glupteba | d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43

General

Target

d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Size

6.6MB
MD5

647df9da3457d9c1b936502d4df8c3c4
SHA1

8680cb73bacce533df5afeb5f62fd63f75094bd1
SHA256

d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43
SHA512

6dbb3c179ed2c087788e1a25a2b48e9bc5dcd47d34b8e6768f4ee49acf66c55b9724d79e4d5a801fd84ff9e43e9c733f38dfa436ec320bf836e432bda4b2d455

Score

10^/10

glupteba dropper evasion loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1772-132-0x0000000005D30000-0x0000000006400000-memory.dmp	family_glupteba
behavioral2/memory/1772-133-0x0000000000400000-0x0000000002EAA000-memory.dmp	family_glupteba
behavioral2/memory/1772-135-0x0000000000400000-0x0000000002EAA000-memory.dmp	family_glupteba
behavioral2/memory/4924-138-0x0000000000400000-0x0000000002EAA000-memory.dmp	family_glupteba
behavioral2/memory/4924-141-0x0000000000400000-0x0000000002EAA000-memory.dmp	family_glupteba
behavioral2/memory/4924-147-0x0000000000400000-0x0000000002EAA000-memory.dmp	family_glupteba
behavioral2/memory/2928-150-0x0000000006300000-0x00000000069D0000-memory.dmp	family_glupteba
behavioral2/memory/2928-151-0x0000000000400000-0x0000000002EAA000-memory.dmp	family_glupteba
behavioral2/memory/2928-152-0x0000000000400000-0x0000000002EAA000-memory.dmp	family_glupteba

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 2084 created 1772 2084 svchost.exe d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

4004 netsh.exe
4676 netsh.exe

description	pid	process	target process
PID 2084 created 1772	2084	svchost.exe	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe

pid	process
4004	netsh.exe
4676	netsh.exe

Modifies data under HKEY_USERS 56 IoCs

Processes:

d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exed08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe

pid	process
1772	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
1772	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
1772	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
1772	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
1772	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
1772	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
1772	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
1772	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
4924	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
4924	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
4924	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
4924	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1772	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Token: SeImpersonatePrivilege	1772	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
Token: SeTcbPrivilege	2084	svchost.exe
Token: SeTcbPrivilege	2084	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 2084 wrote to memory of 4924	2084	svchost.exe	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
PID 2084 wrote to memory of 4924	2084	svchost.exe	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
PID 2084 wrote to memory of 4924	2084	svchost.exe	d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe

C:\Users\Admin\AppData\Local\Temp\d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
"C:\Users\Admin\AppData\Local\Temp\d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Users\Admin\AppData\Local\Temp\d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe
"C:\Users\Admin\AppData\Local\Temp\d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43.exe"
2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:4828

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes"
3⤵
PID:3992

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4676

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
PID:2928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\rss\csrss.exe
Filesize
6.6MB

MD5
647df9da3457d9c1b936502d4df8c3c4

SHA1
8680cb73bacce533df5afeb5f62fd63f75094bd1

SHA256
d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43

SHA512
6dbb3c179ed2c087788e1a25a2b48e9bc5dcd47d34b8e6768f4ee49acf66c55b9724d79e4d5a801fd84ff9e43e9c733f38dfa436ec320bf836e432bda4b2d455

Download Submit
C:\Windows\rss\csrss.exe
Filesize
6.6MB

MD5
647df9da3457d9c1b936502d4df8c3c4

SHA1
8680cb73bacce533df5afeb5f62fd63f75094bd1

SHA256
d08cb58398f9084596b17e7a96338ec8b921b2cc748107c22ccc8ea38572fb43

SHA512
6dbb3c179ed2c087788e1a25a2b48e9bc5dcd47d34b8e6768f4ee49acf66c55b9724d79e4d5a801fd84ff9e43e9c733f38dfa436ec320bf836e432bda4b2d455

Download Submit
memory/1772-131-0x0000000005856000-0x0000000005BEE000-memory.dmp

Filesize
3.6MB

Download
memory/1772-132-0x0000000005D30000-0x0000000006400000-memory.dmp

Filesize
6.8MB

Download
memory/1772-133-0x0000000000400000-0x0000000002EAA000-memory.dmp

Filesize
42.7MB

Download
memory/1772-130-0x0000000000400000-0x0000000002EAA000-memory.dmp

Filesize
42.7MB

Download
memory/1772-135-0x0000000000400000-0x0000000002EAA000-memory.dmp

Filesize
42.7MB

Download
memory/2928-152-0x0000000000400000-0x0000000002EAA000-memory.dmp

Filesize
42.7MB

Download
memory/2928-150-0x0000000006300000-0x00000000069D0000-memory.dmp

Filesize
6.8MB

Download
memory/2928-149-0x0000000005E00000-0x0000000006198000-memory.dmp

Filesize
3.6MB

Download
memory/2928-148-0x0000000000400000-0x0000000002EAA000-memory.dmp

Filesize
42.7MB

Download
memory/2928-151-0x0000000000400000-0x0000000002EAA000-memory.dmp

Filesize
42.7MB

Download
memory/2928-153-0x0000000000400000-0x0000000002EAA000-memory.dmp

Filesize
42.7MB

Download
memory/2928-144-0x0000000000000000-mapping.dmp

Download
memory/3992-142-0x0000000000000000-mapping.dmp

Download
memory/4004-140-0x0000000000000000-mapping.dmp

Download
memory/4676-143-0x0000000000000000-mapping.dmp

Download
memory/4828-139-0x0000000000000000-mapping.dmp

Download
memory/4924-141-0x0000000000400000-0x0000000002EAA000-memory.dmp

Filesize
42.7MB

Download
memory/4924-147-0x0000000000400000-0x0000000002EAA000-memory.dmp

Filesize
42.7MB

Download
memory/4924-138-0x0000000000400000-0x0000000002EAA000-memory.dmp

Filesize
42.7MB

Download
memory/4924-137-0x000000000588D000-0x0000000005C25000-memory.dmp

Filesize
3.6MB

Download
memory/4924-136-0x0000000000400000-0x0000000002EAA000-memory.dmp

Filesize
42.7MB

Download
memory/4924-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads