glupteba | 1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922

Resubmissions

07-02-2024 08:00

240207-jv525aegg3 10

07-02-2024 07:42

240207-jjsmnaega6 10

Analysis

max time kernel
51s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07-02-2024 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe
Size

5.5MB
MD5

c4580e8db0c3dbc88891842fd8a31158
SHA1

744f03fcf10db1459d3f40beaea2bfe1b000582b
SHA256

1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922
SHA512

cefd412e0d5aba56d6603fdc46a056474ce387dbb220b32a9317dca0822bef9320515afacc2ab2086db46f9e01b3456c87a0dc83bd99c246550d87efd3606945
SSDEEP

98304:Fs9EI6sZJrf04Hr3VvPkrcRizJ6krK4JLQaEHlXU+vG9G1jMaZQRrkp:W+I6sU4HjZkwkVJo1+G1jMaZQpk

Score

10^/10

glupteba smokeloader pub1 backdoor dropper evasion loader persistence trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 10 IoCs

resource	yara_rule
behavioral2/memory/1656-56-0x0000000002E20000-0x000000000370B000-memory.dmp	family_glupteba
behavioral2/memory/1656-57-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1656-82-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1656-116-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1656-118-0x0000000002E20000-0x000000000370B000-memory.dmp	family_glupteba
behavioral2/memory/4872-121-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4872-159-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4872-174-0x0000000002A70000-0x0000000002E71000-memory.dmp	family_glupteba
behavioral2/memory/4872-224-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3228-255-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4236	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe

Executes dropped EXE 6 IoCs

pid	Process
1980	InstallSetup_nine.exe
1656	d21cbe21e38b385a41a68c5e6dd32f4c.exe
4256	rty25.exe
460	toolspub1.exe
4872	d21cbe21e38b385a41a68c5e6dd32f4c.exe
3228	csrss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	d21cbe21e38b385a41a68c5e6dd32f4c.exe
File created	C:\Windows\rss\csrss.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
460	toolspub1.exe
460	toolspub1.exe
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
2852	powershell.exe
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
2852	powershell.exe
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
460	toolspub1.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeShutdownPrivilege	3380	Process not Found
Token: SeCreatePagefilePrivilege	3380	Process not Found
Token: SeDebugPrivilege	1656	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Token: SeImpersonatePrivilege	1656	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeShutdownPrivilege	3380	Process not Found
Token: SeCreatePagefilePrivilege	3380	Process not Found
Token: SeShutdownPrivilege	3380	Process not Found
Token: SeCreatePagefilePrivilege	3380	Process not Found
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeShutdownPrivilege	3380	Process not Found
Token: SeCreatePagefilePrivilege	3380	Process not Found
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeShutdownPrivilege	3380	Process not Found
Token: SeCreatePagefilePrivilege	3380	Process not Found
Token: SeDebugPrivilege	2880	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 1980	4932	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe	84
PID 4932 wrote to memory of 1980	4932	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe	84
PID 4932 wrote to memory of 1980	4932	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe	84
PID 4932 wrote to memory of 1656	4932	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe	85
PID 4932 wrote to memory of 1656	4932	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe	85
PID 4932 wrote to memory of 1656	4932	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe	85
PID 4932 wrote to memory of 4256	4932	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe	86
PID 4932 wrote to memory of 4256	4932	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe	86
PID 4932 wrote to memory of 460	4932	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe	87
PID 4932 wrote to memory of 460	4932	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe	87
PID 4932 wrote to memory of 460	4932	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe	87
PID 1656 wrote to memory of 2852	1656	d21cbe21e38b385a41a68c5e6dd32f4c.exe	89
PID 1656 wrote to memory of 2852	1656	d21cbe21e38b385a41a68c5e6dd32f4c.exe	89
PID 1656 wrote to memory of 2852	1656	d21cbe21e38b385a41a68c5e6dd32f4c.exe	89
PID 4872 wrote to memory of 1064	4872	d21cbe21e38b385a41a68c5e6dd32f4c.exe	95
PID 4872 wrote to memory of 1064	4872	d21cbe21e38b385a41a68c5e6dd32f4c.exe	95
PID 4872 wrote to memory of 1064	4872	d21cbe21e38b385a41a68c5e6dd32f4c.exe	95
PID 4872 wrote to memory of 4492	4872	d21cbe21e38b385a41a68c5e6dd32f4c.exe	97
PID 4872 wrote to memory of 4492	4872	d21cbe21e38b385a41a68c5e6dd32f4c.exe	97
PID 4492 wrote to memory of 4236	4492	cmd.exe	99
PID 4492 wrote to memory of 4236	4492	cmd.exe	99
PID 4872 wrote to memory of 1528	4872	d21cbe21e38b385a41a68c5e6dd32f4c.exe	100
PID 4872 wrote to memory of 1528	4872	d21cbe21e38b385a41a68c5e6dd32f4c.exe	100
PID 4872 wrote to memory of 1528	4872	d21cbe21e38b385a41a68c5e6dd32f4c.exe	100
PID 4872 wrote to memory of 3012	4872	d21cbe21e38b385a41a68c5e6dd32f4c.exe	102
PID 4872 wrote to memory of 3012	4872	d21cbe21e38b385a41a68c5e6dd32f4c.exe	102
PID 4872 wrote to memory of 3012	4872	d21cbe21e38b385a41a68c5e6dd32f4c.exe	102
PID 4872 wrote to memory of 3228	4872	d21cbe21e38b385a41a68c5e6dd32f4c.exe	104
PID 4872 wrote to memory of 3228	4872	d21cbe21e38b385a41a68c5e6dd32f4c.exe	104
PID 4872 wrote to memory of 3228	4872	d21cbe21e38b385a41a68c5e6dd32f4c.exe	104
PID 3228 wrote to memory of 2880	3228	csrss.exe	106
PID 3228 wrote to memory of 2880	3228	csrss.exe	106
PID 3228 wrote to memory of 2880	3228	csrss.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe
"C:\Users\Admin\AppData\Local\Temp\1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe"
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
  "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- - C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
    "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:4872
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:1064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4492
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:4236
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:1528
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:3012
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3228
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
- C:\Users\Admin\AppData\Local\Temp\rty25.exe
  "C:\Users\Admin\AppData\Local\Temp\rty25.exe"
  2⤵
  - Executes dropped EXE
  PID:4256
- C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe

Filesize
419KB

MD5
654abe1db0f972272b5b012914d9e5d6

SHA1
1ac7b42167369dcfa528837f13a2c80de7bcc161

SHA256
5f2bdf7f83ab075f7dafaf7493cbf4ab08d2e79b95cd3382621acfe73ba96094

SHA512
18823ab8a9a160ac169052ec210e6adb356190dc0644c8b5fd6f5ccbc8de2666c5e9d44ef90c954d5b6e948c81ef2666900c0fe40b7d5e4b644a39e8b93c1a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s3z11bv2.mnr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

Filesize
3.8MB

MD5
e9570dc56aef05a0f231e4ff3fb8b95a

SHA1
e4cee4253fc3cd292dfe4ab7ea7008933309307e

SHA256
061e7c6f8b58fc8a5a5d31870d3e2634dc06055b4802eac664afc0e8b90cb883

SHA512
5a7bb6612fdb4aeb824ba736e5f460a6b352778396b1c137c2798b213f94a1b19de743dc27e943d60e9f9eb41e9117e961f200db8741c417150887ab362ac68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

Filesize
64KB

MD5
2823c442890c8c753975dd583ef3a2b5

SHA1
64c3010426aa1389fc8d1286833ecf421f59f524

SHA256
2993e0f534b2b44b41a68a0aa7302a919a153a343c3d143e837b45dfae965922

SHA512
7d704e5326da5228397413fdbfeda7132aa21433ec4f09b3e809cb1829b9d0238d681b8fae182af1e8e4725a6d77bb7496c38de7fa62d79706115f44502cb035

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

Filesize
4.2MB

MD5
66560a15081c9dee9fed498d5f0a25a9

SHA1
fbd7626525777262423fb9beea1e5b7e50fda2b5

SHA256
11e2cfb1fb58a3f69826d5bc36e88fde44c53def20891739ea7054eaabf24551

SHA512
dbd84583c6248db88452ef12074aa668ee982a9fe18484611a1b6d67a7233f9f3fca466bc843dfbc227099a5fd67af24c98f2d5408b26f8cf9fd635f7c70ba07

