glupteba | 4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72

Analysis

max time kernel
31s
max time network
77s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2023, 20:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Size

4.2MB
MD5

0f73633551a771f0f0ed9a05e5c875c1
SHA1

4f77354ee40b9d9e26bf024dad6e9be104ed231b
SHA256

4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72
SHA512

eca92668a1a5611802622dde73ce7edc11f887fe3385812cc1745e90bb704ef55dc406732316e7b13c6e5a6797a469db29bb0a19beb3b46c0bb42cef1a1d0f57
SSDEEP

98304:HGoU4x8bDW9DNb2NlBvz6S8NiWHRpoeh/Ma/EZMT:c4J9NaDBvfMxd/5

Score

10^/10

glupteba dropper evasion loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 7 IoCs

resource	yara_rule
behavioral1/memory/2484-1-0x0000000004B20000-0x000000000540B000-memory.dmp	family_glupteba
behavioral1/memory/2484-2-0x0000000000400000-0x0000000002818000-memory.dmp	family_glupteba
behavioral1/memory/2484-22-0x0000000004B20000-0x000000000540B000-memory.dmp	family_glupteba
behavioral1/memory/2484-24-0x0000000000400000-0x0000000002818000-memory.dmp	family_glupteba
behavioral1/memory/2484-54-0x0000000000400000-0x0000000002818000-memory.dmp	family_glupteba
behavioral1/memory/2160-55-0x0000000000400000-0x0000000002818000-memory.dmp	family_glupteba
behavioral1/memory/2160-80-0x0000000000400000-0x0000000002818000-memory.dmp	family_glupteba

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
4128	netsh.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4828	2484	WerFault.exe	80

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
740	powershell.exe
740	powershell.exe
2484	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
2484	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
3028	powershell.exe
3028	powershell.exe
2160	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
2160	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
2160	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
2160	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
2160	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
2160	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
2160	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
2160	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
2160	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
2160	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	2484	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Token: SeImpersonatePrivilege	2484	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
Token: SeDebugPrivilege	3028	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 740	2484	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe	85
PID 2484 wrote to memory of 740	2484	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe	85
PID 2484 wrote to memory of 740	2484	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe	85
PID 2160 wrote to memory of 3028	2160	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe	95
PID 2160 wrote to memory of 3028	2160	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe	95
PID 2160 wrote to memory of 3028	2160	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe	95
PID 2160 wrote to memory of 408	2160	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe	99
PID 2160 wrote to memory of 408	2160	4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe	99
PID 408 wrote to memory of 4128	408	cmd.exe	100
PID 408 wrote to memory of 4128	408	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
"C:\Users\Admin\AppData\Local\Temp\4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:740
- C:\Users\Admin\AppData\Local\Temp\4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe
  "C:\Users\Admin\AppData\Local\Temp\4b664bcadb007b5862b97e11c6f0ba21397b78c7dc5361512c82ff42b4e06a72.exe"
  2⤵
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3028
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4128
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:5008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 1000
  2⤵
  - Program crash
  PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2484 -ip 2484
1⤵
PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dr33hy0a.cpt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
2038ebebc3c8cf8a3fb6926bb6f3d87a

SHA1
c3e2febfdbd9f4024c2e4a7c74de3627f5e27d6b

SHA256
3c49c02c6750fee1f3b283312eb83c7bc6daaedcfb9ada93719928ed11195dfe

SHA512
79980d7b4dac47e4d0ec6748d961756a7424c32e8c6654f68ba7e371c2f217f84c9db473e03546856620a674303440d8dbbed94e611f9ecfd50303cb58e14f4f

Download Submit
memory/740-23-0x0000000006150000-0x0000000006194000-memory.dmp

Filesize
272KB

Download
memory/740-31-0x0000000004780000-0x0000000004790000-memory.dmp

Filesize
64KB

Download
memory/740-5-0x0000000004780000-0x0000000004790000-memory.dmp

Filesize
64KB

Download
memory/740-6-0x0000000004780000-0x0000000004790000-memory.dmp

Filesize
64KB

Download
memory/740-7-0x0000000004DC0000-0x00000000053E8000-memory.dmp

Filesize
6.2MB

Download
memory/740-8-0x0000000004C10000-0x0000000004C32000-memory.dmp

Filesize
136KB

Download
memory/740-9-0x00000000053F0000-0x0000000005456000-memory.dmp

Filesize
408KB

Download
memory/740-10-0x0000000005550000-0x00000000055B6000-memory.dmp

Filesize
408KB

Download
memory/740-3-0x0000000004620000-0x0000000004656000-memory.dmp

Filesize
216KB

Download
memory/740-49-0x0000000007AA0000-0x0000000007ABA000-memory.dmp

Filesize
104KB

Download
memory/740-21-0x0000000005B50000-0x0000000005B6E000-memory.dmp

Filesize
120KB

Download
memory/740-48-0x0000000007320000-0x000000000732E000-memory.dmp

Filesize
56KB

Download
memory/740-53-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/740-50-0x0000000007400000-0x0000000007408000-memory.dmp

Filesize
32KB

Download
memory/740-4-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/740-28-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/740-26-0x0000000004780000-0x0000000004790000-memory.dmp

Filesize
64KB

Download
memory/740-29-0x0000000007420000-0x0000000007A9A000-memory.dmp

Filesize
6.5MB

Download
memory/740-30-0x0000000006DC0000-0x0000000006DDA000-memory.dmp

Filesize
104KB

Download
memory/740-27-0x0000000006D20000-0x0000000006D96000-memory.dmp

Filesize
472KB

Download
memory/740-32-0x0000000007170000-0x00000000071A2000-memory.dmp

Filesize
200KB

Download
memory/740-33-0x0000000070470000-0x00000000704BC000-memory.dmp

Filesize
304KB

Download
memory/740-34-0x00000000705F0000-0x0000000070944000-memory.dmp

Filesize
3.3MB

Download
memory/740-44-0x0000000007150000-0x000000000716E000-memory.dmp

Filesize
120KB

Download
memory/740-45-0x00000000072A0000-0x00000000072AA000-memory.dmp

Filesize
40KB

Download
memory/740-46-0x0000000007360000-0x00000000073F6000-memory.dmp

Filesize
600KB

Download
memory/740-47-0x0000000004780000-0x0000000004790000-memory.dmp

Filesize
64KB

Download
memory/2160-55-0x0000000000400000-0x0000000002818000-memory.dmp

Filesize
36.1MB

Download
memory/2160-80-0x0000000000400000-0x0000000002818000-memory.dmp

Filesize
36.1MB

Download
memory/2484-20-0x0000000004720000-0x0000000004B18000-memory.dmp

Filesize
4.0MB

Download
memory/2484-0-0x0000000004720000-0x0000000004B18000-memory.dmp

Filesize
4.0MB

Download
memory/2484-54-0x0000000000400000-0x0000000002818000-memory.dmp

Filesize
36.1MB

Download
memory/2484-22-0x0000000004B20000-0x000000000540B000-memory.dmp

Filesize
8.9MB

Download
memory/2484-24-0x0000000000400000-0x0000000002818000-memory.dmp

Filesize
36.1MB

Download
memory/2484-1-0x0000000004B20000-0x000000000540B000-memory.dmp

Filesize
8.9MB

Download
memory/2484-2-0x0000000000400000-0x0000000002818000-memory.dmp

Filesize
36.1MB

Download
memory/3028-56-0x0000000074670000-0x0000000074E20000-memory.dmp

Filesize
7.7MB

Download
memory/3028-69-0x0000000070570000-0x00000000705BC000-memory.dmp

Filesize
304KB

Download
memory/3028-70-0x0000000070D10000-0x0000000071064000-memory.dmp

Filesize
3.3MB

Download
memory/3028-68-0x000000007FCB0000-0x000000007FCC0000-memory.dmp

Filesize
64KB

Download
memory/3028-84-0x0000000074670000-0x0000000074E20000-memory.dmp

Filesize
7.7MB

Download
memory/3028-67-0x0000000005540000-0x0000000005550000-memory.dmp

Filesize
64KB

Download
memory/3028-57-0x0000000005540000-0x0000000005550000-memory.dmp

Filesize
64KB

Download
memory/5008-87-0x00000000013F0000-0x0000000001400000-memory.dmp

Filesize
64KB

Download
memory/5008-86-0x0000000074670000-0x0000000074E20000-memory.dmp

Filesize
7.7MB

Download