glupteba | da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0

General

Target

da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Size

4.2MB
MD5

0d5b6c0bc9cc1399de66b2c241459307
SHA1

14e59f873a9d48a4facccd0bf9fb4f6658be95f0
SHA256

da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0
SHA512

a6713deaea1e3bb3e0b5157180d5be154c15238f87b3d2da65b8d9d6a7d6a32cd728dfd9f4b2d52b443a8d97c5c610ba9ea3842b49880faffa8255d1d0b70a2d
SSDEEP

98304:KRpqgcnrakfp/v5EYMUDaH8BuphD4LYzqMjBd5Nmn8GbQKYrL:Ep3kfp/v59PD/kaM+MjL3ZGETL

Score

10^/10

glupteba dropper evasion loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3516-134-0x0000000005260000-0x0000000005B4B000-memory.dmp	family_glupteba
behavioral1/memory/3516-173-0x0000000000400000-0x00000000030D0000-memory.dmp	family_glupteba
behavioral1/memory/3516-179-0x0000000000400000-0x00000000030D0000-memory.dmp	family_glupteba
behavioral1/memory/3924-208-0x0000000000400000-0x00000000030D0000-memory.dmp	family_glupteba

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

5100 netsh.exe

pid	process
5100	netsh.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Drops file in Windows directory 1 IoCs

Processes:

da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe

description ioc process

File opened for modification C:\Windows\rss da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe

description	ioc	process
File opened for modification	C:\Windows\rss	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

powershell.exeda30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exepowershell.exeda30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exepowershell.exepowershell.exe

pid	process
392	powershell.exe
392	powershell.exe
3516	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
3516	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
4172	powershell.exe
4172	powershell.exe
3924	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
3924	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
3924	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
3924	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
3924	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
3924	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
3924	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
3924	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
3924	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
3924	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
5072	powershell.exe
5072	powershell.exe
2668	powershell.exe
2668	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exeda30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	392	powershell.exe
Token: SeDebugPrivilege	3516	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Token: SeImpersonatePrivilege	3516	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
Token: SeDebugPrivilege	4172	powershell.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exeda30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.execmd.exe

description	pid	process	target process
PID 3516 wrote to memory of 392	3516	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe	powershell.exe
PID 3516 wrote to memory of 392	3516	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe	powershell.exe
PID 3516 wrote to memory of 392	3516	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe	powershell.exe
PID 3924 wrote to memory of 4172	3924	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe	powershell.exe
PID 3924 wrote to memory of 4172	3924	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe	powershell.exe
PID 3924 wrote to memory of 4172	3924	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe	powershell.exe
PID 3924 wrote to memory of 1288	3924	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe	cmd.exe
PID 3924 wrote to memory of 1288	3924	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe	cmd.exe
PID 1288 wrote to memory of 5100	1288	cmd.exe	netsh.exe
PID 1288 wrote to memory of 5100	1288	cmd.exe	netsh.exe
PID 3924 wrote to memory of 5072	3924	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe	powershell.exe
PID 3924 wrote to memory of 5072	3924	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe	powershell.exe
PID 3924 wrote to memory of 5072	3924	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe	powershell.exe
PID 3924 wrote to memory of 2668	3924	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe	powershell.exe
PID 3924 wrote to memory of 2668	3924	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe	powershell.exe
PID 3924 wrote to memory of 2668	3924	da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
"C:\Users\Admin\AppData\Local\Temp\da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3516

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Users\Admin\AppData\Local\Temp\da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe
"C:\Users\Admin\AppData\Local\Temp\da30bd435cf3667e65339532ea7752af3868b1dff163fe4a8e40998670fa56b0.exe"
2⤵
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:5100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_urnedi3r.hm5.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
180d4cdfb89546416ef3928c383eeff8

SHA1
4d7eb40e8d50084ea17a51f6ac3d5cafa0442cd1

SHA256
7191b9f5f5d964e4c511730168c109b050c4a28a02f5dacb0435c291561df19d

SHA512
73a33da7f47499d834923f7de41ee6083be89c5448c3f6b48bf36313b12a738b14630a9f6a3fc3a22963806113e54e5c1489115001276b88a81f9d350cc840fe

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
1708a69ccb26bd34b77c11178b7b41a4

SHA1
45905d71c56fda4d9be908f38395996edaa7f2c2

SHA256
f8b6b6b466ff2b9b1ce00151a5a8ed4ba99a8acbafe758eb070f731ddb2db297

SHA512
98ad90f10d98f9d7e79acac4bd41da7ae1a042cedb016ec73f6b589b4a4a5b921eab6baed60bb23ba8f4693fd8de181498708eb7d693c0ac623beef4b8ab0f80

Download Submit
memory/392-175-0x0000000008530000-0x000000000854A000-memory.dmp

Filesize
104KB

Download
memory/392-141-0x0000000005F40000-0x0000000005FA6000-memory.dmp

Filesize
408KB

Download
memory/392-140-0x0000000005ED0000-0x0000000005F36000-memory.dmp

Filesize
408KB

Download
memory/392-176-0x0000000007DF0000-0x0000000007DF8000-memory.dmp

Filesize
32KB

Download
memory/392-138-0x00000000051F0000-0x0000000005200000-memory.dmp

Filesize
64KB

Download
memory/392-151-0x0000000006690000-0x00000000066AE000-memory.dmp

Filesize
120KB

Download
memory/392-152-0x00000000076A0000-0x00000000076E4000-memory.dmp

Filesize
272KB

Download
memory/392-153-0x00000000077B0000-0x0000000007826000-memory.dmp

Filesize
472KB

Download
memory/392-154-0x0000000007EB0000-0x000000000852A000-memory.dmp

Filesize
6.5MB

Download
memory/392-155-0x0000000007850000-0x000000000786A000-memory.dmp

Filesize
104KB

Download
memory/392-135-0x0000000005100000-0x0000000005136000-memory.dmp

Filesize
216KB

Download
memory/392-157-0x0000000007C10000-0x0000000007C42000-memory.dmp

Filesize
200KB

Download
memory/392-136-0x0000000005830000-0x0000000005E58000-memory.dmp

Filesize
6.2MB

Download
memory/392-159-0x0000000070720000-0x0000000070A74000-memory.dmp

Filesize
3.3MB

Download
memory/392-160-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/392-170-0x0000000007BF0000-0x0000000007C0E000-memory.dmp

Filesize
120KB

Download
memory/392-171-0x0000000007D40000-0x0000000007D4A000-memory.dmp

Filesize
40KB

Download
memory/392-172-0x0000000007E00000-0x0000000007E96000-memory.dmp

Filesize
600KB

Download
memory/392-137-0x00000000051F0000-0x0000000005200000-memory.dmp

Filesize
64KB

Download
memory/392-174-0x0000000007DB0000-0x0000000007DBE000-memory.dmp

Filesize
56KB

Download
memory/392-156-0x00000000051F0000-0x0000000005200000-memory.dmp

Filesize
64KB

Download
memory/392-139-0x00000000057A0000-0x00000000057C2000-memory.dmp

Filesize
136KB

Download
memory/392-158-0x0000000070580000-0x00000000705CC000-memory.dmp

Filesize
304KB

Download
memory/2668-258-0x000000007F5D0000-0x000000007F5E0000-memory.dmp

Filesize
64KB

Download
memory/2668-248-0x0000000070E40000-0x0000000071194000-memory.dmp

Filesize
3.3MB

Download
memory/2668-247-0x0000000070680000-0x00000000706CC000-memory.dmp

Filesize
304KB

Download
memory/2668-246-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/2668-245-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/3516-179-0x0000000000400000-0x00000000030D0000-memory.dmp

Filesize
44.8MB

Download
memory/3516-173-0x0000000000400000-0x00000000030D0000-memory.dmp

Filesize
44.8MB

Download
memory/3516-134-0x0000000005260000-0x0000000005B4B000-memory.dmp

Filesize
8.9MB

Download
memory/3924-208-0x0000000000400000-0x00000000030D0000-memory.dmp

Filesize
44.8MB

Download
memory/4172-204-0x000000007FB70000-0x000000007FB80000-memory.dmp

Filesize
64KB

Download
memory/4172-191-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/4172-190-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/4172-194-0x0000000070E20000-0x0000000071174000-memory.dmp

Filesize
3.3MB

Download
memory/4172-193-0x0000000070680000-0x00000000706CC000-memory.dmp

Filesize
304KB

Download
memory/4172-192-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/5072-209-0x0000000004600000-0x0000000004610000-memory.dmp

Filesize
64KB

Download
memory/5072-222-0x0000000070680000-0x00000000706CC000-memory.dmp

Filesize
304KB

Download
memory/5072-223-0x0000000070800000-0x0000000070B54000-memory.dmp

Filesize
3.3MB

Download
memory/5072-233-0x000000007FCC0000-0x000000007FCD0000-memory.dmp

Filesize
64KB

Download
memory/5072-221-0x0000000004600000-0x0000000004610000-memory.dmp

Filesize
64KB

Download
memory/5072-210-0x0000000004600000-0x0000000004610000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads