glupteba | 231db005bf29ea596c7af4c264c0cca57271bb67d2208dfb8e320a4462767327

Analysis

max time kernel
1s
max time network
143s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

231db005bf29ea596c7af4c264c0cca57271bb67d2208dfb8e320a4462767327.exe
Size

4.1MB
MD5

b157e72b328d941ff95bcedb357e2b1b
SHA1

9697221387a51260eeb70fba1d17c271e443e716
SHA256

231db005bf29ea596c7af4c264c0cca57271bb67d2208dfb8e320a4462767327
SHA512

3a3946398d8aaa499a12a5809648e509a708860a4ca2991e277123351034061e4fa2839743c91822143e105cf48f315e46347608dc1ebac060d2a9ba039bd21d
SSDEEP

49152:irtHaZL5Wjk2KurtcZtm0QlCmj+rYGWWB1XMO8YNtIyBSH302qqrJccUXAFAwijV:i5gLD3ycXi38WWB5tjCkyW4IRgc

Score

10^/10

glupteba dropper evasion loader upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 18 IoCs

resource	yara_rule
behavioral1/memory/1724-2-0x0000000004DD0000-0x00000000056BB000-memory.dmp	family_glupteba
behavioral1/memory/1724-3-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral1/memory/1724-4-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral1/memory/1724-8-0x0000000004DD0000-0x00000000056BB000-memory.dmp	family_glupteba
behavioral1/memory/2780-9-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral1/memory/2780-18-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral1/memory/1892-23-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral1/memory/1892-111-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral1/memory/1892-116-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral1/memory/1892-130-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral1/memory/1892-146-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral1/memory/1892-155-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral1/memory/1892-157-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral1/memory/1892-163-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral1/memory/1892-165-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral1/memory/1892-167-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral1/memory/1892-169-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral1/memory/1892-171-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba

Detects Windows executables referencing non-Windows User-Agents 16 IoCs

resource	yara_rule
behavioral1/memory/1724-3-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1724-4-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2780-9-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2780-18-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1892-23-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1892-111-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1892-116-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1892-130-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1892-146-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1892-155-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1892-157-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1892-163-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1892-165-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1892-167-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1892-169-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1892-171-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables Discord URL observed in first stage droppers 16 IoCs

resource	yara_rule
behavioral1/memory/1724-3-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/1724-4-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2780-9-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2780-18-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/1892-23-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/1892-111-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/1892-116-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/1892-130-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/1892-146-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/1892-155-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/1892-157-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/1892-163-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/1892-165-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/1892-167-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/1892-169-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/1892-171-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL

Detects executables containing URLs to raw contents of a Github gist 16 IoCs

resource	yara_rule
behavioral1/memory/1724-3-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1724-4-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2780-9-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2780-18-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1892-23-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1892-111-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1892-116-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1892-130-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1892-146-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1892-155-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1892-157-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1892-163-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1892-165-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1892-167-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1892-169-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1892-171-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

Detects executables containing artifacts associated with disabling Widnows Defender 16 IoCs

resource	yara_rule
behavioral1/memory/1724-3-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/1724-4-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2780-9-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2780-18-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/1892-23-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/1892-111-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/1892-116-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/1892-130-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/1892-146-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/1892-155-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/1892-157-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/1892-163-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/1892-165-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/1892-167-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/1892-169-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/1892-171-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender

Detects executables referencing many varying, potentially fake Windows User-Agents 16 IoCs

resource	yara_rule
behavioral1/memory/1724-3-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/1724-4-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2780-9-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2780-18-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/1892-23-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/1892-111-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/1892-116-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/1892-130-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/1892-146-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/1892-155-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/1892-157-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/1892-163-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/1892-165-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/1892-167-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/1892-169-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/1892-171-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA

Modifies boot configuration data using bcdedit 14 IoCs

pid	Process
1088	bcdedit.exe
2260	bcdedit.exe
2452	bcdedit.exe
980	bcdedit.exe
2252	bcdedit.exe
1604	bcdedit.exe
2188	bcdedit.exe
2220	bcdedit.exe
1880	bcdedit.exe
2284	bcdedit.exe
836	bcdedit.exe
2212	bcdedit.exe
608	bcdedit.exe
2348	bcdedit.exe

UPX dump on OEP (original entry point) 5 IoCs

resource	yara_rule
behavioral1/files/0x0004000000004ed7-149.dat	UPX
behavioral1/memory/1544-150-0x0000000000400000-0x00000000008DF000-memory.dmp	UPX
behavioral1/files/0x0004000000004ed7-151.dat	UPX
behavioral1/files/0x0004000000004ed7-152.dat	UPX
behavioral1/memory/2900-153-0x0000000000400000-0x00000000008DF000-memory.dmp	UPX