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe

Filesize
715KB

MD5
8dc1f88ae1fcedeb3983c5f5c3d486b0

SHA1
d40e67ba5558d90cb11eeca04d213322159336fc

SHA256
4a15d91920a4da9a64935248c126fb60e8302198df8e5759da8129ac1841beca

SHA512
0b2263fe049e280af1178fd396a06a04e6b99f7c971839207ae225161257ed9d9b7eaa8d0ceb1f14d3aa2094b53ce91dd045ebc169102e707ea7285f91432ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

Filesize
238KB

MD5
8c20d9745afb54a1b59131314c15d61c

SHA1
1975f997e2db1e487c1caf570263a6a3ba135958

SHA256
a613b6598e0d4c2e52e6ff91538aca8d92c66ef7c13a9baadcba0039570a69d1

SHA512
580021850dfc90647854dd9f8124418abffbe261e3d7f2e1d355dd3a40f31be24f1b9df77ad52f7fa63503a5ee857e270c156e5575e3a32387335018296128d7

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
440c22f2f7d79864b4f74598b2458f2a

SHA1
66b858f49698d6fee5b62b0caa1045e62a5ae9ee

SHA256
4aa3b70948cff7267ba1f613a8bb4c3efda4b74c0954ec39e71ca9c11b653094

SHA512
2017299de581232e5f3d1aaea896e53e1b6f866b741f1334cd4a8d1de2f276a75a85fc765b520fd28e287c78bf4c08739e44dbc617589ef592d5e92a71667826

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
20c9d558b062230d00c0f967b7bba70f

SHA1
b9abc96a412be180d49c5ac4907a27186ce7b45d

SHA256
f0bfa2d5756b1224bbdf92a7cfe18e2e53e4553b784b0d4d858bb0a0f190ef2b

SHA512
9a041a822080dbf7618a00860a43c2604a7aae3f085f07536e25667c1e6f305d8d4b5f911c3a202ac31de39642886704aa9d6a0d9600d26810b4b79e13395bfe

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
7cc4027dccfd57b081923ee50598f6e0

SHA1
e8cd3e5208e3c5388a91cdb2502f0e89cb872611

SHA256
8031bceade7ddc5ecdf349c5db70bbf4a48303a849914d972ec5baf2581cd98a

SHA512
4f2326cc0914c405562c2036f745bc656b5ab3c070b49f0b7e61dd0450143d1ea10c75f6feddd6767f801eeefc331ed301e33dd27c788e6f3fa0fb8e12530e61

Download Submit
memory/460-53-0x00000000005D0000-0x00000000005DB000-memory.dmp

Filesize
44KB

Download
memory/460-63-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/460-52-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/460-54-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1064-138-0x0000000070CF0000-0x0000000071044000-memory.dmp

Filesize
3.3MB

Download
memory/1064-135-0x0000000002C50000-0x0000000002C60000-memory.dmp

Filesize
64KB

Download
memory/1064-137-0x0000000070B40000-0x0000000070B8C000-memory.dmp

Filesize
304KB

Download
memory/1064-129-0x0000000005C00000-0x0000000005F54000-memory.dmp

Filesize
3.3MB

Download
memory/1064-123-0x0000000002C50000-0x0000000002C60000-memory.dmp

Filesize
64KB

Download
memory/1064-136-0x000000007F710000-0x000000007F720000-memory.dmp

Filesize
64KB

Download
memory/1064-148-0x0000000007470000-0x0000000007513000-memory.dmp

Filesize
652KB

Download
memory/1064-149-0x0000000007780000-0x0000000007791000-memory.dmp

Filesize
68KB

Download
memory/1064-134-0x00000000062E0000-0x000000000632C000-memory.dmp

Filesize
304KB

Download
memory/1064-153-0x00000000077D0000-0x00000000077E4000-memory.dmp

Filesize
80KB

Download
memory/1064-122-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/1064-156-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/1528-160-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/1528-161-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/1528-162-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/1528-173-0x0000000005D90000-0x00000000060E4000-memory.dmp

Filesize
3.3MB

Download
memory/1656-118-0x0000000002E20000-0x000000000370B000-memory.dmp

Filesize
8.9MB

Download
memory/1656-107-0x0000000002A10000-0x0000000002E11000-memory.dmp

Filesize
4.0MB

Download
memory/1656-82-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1656-116-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1656-57-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1656-56-0x0000000002E20000-0x000000000370B000-memory.dmp

Filesize
8.9MB

Download
memory/1656-55-0x0000000002A10000-0x0000000002E11000-memory.dmp

Filesize
4.0MB

Download
memory/1980-83-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-50-0x0000000002140000-0x00000000021A7000-memory.dmp

Filesize
412KB

Download
memory/1980-49-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-51-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1980-158-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1980-253-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2852-61-0x00000000056F0000-0x0000000005D18000-memory.dmp

Filesize
6.2MB

Download
memory/2852-86-0x00000000078C0000-0x0000000007936000-memory.dmp

Filesize
472KB

Download
memory/2852-106-0x0000000007C70000-0x0000000007C81000-memory.dmp

Filesize
68KB

Download
memory/2852-104-0x0000000007C50000-0x0000000007C5A000-memory.dmp

Filesize
40KB

Download
memory/2852-108-0x0000000007CB0000-0x0000000007CBE000-memory.dmp

Filesize
56KB

Download
memory/2852-109-0x0000000007CC0000-0x0000000007CD4000-memory.dmp

Filesize
80KB

Download
memory/2852-110-0x0000000007DB0000-0x0000000007DCA000-memory.dmp

Filesize
104KB

Download
memory/2852-111-0x0000000007D00000-0x0000000007D08000-memory.dmp

Filesize
32KB

Download
memory/2852-114-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/2852-103-0x0000000007B60000-0x0000000007C03000-memory.dmp

Filesize
652KB

Download
memory/2852-102-0x0000000007B00000-0x0000000007B1E000-memory.dmp

Filesize
120KB

Download
memory/2852-92-0x0000000070C80000-0x0000000070FD4000-memory.dmp

Filesize
3.3MB

Download
memory/2852-58-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/2852-59-0x0000000004F20000-0x0000000004F56000-memory.dmp

Filesize
216KB

Download
memory/2852-91-0x0000000070AE0000-0x0000000070B2C000-memory.dmp

Filesize
304KB

Download
memory/2852-90-0x0000000007B20000-0x0000000007B52000-memory.dmp

Filesize
200KB

Download
memory/2852-89-0x000000007FC90000-0x000000007FCA0000-memory.dmp

Filesize
64KB

Download
memory/2852-88-0x0000000007960000-0x000000000797A000-memory.dmp

Filesize
104KB

Download
memory/2852-87-0x0000000007FC0000-0x000000000863A000-memory.dmp

Filesize
6.5MB

Download
memory/2852-105-0x0000000007D10000-0x0000000007DA6000-memory.dmp

Filesize
600KB

Download
memory/2852-85-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/2852-84-0x0000000006BA0000-0x0000000006BE4000-memory.dmp

Filesize
272KB

Download
memory/2852-80-0x00000000065F0000-0x000000000663C000-memory.dmp

Filesize
304KB

Download
memory/2852-79-0x00000000065A0000-0x00000000065BE000-memory.dmp

Filesize
120KB

Download
memory/2852-78-0x0000000005F20000-0x0000000006274000-memory.dmp

Filesize
3.3MB

Download
memory/2852-68-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/2852-67-0x0000000005D20000-0x0000000005D86000-memory.dmp

Filesize
408KB

Download
memory/2852-66-0x0000000005630000-0x0000000005652000-memory.dmp

Filesize
136KB

Download
memory/2852-60-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/3228-255-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3380-62-0x0000000002B00000-0x0000000002B16000-memory.dmp

Filesize
88KB

Download
memory/4256-34-0x00007FF64EBB0000-0x00007FF64EC67000-memory.dmp

Filesize
732KB

Download
memory/4872-159-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4872-121-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4872-120-0x0000000002A70000-0x0000000002E71000-memory.dmp

Filesize
4.0MB

Download
memory/4872-174-0x0000000002A70000-0x0000000002E71000-memory.dmp

Filesize
4.0MB

Download
memory/4872-224-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4932-0-0x0000000075240000-0x00000000759F0000-memory.dmp

Filesize
7.7MB

Download
memory/4932-48-0x0000000075240000-0x00000000759F0000-memory.dmp

Filesize
7.7MB

Download
memory/4932-1-0x0000000000E40000-0x00000000013D0000-memory.dmp

Filesize
5.6MB

Download