glupteba | 231db005bf29ea596c7af4c264c0cca57271bb67d2208dfb8e320a4462767327

Analysis

max time kernel
1s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 02:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

231db005bf29ea596c7af4c264c0cca57271bb67d2208dfb8e320a4462767327.exe
Size

4.1MB
MD5

b157e72b328d941ff95bcedb357e2b1b
SHA1

9697221387a51260eeb70fba1d17c271e443e716
SHA256

231db005bf29ea596c7af4c264c0cca57271bb67d2208dfb8e320a4462767327
SHA512

3a3946398d8aaa499a12a5809648e509a708860a4ca2991e277123351034061e4fa2839743c91822143e105cf48f315e46347608dc1ebac060d2a9ba039bd21d
SSDEEP

49152:irtHaZL5Wjk2KurtcZtm0QlCmj+rYGWWB1XMO8YNtIyBSH302qqrJccUXAFAwijV:i5gLD3ycXi38WWB5tjCkyW4IRgc

Score

10^/10

glupteba dropper evasion loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 7 IoCs

resource	yara_rule
behavioral2/memory/3624-2-0x00000000052B0000-0x0000000005B9B000-memory.dmp	family_glupteba
behavioral2/memory/3624-3-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral2/memory/1120-56-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral2/memory/3624-58-0x00000000052B0000-0x0000000005B9B000-memory.dmp	family_glupteba
behavioral2/memory/3624-84-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral2/memory/1120-187-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral2/memory/3300-261-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba

Detects Windows executables referencing non-Windows User-Agents 5 IoCs

resource	yara_rule
behavioral2/memory/3624-3-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1120-56-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3624-84-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1120-187-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3300-261-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables Discord URL observed in first stage droppers 5 IoCs

resource	yara_rule
behavioral2/memory/3624-3-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/1120-56-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/3624-84-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/1120-187-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/3300-261-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL

Detects executables containing URLs to raw contents of a Github gist 5 IoCs

resource	yara_rule
behavioral2/memory/3624-3-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1120-56-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3624-84-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1120-187-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3300-261-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

Detects executables containing artifacts associated with disabling Widnows Defender 5 IoCs

resource	yara_rule
behavioral2/memory/3624-3-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/1120-56-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/3624-84-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/1120-187-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/3300-261-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender

Detects executables referencing many varying, potentially fake Windows User-Agents 5 IoCs

resource	yara_rule
behavioral2/memory/3624-3-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/1120-56-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/3624-84-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/1120-187-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/3300-261-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3900	netsh.exe

Program crash 46 IoCs

pid	pid_target	Process	procid_target
576	3624	WerFault.exe	19
688	3624	WerFault.exe	19
4732	3624	WerFault.exe	19
3424	3624	WerFault.exe	19
504	3624	WerFault.exe	19
3900	3624	WerFault.exe	19
2724	3624	WerFault.exe	19
208	3624	WerFault.exe	19
4520	3624	WerFault.exe	19
2444	3624	WerFault.exe	19
1688	3624	WerFault.exe	19
4812	3624	WerFault.exe	19
3228	3624	WerFault.exe	19
3692	3624	WerFault.exe	19
4064	3624	WerFault.exe	19
3456	3624	WerFault.exe	19
2424	3624	WerFault.exe	19
4728	3624	WerFault.exe	19
4624	3624	WerFault.exe	19
3220	1120	WerFault.exe	129
4448	1120	WerFault.exe	129
3716	1120	WerFault.exe	129
2692	1120	WerFault.exe	129
2572	1120	WerFault.exe	129
2360	1120	WerFault.exe	129
4984	1120	WerFault.exe	129
4500	1120	WerFault.exe	129
3100	1120	WerFault.exe	129
3844	3300	WerFault.exe	159
1484	3300	WerFault.exe	159
3704	3300	WerFault.exe	159
2972	3300	WerFault.exe	159
1100	3300	WerFault.exe	159
3788	3300	WerFault.exe	159
2116	3300	WerFault.exe	159
1492	3300	WerFault.exe	159
4916	3300	WerFault.exe	159
3856	3300	WerFault.exe	159
2444	3300	WerFault.exe	159
4996	3300	WerFault.exe	159
4916	3300	WerFault.exe	159
4056	3300	WerFault.exe	159
5012	3300	WerFault.exe	159
3860	3300	WerFault.exe	159
3152	3300	WerFault.exe	159
4768	3300	WerFault.exe	159

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
856	schtasks.exe
1560	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\231db005bf29ea596c7af4c264c0cca57271bb67d2208dfb8e320a4462767327.exe
"C:\Users\Admin\AppData\Local\Temp\231db005bf29ea596c7af4c264c0cca57271bb67d2208dfb8e320a4462767327.exe"
1⤵
PID:3624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 480
  2⤵
  - Program crash
  PID:576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 496
  2⤵
  - Program crash
  PID:688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 512
  2⤵
  - Program crash
  PID:4732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 620
  2⤵
  - Program crash
  PID:3424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 724
  2⤵
  - Program crash
  PID:504
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 744
  2⤵
  - Program crash
  PID:3900
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 744
  2⤵
  - Program crash
  PID:2724
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 712
  2⤵
  - Program crash
  PID:208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 676
  2⤵
  - Program crash
  PID:4520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 768
  2⤵
  - Program crash
  PID:2444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 708
  2⤵
  - Program crash
  PID:1688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 876
  2⤵
  - Program crash
  PID:4812
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 828
  2⤵
  - Program crash
  PID:3228
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 620
  2⤵
  - Program crash
  PID:3692
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 620
  2⤵
  - Program crash
  PID:4064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 884
  2⤵
  - Program crash
  PID:3456
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 876
  2⤵
  - Program crash
  PID:2424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 864
  2⤵
  - Program crash
  PID:4728
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  PID:4456
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 880
  2⤵
  - Program crash
  PID:4624
- C:\Users\Admin\AppData\Local\Temp\231db005bf29ea596c7af4c264c0cca57271bb67d2208dfb8e320a4462767327.exe
  "C:\Users\Admin\AppData\Local\Temp\231db005bf29ea596c7af4c264c0cca57271bb67d2208dfb8e320a4462767327.exe"
  2⤵
  PID:1120
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 452
    3⤵
    - Program crash
    PID:3220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 468
    3⤵
    - Program crash
    PID:4448
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 696
    3⤵
    - Program crash
    PID:3716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 696
    3⤵
    - Program crash
    PID:2692
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 652
    3⤵
    - Program crash
    PID:2572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 696
    3⤵
    - Program crash
    PID:2360
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 724
    3⤵
    - Program crash
    PID:4984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 472
    3⤵
    - Program crash
    PID:4500
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 744
    3⤵
    - Program crash
    PID:3100
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:1740
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:992
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:240
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:4628
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:3300
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 480
      4⤵
      Program crash
      PID:3844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 496
      4⤵
      Program crash
      PID:1484
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 504
      4⤵
      Program crash
      PID:3704
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 672
      4⤵
      Program crash
      PID:2972
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 672
      4⤵
      Program crash
      PID:1100
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 740
      4⤵
      Program crash
      PID:3788
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 756
      4⤵
      Program crash
      PID:2116
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 784
      4⤵
      Program crash
      PID:1492
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:3152
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 728
      4⤵
      Program crash
      PID:4916
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 936
      4⤵
      Program crash
      PID:3856
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 912
      4⤵
      Program crash
      PID:2444
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:332
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 892
      4⤵
      Program crash
      PID:4996
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:4632
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:1560
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:1104
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 844
      4⤵
      Program crash
      PID:4916
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 992
      4⤵
      Program crash
      PID:4056
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:2908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 732
      4⤵
      Program crash
      PID:5012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 732
      4⤵
      Program crash
      PID:3860
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 972
      4⤵
      Program crash
      PID:3152
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 616
      4⤵
      Program crash
      PID:4768
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3624 -ip 3624
1⤵
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3624 -ip 3624
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3624 -ip 3624
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3624 -ip 3624
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3624 -ip 3624
1⤵
PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3624 -ip 3624
1⤵
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3624 -ip 3624
1⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3624 -ip 3624
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3624 -ip 3624
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3624 -ip 3624
1⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3624 -ip 3624
1⤵
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3624 -ip 3624
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3624 -ip 3624
1⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3624 -ip 3624
1⤵
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3624 -ip 3624
1⤵
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3624 -ip 3624
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3624 -ip 3624
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3624 -ip 3624
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3624 -ip 3624
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1120 -ip 1120
1⤵
PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1120 -ip 1120
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1120 -ip 1120
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1120 -ip 1120
1⤵
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1120 -ip 1120
1⤵
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1120 -ip 1120
1⤵
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1120 -ip 1120
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1120 -ip 1120
1⤵
PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1120 -ip 1120
1⤵
PID:404

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3300 -ip 3300
1⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3300 -ip 3300
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3300 -ip 3300
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3300 -ip 3300
1⤵
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3300 -ip 3300
1⤵
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3300 -ip 3300
1⤵
PID:1036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3300 -ip 3300
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3300 -ip 3300
1⤵
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3300 -ip 3300
1⤵
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3300 -ip 3300
1⤵
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3300 -ip 3300
1⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3300 -ip 3300
1⤵
PID:492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3300 -ip 3300
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3300 -ip 3300
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3300 -ip 3300
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3300 -ip 3300
1⤵
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3300 -ip 3300
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3300 -ip 3300
1⤵
PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w3twmgsg.whc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
14KB

MD5
5a319ecd18f78b8e1bc8a1abb7f73bc0

SHA1
afa8ec6fba6d0c8ba6c23873ec7ab8dd1e1d8a9f

SHA256
982008511c6acbf5a50652673ba4e8d99e5435c7be8ce4ac8beb5356df85f800

SHA512
47e38f22bbfbecbf71a95c44b27c5d0a806e95b449aa5622b6d8ad5c4f5064b0cee647f5b8ca0ebdb5fd7384aed44a9fb3939ca9995f1ad7e6d0aae138b02ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
18KB

MD5
3dd84d481040011558a5f1fef8720f02

SHA1
3151d308fd466c3a4ada6930f6fe377bee749e22

SHA256
5d5325c2ea88f7922b86c37b87eaba088f4ed3a6aa93ce7dce9c2115b5703ee5

SHA512
9e6e39aea5a5d9a9c3ce58549cc1df1facaa437f157d06d33fe1f110b66a595f6ae9a14a98e611f9354a75238da2637c7891671d7355dbf624f351bf5381fdfa

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
7364bdf8975f54bf9ab5874f74978f17

SHA1
07c59f270277ddd34403f2779fba2dac8f9bdaf9

SHA256
c77f30dc6c02e84399138d22b13f2ddcb457dcfe8f04073f8e163f1c33cdaa74

SHA512
14a55b77ae4a9f621686dd10bd5be9033a1d8fa1703c444c735a378cb31eb25f917eab9d7a8ec0af8602c44b3289d13e3bfd37d500334ff9c2f83d95ad437d00

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
239f2a723a90c2f86153ff92745cce3c

SHA1
eed61b154b8c43d545cec9bdaf2c98a008f19af9

SHA256
eb64bfdec253ff9901a7be2df0a4043e6cfee6c9e6cbcf5cbc8af892123a7478

SHA512
672d5f0b225b39f11640b13f933d9c5ad64560a84b137957d444bc08212ec254587b13a26dcd5035cc272a8ee9e3722b306941b835e09379f044a23f9060ad7c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
a048fb430e3f6aa6802123d5475adb75

SHA1
4f76c99cd25baa1ddbaccd0b7f96e644abc4690b

SHA256
5878be1e6ba6c2411ea076204f0f90c50ab744ae5b61a20a3ee694a1b530be66

SHA512
16837f74c502a83fd9025b2300acf015209af32a204c039691d2061c776005b4b9969d61987c912249f12b34eef0b8b070268651683acc2ffaeae06f98ce5db7

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
394b0b7b7f693d927f46a0e454da90a9

SHA1
b34f72e66608c3b19fc4aa1488ce22ac4b92dc08

SHA256
8ac069261663d679d802b8adce5d5d2d451de2411bf6e7b296ea2777f442f27f

SHA512
bfab0d2c3cc489979c5bb903b825e3c111daa91fe2a376236a3a45705a6af4cabaf143f0c1ea2ffa02b8e0cfda204bcdedfee6720711be4525561ea65f5524a2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
06e55c207ad31abc5bb7c84b423e84d5

SHA1
eeb60bb2dfec2dc754e2f908acbbc1b1bb3a6ce3

SHA256
bb1e05dd6b1dcef2f59fc40bb985f8df0c023df6bc25fc0a7b8ca32027b53427

SHA512
6f90dd6a2df7cbff70cbfd3f244b6abb3873e66f52bcf8ae8e3302c697b9fe061700dcffe46ab9fda970a16ab6e458cdbbdaeedb384ce7a0799f288603f873b4

Download Submit
C:\Windows\rss\csrss.exe

Filesize
415KB

MD5
a859cc305cf79e56691b91f64b694cc6

SHA1
f3797a1a1f8580f8a44ee3a9f2434c136c3d079d

SHA256
cfb97e54550a185f245b42a2e3a439d700404b926049be8632ece9e6293a54b3

SHA512
4bbc8a458901c8cc08836bcb888a53774aa0aaf7a6647cc788cc5215a8aca07b5bdcec22aabe187b0e29e78bc2f0a3479dd60641ed0cdd30349ec731c6f1356d

Download Submit
C:\Windows\rss\csrss.exe

Filesize
272KB

MD5
46aa02cf067633575bd0fad6c70b9c36

SHA1
3336f556f738603f8d1862aa5af5ef2abacaabd7

SHA256
e81bee701dc01348b4ad2d8f340d10a822eef0c74dd10c3b9640a58ec8f7bf9a

SHA512
c9351ac9fc688a3d84a27d8e83e6d40a88dfba39dffeeb343a93cab35c21b1310bbe39c676a055f5d3017e24939be849f2de93b399f333763486c38f684b6714

Download Submit
memory/240-108-0x0000000070EE0000-0x0000000071234000-memory.dmp

Filesize
3.3MB

Download
memory/240-120-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/240-106-0x000000007FCE0000-0x000000007FCF0000-memory.dmp

Filesize
64KB

Download
memory/240-107-0x0000000070760000-0x00000000707AC000-memory.dmp

Filesize
304KB

Download
memory/240-122-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/240-93-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/240-94-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/240-95-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/1120-119-0x0000000004E00000-0x0000000005208000-memory.dmp

Filesize
4.0MB

Download
memory/1120-55-0x0000000004E00000-0x0000000005208000-memory.dmp

Filesize
4.0MB

Download
memory/1120-187-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/1120-56-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/1740-67-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/1740-66-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/1740-91-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/1740-88-0x0000000007930000-0x0000000007944000-memory.dmp

Filesize
80KB

Download
memory/1740-87-0x00000000078E0000-0x00000000078F1000-memory.dmp

Filesize
68KB

Download
memory/1740-86-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/1740-85-0x000000007FD90000-0x000000007FDA0000-memory.dmp

Filesize
64KB

Download
memory/1740-73-0x0000000070EE0000-0x0000000071234000-memory.dmp

Filesize
3.3MB

Download
memory/1740-83-0x00000000075E0000-0x0000000007683000-memory.dmp

Filesize
652KB

Download
memory/1740-72-0x0000000070760000-0x00000000707AC000-memory.dmp

Filesize
304KB

Download
memory/1740-64-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/1740-65-0x0000000005DD0000-0x0000000006124000-memory.dmp

Filesize
3.3MB

Download
memory/3300-261-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/3624-57-0x0000000004EA0000-0x00000000052A4000-memory.dmp

Filesize
4.0MB

Download
memory/3624-84-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/3624-2-0x00000000052B0000-0x0000000005B9B000-memory.dmp

Filesize
8.9MB

Download
memory/3624-1-0x0000000004EA0000-0x00000000052A4000-memory.dmp

Filesize
4.0MB

Download
memory/3624-3-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/3624-58-0x00000000052B0000-0x0000000005B9B000-memory.dmp

Filesize
8.9MB

Download
memory/4456-24-0x0000000006080000-0x00000000060C4000-memory.dmp

Filesize
272KB

Download
memory/4456-22-0x0000000005BA0000-0x0000000005BBE000-memory.dmp

Filesize
120KB

Download
memory/4456-49-0x00000000073B0000-0x00000000073CA000-memory.dmp

Filesize
104KB

Download
memory/4456-53-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/4456-47-0x00000000072B0000-0x00000000072BE000-memory.dmp

Filesize
56KB

Download
memory/4456-48-0x00000000072C0000-0x00000000072D4000-memory.dmp

Filesize
80KB

Download
memory/4456-46-0x0000000007270000-0x0000000007281000-memory.dmp

Filesize
68KB

Download
memory/4456-28-0x000000007F5F0000-0x000000007F600000-memory.dmp

Filesize
64KB

Download
memory/4456-29-0x0000000007100000-0x0000000007132000-memory.dmp

Filesize
200KB

Download
memory/4456-42-0x0000000007160000-0x0000000007203000-memory.dmp

Filesize
652KB

Download
memory/4456-43-0x00000000046D0000-0x00000000046E0000-memory.dmp

Filesize
64KB

Download
memory/4456-30-0x0000000070760000-0x00000000707AC000-memory.dmp

Filesize
304KB

Download
memory/4456-26-0x00000000075B0000-0x0000000007C2A000-memory.dmp

Filesize
6.5MB

Download
memory/4456-27-0x0000000006F50000-0x0000000006F6A000-memory.dmp

Filesize
104KB

Download
memory/4456-25-0x0000000006EB0000-0x0000000006F26000-memory.dmp

Filesize
472KB

Download
memory/4456-44-0x0000000007250000-0x000000000725A000-memory.dmp

Filesize
40KB

Download
memory/4456-23-0x0000000006140000-0x000000000618C000-memory.dmp

Filesize
304KB

Download
memory/4456-50-0x00000000072F0000-0x00000000072F8000-memory.dmp

Filesize
32KB

Download
memory/4456-21-0x0000000005550000-0x00000000058A4000-memory.dmp

Filesize
3.3MB

Download
memory/4456-9-0x0000000004CA0000-0x0000000004CC2000-memory.dmp

Filesize
136KB

Download
memory/4456-45-0x0000000007310000-0x00000000073A6000-memory.dmp

Filesize
600KB

Download
memory/4456-31-0x0000000070900000-0x0000000070C54000-memory.dmp

Filesize
3.3MB

Download
memory/4456-41-0x0000000007140000-0x000000000715E000-memory.dmp

Filesize
120KB

Download
memory/4456-4-0x00000000045A0000-0x00000000045D6000-memory.dmp

Filesize
216KB

Download
memory/4456-10-0x00000000053B0000-0x0000000005416000-memory.dmp

Filesize
408KB

Download
memory/4456-6-0x00000000046D0000-0x00000000046E0000-memory.dmp

Filesize
64KB

Download
memory/4456-11-0x0000000005420000-0x0000000005486000-memory.dmp

Filesize
408KB

Download
memory/4456-5-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/4456-8-0x0000000004D10000-0x0000000005338000-memory.dmp

Filesize
6.2MB

Download
memory/4456-7-0x00000000046D0000-0x00000000046E0000-memory.dmp

Filesize
64KB

Download
memory/4628-137-0x000000007EE20000-0x000000007EE30000-memory.dmp

Filesize
64KB

Download
memory/4628-134-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/4628-135-0x0000000005D40000-0x0000000006094000-memory.dmp

Filesize
3.3MB

Download
memory/4628-123-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/4628-124-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads