glupteba | 5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32

General

Target

5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Size

4.3MB
MD5

155b6831c5e93352df25dc91730acc31
SHA1

222ff9a86989568abd0dcacedfe97f3cde4cd7ca
SHA256

5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32
SHA512

ef9ee9d5c85948459b68e0f3413dbbb44dd5a6e2fe005f70046d346ac6d963edeeecb9ff7cf290d32a63fb172a1fca1cfd70c17b6ee602ffcbbe8fdc6d961b31

Score

10^/10

glupteba metasploit backdoor dropper loader trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4016-114-0x0000000003280000-0x0000000003B9E000-memory.dmp	family_glupteba
behavioral1/memory/4016-115-0x0000000000400000-0x0000000000D39000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies data under HKEY_USERS 64 IoCs

Processes:

5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d601030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5c0000000100000004000000000800001900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c137e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe

pid	process
4016	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
4016	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe

description	pid	process
Token: SeDebugPrivilege	4016	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
Token: SeImpersonatePrivilege	4016	5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe

C:\Users\Admin\AppData\Local\Temp\5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
"C:\Users\Admin\AppData\Local\Temp\5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Users\Admin\AppData\Local\Temp\5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe
"C:\Users\Admin\AppData\Local\Temp\5db696e6c30d99085b3f446e2713b5b2903e47c584b935ebc8d1b3a8e0312e32.exe"
2⤵
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:2248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4016-114-0x0000000003280000-0x0000000003B9E000-memory.dmp

Filesize
9.1MB

Download
memory/4016-115-0x0000000000400000-0x0000000000D39000-memory.dmp

Filesize
9.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads