glupteba | 12ee6f798c7c0ade1d6f99819e7a4e714a22abb9a4c5b78506413dfc1d97eb3a

General

Target

Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Size

4.3MB
MD5

570090a065948e6d439e2b99f999f0a4
SHA1

0f2bf4aad8e12a340e37457566edb9e6816eee9e
SHA256

12ee6f798c7c0ade1d6f99819e7a4e714a22abb9a4c5b78506413dfc1d97eb3a
SHA512

37e5d43d7fb893556aff079a696e13db4b7d186576a268eeb512a86790caf9fc370e4b737a6c3cc53b46bd5c311a801f0733c9c414e0750aa28db78e6cf3ee01

Score

10^/10

glupteba metasploit backdoor dropper loader trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3388-115-0x0000000004380000-0x0000000004CA6000-memory.dmp	family_glupteba
behavioral2/memory/3388-116-0x0000000000400000-0x00000000021A4000-memory.dmp	family_glupteba
behavioral2/memory/2712-118-0x0000000000400000-0x00000000021A4000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 3968 created 3388 3968 svchost.exe Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe

description	pid	process	target process
PID 3968 created 3388	3968	svchost.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe

Drops file in Windows directory 2 IoCs

Processes:

taskmgr.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	taskmgr.exe

Program crash 37 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3176	3388	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
2268	3388	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
3884	3388	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
3548	3388	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
3696	3388	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
2832	3388	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
2648	3388	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
3280	3388	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
3864	3388	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
3948	3388	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
3868	3388	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
3792	3388	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
4000	3388	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
3176	3388	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
2260	3388	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
4044	3388	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
992	3388	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
2832	3388	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
2648	3388	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
2608	3388	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
596	3388	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
3172	2712	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
3116	2712	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
3548	2712	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
3424	2712	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
2668	2712	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
1872	2712	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
660	2712	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
868	2712	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
3796	2712	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
3276	2712	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
3540	2712	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
376	2712	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
1040	2712	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
1164	2712	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
1304	2712	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
1448	2712	WerFault.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-571 = "China Daylight Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-432 = "Iran Standard Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-491 = "India Daylight Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time"	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exetaskmgr.exe

pid	process
3388	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
3388	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exesvchost.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	3388	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Token: SeImpersonatePrivilege	3388	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
Token: SeTcbPrivilege	3968	svchost.exe
Token: SeTcbPrivilege	3968	svchost.exe
Token: SeDebugPrivilege	2276	taskmgr.exe
Token: SeSystemProfilePrivilege	2276	taskmgr.exe
Token: SeCreateGlobalPrivilege	2276	taskmgr.exe

Suspicious use of FindShellTrayWindow 47 IoCs

Processes:

taskmgr.exe

pid	process
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe

Suspicious use of SendNotifyMessage 46 IoCs

Processes:

taskmgr.exe

pid	process
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 3968 wrote to memory of 2712	3968	svchost.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
PID 3968 wrote to memory of 2712	3968	svchost.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
PID 3968 wrote to memory of 2712	3968	svchost.exe	Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe

C:\Users\Admin\AppData\Local\Temp\Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
"C:\Users\Admin\AppData\Local\Temp\Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 392
2⤵
- Program crash
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 380
2⤵
- Program crash
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 432
2⤵
- Program crash
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 588
2⤵
- Program crash
PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 664
2⤵
- Program crash
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 700
2⤵
- Program crash
PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 652
2⤵
- Program crash
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 712
2⤵
- Program crash
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 788
2⤵
- Program crash
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 680
2⤵
- Program crash
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 724
2⤵
- Program crash
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 664
2⤵
- Program crash
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 796
2⤵
- Program crash
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 712
2⤵
- Program crash
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 552
2⤵
- Program crash
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 728
2⤵
- Program crash
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 764
2⤵
- Program crash
PID:992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 624
2⤵
- Program crash
PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 724
2⤵
- Program crash
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 868
2⤵
- Program crash
PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 916
2⤵
- Program crash
PID:596

C:\Users\Admin\AppData\Local\Temp\Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe
"C:\Users\Admin\AppData\Local\Temp\Latex+A5+Booklet+Template-PLND-ABMwKmEcmwAABTwCAEdCFwASAN3i2g8A.exe"
2⤵
- Modifies data under HKEY_USERS
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 352
3⤵
- Program crash
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 336
3⤵
- Program crash
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 392
3⤵
- Program crash
PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 596
3⤵
- Program crash
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 632
3⤵
- Program crash
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 668
3⤵
- Program crash
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 580
3⤵
- Program crash
PID:660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 680
3⤵
- Program crash
PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 756
3⤵
- Program crash
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 640
3⤵
- Program crash
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 780
3⤵
- Program crash
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 752
3⤵
- Program crash
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 572
3⤵
- Program crash
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 688
3⤵
- Program crash
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 828
3⤵
- Program crash
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 1008
3⤵
- Program crash
PID:1448

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2276

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2712-117-0x0000000000000000-mapping.dmp

Download
memory/2712-118-0x0000000000400000-0x00000000021A4000-memory.dmp

Filesize
29.6MB

Download
memory/3388-115-0x0000000004380000-0x0000000004CA6000-memory.dmp

Filesize
9.1MB

Download
memory/3388-116-0x0000000000400000-0x00000000021A4000-memory.dmp

Filesize
29.6MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads