glupteba | 2f60509db3097dd3055cb05f24028d05e42c5a078fd991d2baa6db1a3e1a7713

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-12-2023 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab99af2866f3e87cbf63d9c3200b88c16cadb2127cc1b59b788c28cfa53d33cc.exe
Size

38KB
MD5

3766ae21daf5a63d48270894d2d264c4
SHA1

3e457366fcc4a8434ad441e965fa060a453bfd8b
SHA256

ab99af2866f3e87cbf63d9c3200b88c16cadb2127cc1b59b788c28cfa53d33cc
SHA512

b28b619a897dd970ef642b7d1f92c22495e2bfeefc76cf9b4f2d403af0988595c6ca9d9e7408529eaba980b9f28a1d484705b65d2fc90bfd7dbc08f0d6a64b55
SSDEEP

768:3E45SLnQpEhOB/hAGflc5xOXhr7gvexzv36:3E4EqEhOPNfqStgvexzv3

Score

10^/10

glupteba smokeloader zgrat up3 backdoor discovery dropper evasion loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://185.215.113.68/fks/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

Detect ZGRat V1 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\D3F3.exe	family_zgrat_v1
behavioral1/memory/780-18-0x0000000000840000-0x00000000008D4000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2796-276-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2796-278-0x0000000002B00000-0x00000000033EB000-memory.dmp	family_glupteba
behavioral1/memory/564-298-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

2628 netsh.exe
Deletes itself 1 IoCs

Processes:

pid process

1288

pid	process
2628	netsh.exe

pid	process
1288

Executes dropped EXE 13 IoCs

Processes:

7253.exeD3F3.exeInstallSetup8.exetoolspub2.exe31839b57a4f11171d6abc8bbc4451ee4.exetuc4.exetoolspub2.exeBroomSetup.exeetopt.exetuc4.tmp31839b57a4f11171d6abc8bbc4451ee4.exensu175B.tmp.execsrss.exe

pid	process
2300	7253.exe
780	D3F3.exe
2680	InstallSetup8.exe
2784	toolspub2.exe
2796	31839b57a4f11171d6abc8bbc4451ee4.exe
2848	tuc4.exe
2852	toolspub2.exe
1396	BroomSetup.exe
3016	etopt.exe
1028	tuc4.tmp
564	31839b57a4f11171d6abc8bbc4451ee4.exe
1504	nsu175B.tmp.exe
1580	csrss.exe

Loads dropped DLL 23 IoCs

Processes:

7253.exetoolspub2.exeInstallSetup8.exetuc4.exeetopt.exetuc4.tmp31839b57a4f11171d6abc8bbc4451ee4.exe

pid	process
2300	7253.exe
2300	7253.exe
2300	7253.exe
2300	7253.exe
2300	7253.exe
2784	toolspub2.exe
2300	7253.exe
2680	InstallSetup8.exe
2300	7253.exe
2848	tuc4.exe
2680	InstallSetup8.exe
3016	etopt.exe
3016	etopt.exe
1028	tuc4.tmp
1028	tuc4.tmp
1028	tuc4.tmp
1028	tuc4.tmp
2680	InstallSetup8.exe
2680	InstallSetup8.exe
2680	InstallSetup8.exe
2680	InstallSetup8.exe
564	31839b57a4f11171d6abc8bbc4451ee4.exe
564	31839b57a4f11171d6abc8bbc4451ee4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

etopt.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F840EA0-D483-D156-50AB-8BB0D854D311}\InProcServer32\ThreadingModel = "Apartment"	etopt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E840EA0-D483-D156-50AB-8BB0D854D311}\InProcServer32\ThreadingModel = "Apartment"	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F840EA0-D483-D156-50AB-8BB0D854D311}\InProcServer32	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E840EA0-D483-D156-50AB-8BB0D854D311}\InProcServer32	etopt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A840EA0-D483-D156-50AB-8BB0D854D311}\InProcServer32\ThreadingModel = "Apartment"	etopt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F840EA0-D483-D156-50AB-8BB0D854D311}\InProcServer32\ = "C:\\Windows\\servicing\\Editions\\FineNet.dll"	etopt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E840EA0-D483-D156-50AB-8BB0D854D311}\InProcServer32\ = "C:\\Windows\\servicing\\Editions\\FineNet.dll"	etopt.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{1F840EA0-D483-D156-50AB-8BB0D854D311}\InProcServer32	etopt.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{2E840EA0-D483-D156-50AB-8BB0D854D311}\InProcServer32	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A840EA0-D483-D156-50AB-8BB0D854D311}\InProcServer32	etopt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A840EA0-D483-D156-50AB-8BB0D854D311}\InProcServer32\ = "C:\\Windows\\servicing\\Editions\\FineNet.dll"	etopt.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 api.ipify.org

flow	ioc
11	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

Processes:

D3F3.exetoolspub2.exe

description	pid	process	target process
PID 780 set thread context of 1668	780	D3F3.exe	RegAsm.exe
PID 2784 set thread context of 2852	2784	toolspub2.exe	toolspub2.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Program Files directory 63 IoCs

Processes:

tuc4.tmpetopt.exe

description	ioc	process
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-F8AQT.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-RSFGM.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-RR28Q.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-N21SS.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-KJ2I1.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-Q9COK.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-E1F2M.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-MLTQC.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-0POEB.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-7IVAL.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ClocX\Lang\Arabic.lng	etopt.exe
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-2IJT0.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-I7PQB.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\lessmsi\is-1JCTR.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-UFRUS.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-RSKDL.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-MGKBK.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-Q9A0K.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-M6183.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\plugins\internal\is-GMALT.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ClocX\Lang\Afrikaans.lng	etopt.exe
File created	C:\Program Files (x86)\ClocX\Lang\Bosanski.lng	etopt.exe
File created	C:\Program Files (x86)\ClocX\Lang\Brazilian Portuguese.lng	etopt.exe
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-LULAJ.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-B94L1.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\is-8LTFU.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-CF1D5.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-USB1L.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-I137L.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\stuff\is-PSOSS.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-1AS4B.tmp	tuc4.tmp
File created	C:\Program Files (x86)\360\360Safe\deepscan\speedmem2.hg	etopt.exe
File created	C:\Program Files (x86)\DataPumpCRT\unins000.dat	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-N4U50.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-GHOND.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-FLK50.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-MEJ3D.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-OESVR.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-1D2ER.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-57FVV.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\stuff\is-EBKI0.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-E6I31.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-67ARK.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\plugins\internal\is-CHOS1.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\stuff\is-1VR7I.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-HIV2Q.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-D31EC.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-EAUA0.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-G11CC.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ClocX\Lang\Bulgarian.lng	etopt.exe
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-K3LD0.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-94LJE.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-MRPGU.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-QF245.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-NIU85.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ClocX\ClocX.exe	etopt.exe
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-VF38C.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-ASN6C.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-1I11O.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-23FGD.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-BG10K.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ClocX\BackupAlarms.bat	etopt.exe
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-F0FT8.tmp	tuc4.tmp

Drops file in Windows directory 4 IoCs

Processes:

etopt.exe31839b57a4f11171d6abc8bbc4451ee4.exemakecab.exe

description	ioc	process
File created	C:\Windows\servicing\Editions\FineNet.dll	etopt.exe
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20231228012241.cab	makecab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ab99af2866f3e87cbf63d9c3200b88c16cadb2127cc1b59b788c28cfa53d33cc.exetoolspub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ab99af2866f3e87cbf63d9c3200b88c16cadb2127cc1b59b788c28cfa53d33cc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ab99af2866f3e87cbf63d9c3200b88c16cadb2127cc1b59b788c28cfa53d33cc.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ab99af2866f3e87cbf63d9c3200b88c16cadb2127cc1b59b788c28cfa53d33cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nsu175B.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nsu175B.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nsu175B.tmp.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Modifies registry class 22 IoCs

Processes:

etopt.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID	etopt.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{1F840EA0-D483-D156-50AB-8BB0D854D311}	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E840EA0-D483-D156-50AB-8BB0D854D311}\InProcServer32	etopt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F840EA0-D483-D156-50AB-8BB0D854D311}\InProcServer32\ = "C:\\Windows\\servicing\\Editions\\FineNet.dll"	etopt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E840EA0-D483-D156-50AB-8BB0D854D311}\InProcServer32\ = "C:\\Windows\\servicing\\Editions\\FineNet.dll"	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F840EA0-D483-D156-50AB-8BB0D854D311}\InProcServer32	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F840EA0-D483-D156-50AB-8BB0D854D311}	etopt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A840EA0-D483-D156-50AB-8BB0D854D311}\InProcServer32\ = "C:\\Windows\\servicing\\Editions\\FineNet.dll"	etopt.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{2E840EA0-D483-D156-50AB-8BB0D854D311}	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A840EA0-D483-D156-50AB-8BB0D854D311}\InProcServer32	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A840EA0-D483-D156-50AB-8BB0D854D311}	etopt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\SharingEx\ = "{2E840EA0-D483-D156-50AB-8BB0D854D311}"	etopt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A840EA0-D483-D156-50AB-8BB0D854D311}\InProcServer32\ThreadingModel = "Apartment"	etopt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\{e357fccd-a995-4576-b01f-234630154e96}\ = "{1A840EA0-D483-D156-50AB-8BB0D854D311}"	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\SharingEx	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\ShellEx\{e357fccd-a995-4576-b01f-234630154e96}	etopt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F840EA0-D483-D156-50AB-8BB0D854D311}\InProcServer32\ThreadingModel = "Apartment"	etopt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E840EA0-D483-D156-50AB-8BB0D854D311}\InProcServer32\ThreadingModel = "Apartment"	etopt.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{1F840EA0-D483-D156-50AB-8BB0D854D311}\InProcServer32	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E840EA0-D483-D156-50AB-8BB0D854D311}	etopt.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{2E840EA0-D483-D156-50AB-8BB0D854D311}\InProcServer32	etopt.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ab99af2866f3e87cbf63d9c3200b88c16cadb2127cc1b59b788c28cfa53d33cc.exe

pid	process
2144	ab99af2866f3e87cbf63d9c3200b88c16cadb2127cc1b59b788c28cfa53d33cc.exe
2144	ab99af2866f3e87cbf63d9c3200b88c16cadb2127cc1b59b788c28cfa53d33cc.exe
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288
1288

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

ab99af2866f3e87cbf63d9c3200b88c16cadb2127cc1b59b788c28cfa53d33cc.exetoolspub2.exe

pid process

2144 ab99af2866f3e87cbf63d9c3200b88c16cadb2127cc1b59b788c28cfa53d33cc.exe
2852 toolspub2.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description	pid	process
Token: SeShutdownPrivilege	1288
Token: SeShutdownPrivilege	1288
Token: SeShutdownPrivilege	1288
Token: SeShutdownPrivilege	1288
Token: SeShutdownPrivilege	1288
Token: SeShutdownPrivilege	1288
Token: SeShutdownPrivilege	1288
Token: SeDebugPrivilege	2796	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeImpersonatePrivilege	2796	31839b57a4f11171d6abc8bbc4451ee4.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

tuc4.tmp

pid process

1288
1288
1028 tuc4.tmp
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1288
1288
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

BroomSetup.exe

pid process

1396 BroomSetup.exe

pid	process
1288
1288
1028	tuc4.tmp

pid	process
1288
1288

pid	process
1396	BroomSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

D3F3.exe7253.exetoolspub2.exeInstallSetup8.exe

description	pid	process	target process
PID 1288 wrote to memory of 2300	1288		7253.exe
PID 1288 wrote to memory of 2300	1288		7253.exe
PID 1288 wrote to memory of 2300	1288		7253.exe
PID 1288 wrote to memory of 2300	1288		7253.exe
PID 1288 wrote to memory of 780	1288		D3F3.exe
PID 1288 wrote to memory of 780	1288		D3F3.exe
PID 1288 wrote to memory of 780	1288		D3F3.exe
PID 1288 wrote to memory of 780	1288		D3F3.exe
PID 780 wrote to memory of 2772	780	D3F3.exe	RegAsm.exe
PID 780 wrote to memory of 2772	780	D3F3.exe	RegAsm.exe
PID 780 wrote to memory of 2772	780	D3F3.exe	RegAsm.exe
PID 780 wrote to memory of 2772	780	D3F3.exe	RegAsm.exe
PID 780 wrote to memory of 2772	780	D3F3.exe	RegAsm.exe
PID 780 wrote to memory of 2772	780	D3F3.exe	RegAsm.exe
PID 780 wrote to memory of 2772	780	D3F3.exe	RegAsm.exe
PID 780 wrote to memory of 1668	780	D3F3.exe	RegAsm.exe
PID 780 wrote to memory of 1668	780	D3F3.exe	RegAsm.exe
PID 780 wrote to memory of 1668	780	D3F3.exe	RegAsm.exe
PID 780 wrote to memory of 1668	780	D3F3.exe	RegAsm.exe
PID 780 wrote to memory of 1668	780	D3F3.exe	RegAsm.exe
PID 780 wrote to memory of 1668	780	D3F3.exe	RegAsm.exe
PID 780 wrote to memory of 1668	780	D3F3.exe	RegAsm.exe
PID 780 wrote to memory of 1668	780	D3F3.exe	RegAsm.exe
PID 780 wrote to memory of 1668	780	D3F3.exe	RegAsm.exe
PID 780 wrote to memory of 1668	780	D3F3.exe	RegAsm.exe
PID 780 wrote to memory of 1668	780	D3F3.exe	RegAsm.exe
PID 780 wrote to memory of 1668	780	D3F3.exe	RegAsm.exe
PID 780 wrote to memory of 1668	780	D3F3.exe	RegAsm.exe
PID 2300 wrote to memory of 2680	2300	7253.exe	InstallSetup8.exe
PID 2300 wrote to memory of 2680	2300	7253.exe	InstallSetup8.exe
PID 2300 wrote to memory of 2680	2300	7253.exe	InstallSetup8.exe
PID 2300 wrote to memory of 2680	2300	7253.exe	InstallSetup8.exe
PID 2300 wrote to memory of 2680	2300	7253.exe	InstallSetup8.exe
PID 2300 wrote to memory of 2680	2300	7253.exe	InstallSetup8.exe
PID 2300 wrote to memory of 2680	2300	7253.exe	InstallSetup8.exe
PID 2300 wrote to memory of 2784	2300	7253.exe	toolspub2.exe
PID 2300 wrote to memory of 2784	2300	7253.exe	toolspub2.exe
PID 2300 wrote to memory of 2784	2300	7253.exe	toolspub2.exe
PID 2300 wrote to memory of 2784	2300	7253.exe	toolspub2.exe
PID 2300 wrote to memory of 2796	2300	7253.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2300 wrote to memory of 2796	2300	7253.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2300 wrote to memory of 2796	2300	7253.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2300 wrote to memory of 2796	2300	7253.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2784 wrote to memory of 2852	2784	toolspub2.exe	toolspub2.exe
PID 2784 wrote to memory of 2852	2784	toolspub2.exe	toolspub2.exe
PID 2784 wrote to memory of 2852	2784	toolspub2.exe	toolspub2.exe
PID 2784 wrote to memory of 2852	2784	toolspub2.exe	toolspub2.exe
PID 2784 wrote to memory of 2852	2784	toolspub2.exe	toolspub2.exe
PID 2784 wrote to memory of 2852	2784	toolspub2.exe	toolspub2.exe
PID 2300 wrote to memory of 2848	2300	7253.exe	tuc4.exe
PID 2300 wrote to memory of 2848	2300	7253.exe	tuc4.exe
PID 2300 wrote to memory of 2848	2300	7253.exe	tuc4.exe
PID 2300 wrote to memory of 2848	2300	7253.exe	tuc4.exe
PID 2300 wrote to memory of 2848	2300	7253.exe	tuc4.exe
PID 2300 wrote to memory of 2848	2300	7253.exe	tuc4.exe
PID 2300 wrote to memory of 2848	2300	7253.exe	tuc4.exe
PID 2784 wrote to memory of 2852	2784	toolspub2.exe	toolspub2.exe
PID 2680 wrote to memory of 1396	2680	InstallSetup8.exe	BroomSetup.exe
PID 2680 wrote to memory of 1396	2680	InstallSetup8.exe	BroomSetup.exe
PID 2680 wrote to memory of 1396	2680	InstallSetup8.exe	BroomSetup.exe
PID 2680 wrote to memory of 1396	2680	InstallSetup8.exe	BroomSetup.exe
PID 2680 wrote to memory of 1396	2680	InstallSetup8.exe	BroomSetup.exe
PID 2680 wrote to memory of 1396	2680	InstallSetup8.exe	BroomSetup.exe
PID 2680 wrote to memory of 1396	2680	InstallSetup8.exe	BroomSetup.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ab99af2866f3e87cbf63d9c3200b88c16cadb2127cc1b59b788c28cfa53d33cc.exe
"C:\Users\Admin\AppData\Local\Temp\ab99af2866f3e87cbf63d9c3200b88c16cadb2127cc1b59b788c28cfa53d33cc.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2144

C:\Users\Admin\AppData\Local\Temp\7253.exe
C:\Users\Admin\AppData\Local\Temp\7253.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2300

C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1396

C:\Users\Admin\AppData\Local\Temp\nsu175B.tmp.exe
C:\Users\Admin\AppData\Local\Temp\nsu175B.tmp.exe
3⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1504

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2784

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2852

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
3⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:564

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:1488

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2628

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
- Executes dropped EXE
PID:1580

C:\Users\Admin\AppData\Local\Temp\etopt.exe
"C:\Users\Admin\AppData\Local\Temp\etopt.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:3016

C:\Users\Admin\AppData\Local\Temp\tuc4.exe
"C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2848

C:\Users\Admin\AppData\Local\Temp\D3F3.exe
C:\Users\Admin\AppData\Local\Temp\D3F3.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\is-5VIB9.tmp\tuc4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5VIB9.tmp\tuc4.tmp" /SL5="$A0124,7884275,54272,C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:1028

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231228012241.log C:\Windows\Logs\CBS\CbsPersist_20231228012241.cab
1⤵
- Drops file in Windows directory
PID:1004

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7253.exe
Filesize
18.0MB

MD5
00ccb6af919b7b1bba50749cb0a46990

SHA1
368bf6b70b180575e85118dc55192e87941c6b3c

SHA256
9ebac5afeadb6c24cd4b73be884fd48411029c118d0477799306961df61437ec

SHA512
84f27822c6cd87b55074baae88b65d583ce93a147cee0633d683ad13a240a56249feb9c7b651ba31a8a04e8d9a5d85c0ff139015c48d7d2ba01b9562c2895349

Download Submit
C:\Users\Admin\AppData\Local\Temp\7253.exe
Filesize
18.8MB

MD5
ed2fd5173af900c56220101ce6648515

SHA1
d8783b8dc155314c5680aebddd4e36df7ddfebbf

SHA256
ff3022cc92fd5e0eb46d34568825a3d914a3ce7d24cea60660cdb3247956f098

SHA512
ef7bac0140e2e492a4d1751d9a6d1fe6ec94649bd6a00006f159a067b774ee8870d567e0fae2e08ebf16db3d11c2dfe2fcf5884d7d27d74fdba34781500f9806

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3F3.exe
Filesize
567KB

MD5
1a344159928228af15c9bd838c73e319

SHA1
07295709b38bf6bab750669e09dfe4671e03a345

SHA256
50cb0c5541343e8b900ddc1cb400a91d95a1ecd7d70ef0195d7c875ce7225321

SHA512
289ae9c41d6a535e576da4780b195a6bb79cd10ca9eedf4f39b9bb8d46931443924ed3e9524abc54c10cb7b3603ba218ba200ad6a90e80481126d4cd8d996c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu175B.tmp.exe
Filesize
190KB

MD5
b13ce214734468322ab7f8ce41a62791

SHA1
2213e52a853fe5627ff751776c7fa59a3c16d213

SHA256
afee48df1ad859f7ec86c3157c6c594526615b7f805977c99c107e04c593aaa2

SHA512
3b4859e3fbc1c85d7107b1013daa81e9c6651bedfd58d54e3cf13fd6f6be9fee7f58d88229c49b6ae13ffde2e059fb22e8ff9e804f82564a9048b1e167c7b282

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
92KB

MD5
34a8ce442674425ae01d01e7f4c88bcb

SHA1
d7d30970aa75ce1271402a0adae465fe1f9995c9

SHA256
7a084687df35c670ce06698e719664a55198c43660d47fc8fb16afda7ac59062

SHA512
9ddecb5b6827a1aff9682cc442d03a9a711dadf2325a4e3044eb3e8b3b465f0bfbf61b916408da1cc84585185c2794a80d1c636a7646441ed2f104fea6386ea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
283KB

MD5
2d24e3baa2a16e47bee10e91381e6391

SHA1
013b59b2cd69e93694196dfb34fddc8684cfd619

SHA256
ff2e975c649d66476c48ac9fe64455eb0727fede676d000728d09d62d2dc6db4

SHA512
be515895b29390e1c9c44620f7b18c8ae57d08627b8bbf7484b551ccf079011f95baa78e71c1a2a6280b544dd06444b509b7c9ba126b525d813afd68010b03e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc4.exe
Filesize
362KB

MD5
d7396bd98a1b6c4f5fc905cdf1e1157e

SHA1
10affd1309790f06a7d6ae8bafaee20b38ecad42

SHA256
7aec31eb74ace47e588b6b7fa5fc83d1e59a7cab9c5ab895d49bf66f087b39b3

SHA512
d3730f5f3cbf5e8bb9f79f92ac26ecc62507650ad00d1b4d72baff53ea5cfa0bb8b440fab28816e4dcc31fcd67e16fc0df4e2ef51528c5556609286f053f05a1

Download Submit
C:\Windows\rss\csrss.exe
Filesize
52KB

MD5
4e98cf8f8593cce990e98af61b409a0f

SHA1
dd17cac57ed495d426833b8c0543e34de3e61511

SHA256
895adde54c2380045dabfc3cb3909acfaf199753c64683c4825bb5a374a1f852

SHA512
c605f1b4138e11b5a0af295fd5a133048b5e51d28188785a04f0bcfff5db5c35395454d3715590cb7516390e50e4a22c717fd54cceca9b4c80568546afe5a3dd

Download Submit
C:\Windows\rss\csrss.exe
Filesize
811KB

MD5
f46e2e6c364a2e375b6c85249a3cb6eb

SHA1
0d87498fe7c06b0cb860c835364863c65f69ee6b

SHA256
837abb9bc6576bf128938025b33af393f070a791053d06358cf1262f12a220a8

SHA512
812681e19041c25cd2b293e0aad48d961fd85006ea37ce01a7690fd9b74a07e76e1560fd11e7960321c3c7f2fa5fe3c3aea4555dc78e6cfc034dfac71e279b3f

Download Submit
\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
66KB

MD5
e07324dd997722a276caf449d13be3c4

SHA1
ff3cbf7ec89a3f8ca5b083c90a876aa2811fb079

SHA256
d16e618a5c99ecc998a78cee3f0e35bc11f75b4b6cddb080c6fbcd354eaad4f6

SHA512
f57aef74623f3a1a73de00c1a3eb2a1716746a89ed4d60cb628f763effa72d05a806baa786f76e263c503bcb09b52d4be8803532e493e7f86468aafbc557ebff

Download Submit
\Users\Admin\AppData\Local\Temp\tuc4.exe
Filesize
926KB

MD5
cc00a951a7c17066195ef2e48f3d594f

SHA1
b12519f9fdbba22c447e8a69181571aa84b85f75

SHA256
8cd30929f1b01555d461ec7d85cb574c6ed0d0d135b8ea2bd7d75c2f7ae091c3

SHA512
61ac35017547385d588d39525092d31ea283bddb0a1ffdebf78fef792b866b47eae74d5705b2bafe262fde17d529fda43c71f7e22b2299966372a452481045f9

Download Submit
\Windows\rss\csrss.exe
Filesize
132KB

MD5
5927ccfae57f97d4468d1b3bef72aa39

SHA1
511ccfa7cb875db77e56d3ad9c06308317883dbb

SHA256
560a9e1cacdd141a6ba369d6b084434685c4795093b6f3da6c4890d3387f959c

SHA512
a31111aa5743da9887f3989874401cb03c7787b79d96982782926510001c28ccf90c3f866f9312a0964d9fd63b41ad7e3ba2f3b6f70521f41e055908bf905589

Download Submit
\Windows\rss\csrss.exe
Filesize
126KB

MD5
90370985614a81ceddf12a60da1d9e7e

SHA1
9b9df6026cb40ba398565d090d6031f4a1d04cbb

SHA256
bf0509e7ee135ae17b6d5bac4ae1927fc8df7c7d51054952bc286e8544398096

SHA512
6a9ebc9e9300042481c6a692da35450cacbcc45bfc61cb83ca6d39a708e274bda3defeb2abfa11dac83f3c8720dd6c0b0bfd07e307636537df6e0b83f07f5b1d

Download Submit
memory/564-279-0x00000000025F0000-0x00000000029E8000-memory.dmp

Filesize
4.0MB

Download
memory/564-299-0x00000000025F0000-0x00000000029E8000-memory.dmp

Filesize
4.0MB

Download
memory/564-298-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/780-23-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/780-22-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/780-18-0x0000000000840000-0x00000000008D4000-memory.dmp

Filesize
592KB

Download
memory/780-19-0x0000000074DA0000-0x000000007548E000-memory.dmp

Filesize
6.9MB

Download
memory/780-35-0x0000000074DA0000-0x000000007548E000-memory.dmp

Filesize
6.9MB

Download
memory/780-33-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/1288-256-0x00000000025E0000-0x00000000025F6000-memory.dmp

Filesize
88KB

Download
memory/1288-1-0x0000000002AA0000-0x0000000002AB6000-memory.dmp

Filesize
88KB

Download
memory/1504-316-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1580-311-0x0000000002600000-0x00000000029F8000-memory.dmp

Filesize
4.0MB

Download
memory/1668-26-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1668-28-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1668-34-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1668-31-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1668-24-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1668-25-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1668-37-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1668-27-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1668-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2144-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2144-2-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2300-21-0x0000000000890000-0x0000000001B6E000-memory.dmp

Filesize
18.9MB

Download
memory/2300-20-0x0000000074DA0000-0x000000007548E000-memory.dmp

Filesize
6.9MB

Download
memory/2300-96-0x0000000074DA0000-0x000000007548E000-memory.dmp

Filesize
6.9MB

Download
memory/2784-82-0x00000000003A0000-0x00000000003A9000-memory.dmp

Filesize
36KB

Download
memory/2784-79-0x0000000000273000-0x000000000027C000-memory.dmp

Filesize
36KB

Download
memory/2796-277-0x0000000002700000-0x0000000002AF8000-memory.dmp

Filesize
4.0MB

Download
memory/2796-278-0x0000000002B00000-0x00000000033EB000-memory.dmp

Filesize
8.9MB

Download
memory/2796-94-0x0000000002700000-0x0000000002AF8000-memory.dmp

Filesize
4.0MB

Download
memory/2796-276-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2848-74-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2852-75-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2852-257-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2852-68-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3016-157-0x00000000005D0000-0x000000000060A000-memory.dmp

Filesize
232KB

Download
memory/3016-129-0x0000000003D30000-0x0000000004958000-memory.dmp

Filesize
12.2MB

Download
memory/3016-118-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download