glupteba | d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43

General

Target

d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Size

6.6MB
MD5

647df9da3457d9c1b936502d4df8c3c4
SHA1

8680cb73bacce533df5afeb5f62fd63f75094bd1
SHA256

d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43
SHA512

6dbb3c179ed2c087788e1a25a2b48e9bc5dcd47d34b8e6768f4ee49acf66c55b9724d79e4d5a801fd84ff9e43e9c733f38dfa436ec320bf836e432bda4b2d455

Score

10^/10

glupteba dropper evasion loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/888-57-0x0000000005A40000-0x0000000006110000-memory.dmp	family_glupteba
behavioral1/memory/888-58-0x0000000000400000-0x0000000002EAA000-memory.dmp	family_glupteba
behavioral1/memory/888-59-0x0000000000400000-0x0000000002EAA000-memory.dmp	family_glupteba
behavioral1/memory/888-60-0x0000000000400000-0x0000000002EAA000-memory.dmp	family_glupteba
behavioral1/memory/1512-67-0x0000000000400000-0x0000000002EAA000-memory.dmp	family_glupteba
behavioral1/memory/1512-72-0x0000000000400000-0x0000000002EAA000-memory.dmp	family_glupteba
behavioral1/memory/1512-73-0x0000000037270000-0x0000000039D1A000-memory.dmp	family_glupteba
behavioral1/memory/408-77-0x0000000000400000-0x0000000002EAA000-memory.dmp	family_glupteba
behavioral1/memory/408-78-0x0000000000400000-0x0000000002EAA000-memory.dmp	family_glupteba

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

880 netsh.exe

pid	process
880	netsh.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exed08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe

pid	process
888	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
888	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
888	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
888	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
1512	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
1512	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe

description	pid	process
Token: SeDebugPrivilege	888	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Token: SeImpersonatePrivilege	888	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe

C:\Users\Admin\AppData\Local\Temp\d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
"C:\Users\Admin\AppData\Local\Temp\d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\Users\Admin\AppData\Local\Temp\d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
"C:\Users\Admin\AppData\Local\Temp\d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe"
2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:1984

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:880

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
PID:408

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220731114037.log C:\Windows\Logs\CBS\CbsPersist_20220731114037.cab
1⤵
PID:520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\rss\csrss.exe
Filesize
6.6MB

MD5
647df9da3457d9c1b936502d4df8c3c4

SHA1
8680cb73bacce533df5afeb5f62fd63f75094bd1

SHA256
d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43

SHA512
6dbb3c179ed2c087788e1a25a2b48e9bc5dcd47d34b8e6768f4ee49acf66c55b9724d79e4d5a801fd84ff9e43e9c733f38dfa436ec320bf836e432bda4b2d455

Download Submit
\Windows\rss\csrss.exe
Filesize
6.6MB

MD5
647df9da3457d9c1b936502d4df8c3c4

SHA1
8680cb73bacce533df5afeb5f62fd63f75094bd1

SHA256
d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43

SHA512
6dbb3c179ed2c087788e1a25a2b48e9bc5dcd47d34b8e6768f4ee49acf66c55b9724d79e4d5a801fd84ff9e43e9c733f38dfa436ec320bf836e432bda4b2d455

Download Submit
\Windows\rss\csrss.exe
Filesize
6.6MB

MD5
647df9da3457d9c1b936502d4df8c3c4

SHA1
8680cb73bacce533df5afeb5f62fd63f75094bd1

SHA256
d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43

SHA512
6dbb3c179ed2c087788e1a25a2b48e9bc5dcd47d34b8e6768f4ee49acf66c55b9724d79e4d5a801fd84ff9e43e9c733f38dfa436ec320bf836e432bda4b2d455

Download Submit
memory/408-78-0x0000000000400000-0x0000000002EAA000-memory.dmp

Filesize
42.7MB

Download
memory/408-77-0x0000000000400000-0x0000000002EAA000-memory.dmp

Filesize
42.7MB

Download
memory/408-76-0x0000000005530000-0x00000000058C8000-memory.dmp

Filesize
3.6MB

Download
memory/408-75-0x0000000000400000-0x0000000002EAA000-memory.dmp

Filesize
42.7MB

Download
memory/408-74-0x0000000005530000-0x00000000059FA000-memory.dmp

Filesize
4.8MB

Download
memory/408-70-0x0000000000000000-mapping.dmp

Download
memory/880-65-0x0000000000000000-mapping.dmp

Download
memory/880-66-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

Filesize
8KB

Download
memory/888-60-0x0000000000400000-0x0000000002EAA000-memory.dmp

Filesize
42.7MB

Download
memory/888-59-0x0000000000400000-0x0000000002EAA000-memory.dmp

Filesize
42.7MB

Download
memory/888-55-0x0000000005570000-0x0000000005A3A000-memory.dmp

Filesize
4.8MB

Download
memory/888-56-0x0000000005570000-0x0000000005908000-memory.dmp

Filesize
3.6MB

Download
memory/888-57-0x0000000005A40000-0x0000000006110000-memory.dmp

Filesize
6.8MB

Download
memory/888-58-0x0000000000400000-0x0000000002EAA000-memory.dmp

Filesize
42.7MB

Download
memory/888-54-0x0000000000400000-0x0000000002EAA000-memory.dmp

Filesize
42.7MB

Download
memory/1512-62-0x0000000000400000-0x0000000002EAA000-memory.dmp

Filesize
42.7MB

Download
memory/1512-73-0x0000000037270000-0x0000000039D1A000-memory.dmp

Filesize
42.7MB

Download
memory/1512-72-0x0000000000400000-0x0000000002EAA000-memory.dmp

Filesize
42.7MB

Download
memory/1512-61-0x0000000005540000-0x0000000005A0A000-memory.dmp

Filesize
4.8MB

Download
memory/1512-64-0x0000000005540000-0x00000000058D8000-memory.dmp

Filesize
3.6MB

Download
memory/1512-67-0x0000000000400000-0x0000000002EAA000-memory.dmp

Filesize
42.7MB

Download
memory/1984-63-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads