000-memory.dmp

Filesize
35.9MB

Download