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2604	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0004000000004ed7-149.dat	upx
behavioral1/memory/1544-150-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/files/0x0004000000004ed7-151.dat	upx
behavioral1/files/0x0004000000004ed7-152.dat	upx
behavioral1/memory/1544-154-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2900-153-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2900-156-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2900-160-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1288	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2788	schtasks.exe
2720	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\231db005bf29ea596c7af4c264c0cca57271bb67d2208dfb8e320a4462767327.exe
"C:\Users\Admin\AppData\Local\Temp\231db005bf29ea596c7af4c264c0cca57271bb67d2208dfb8e320a4462767327.exe"
1⤵
PID:1724
- C:\Users\Admin\AppData\Local\Temp\231db005bf29ea596c7af4c264c0cca57271bb67d2208dfb8e320a4462767327.exe
  "C:\Users\Admin\AppData\Local\Temp\231db005bf29ea596c7af4c264c0cca57271bb67d2208dfb8e320a4462767327.exe"
  2⤵
  PID:2780
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:2848
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:2604
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:1892
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2788
  - - C:\Windows\system32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:3064
  - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
      "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
      4⤵
      PID:1620
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1088
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2260
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2452
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:980
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2252
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1604
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2188
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2220
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2284
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:836
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2212
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:608
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2348
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:1684
  - - C:\Windows\system32\bcdedit.exe
      C:\Windows\Sysnative\bcdedit.exe /v
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1880
  - - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      4⤵
      PID:2396
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2720
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:1544
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:856
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:1288

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240213022530.log C:\Windows\Logs\CBS\CbsPersist_20240213022530.cab
1⤵
PID:2028

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab66D0.tmp

Filesize
7KB

MD5
5da20b844c34cda2b83a71b13db09cc4

SHA1
69e6d745c078011b171356b1257806a6e6bd1cfe

SHA256
6556af10ea7818bee690b6e39844a2ddc3a42bff4cf27434584de666ef7e459b

SHA512
f2686a91185d8500ee47df031a996e8143d3fd994283c9792e5992870e5cf67003dafdfd74694ac9f358b1e843fc93d34a559c6ba226ac4744f628f3115b4415

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
163KB

MD5
e2a3c3d975679430e2f489a60ba9ad0b

SHA1
80242fee92328f36da4cc910eb329b02e252f2e8

SHA256
33abafabf4725342db073f0f613629c5e5bcff44d340f3217092b123a7ac51c5

SHA512
116dcc45464f37f3eb2b81b853a5d6a66bdeaa0eed17bcf270c8407079bced9dcc3b760c36591378914d73bdf29b0ab04f6b20cfbeb849b925087276680f4a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
199KB

MD5
6e71beff3749f4abb306562e3578f30e

SHA1
8941fceed2c92aa41ef4808f1e43ed695f86c5d0

SHA256
43e456a893192b5fb2b19ec0a5a5bdbaba2d7d3841ac72055eb9982edd7c3a3d

SHA512
6afe37f1b36fdfafb7240ac61d072111fd4043a915505fbb9210e50469cfced83e0c72f34940e29027db59531ca5b0ed100df4374bd7963c08bebcbcf82faf83

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar680B.tmp

Filesize
123KB

MD5
dd4e71bd8ca272bf9e0d0cd93d4eee2f

SHA1
8f3109e17c488bfa29ea390f50c2319235f1861a

SHA256
ebdca431bf1b8d1d87e33aabb7db1c93a1bb501404a79004803a56f4fc9c77e1

SHA512
d75dd643136abae0bae86f97cc24435e749149d792e10de18929f765018dee7128cb91392ea7418351dab3561b31386c892ef9e0b1074eff321af3644ce98f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
154KB

MD5
8d4140b24b777988155caff541e31b55

SHA1
5b95c0be7c4663a1115eb688a1741c89e205bf33

SHA256
74c7f0fd3c6a48ff5b0e18dbc19dde523a540de77e3a1d5bd4448e05f926f79b

SHA512
8fe74ff56ecafd47aee98ed16e6add88b083f5201b9a5e8b3691a5ec69e5628b71ea63a392608fdf1983e846f0e4ca4d507c3d76352bc511991c524041677762

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
636KB

MD5
55b89f4ba64be3e42d45e8811669eae4

SHA1
8c7857a71ae9428faba1fd4b0e7e5e59ddefe306

SHA256
298c97d073fdf1073487b3e31b03729e2eed2a008e79871aa4482006e293cc1a

SHA512
f57bec7a39edaa40821f2c1ceea8e7419d05b0a11f5c1ad05f578911cffcf3ffa1888d81e53aebfac7e38f08a30b03b47f7215f939d76b7af552b883c2b0e5d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
351KB

MD5
0f071f3469957f787378ef794e6d0d2f

SHA1
05050b118404d74d9bce144b9ced443a132a3333

SHA256
30e27833d2b8fc9e87c6ccf0cc2ad1643a6d0ec64eaff0d7597b1be0632ad749

SHA512
9f60d88cdb4b4e42321d584e72c78fb7d2740b6109ecfdae54d2e1deb3814ae6d821b5d355e433743514aec25b4c8f1d5e839aaa4212ec1b9c964a35c5485b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
71KB

MD5
ace8bba2aaefb918fb853ddbc193f0a8

SHA1
2d24580ecd45240bfe3f466f7c59fa6edef372f6

SHA256
487a1b5e238b3e3ee75f62d407eceeb54730ff9304a509a6281803572c371031

SHA512
8f6bfdf488582f48a4edee750a44c91f49b1bf0ebd944344d943656a2193396ea1b9e9866cd7681216464fc3c2aa4e9275795a3e67ae54c57d6d457eb1c25036

Download Submit
C:\Windows\rss\csrss.exe

Filesize
878KB

MD5
c204b99f493b44662e40e8e7e7f0cb95

SHA1
edf984160c3c71bc746b4e6a31ef9b34bc9e24a5

SHA256
26453cea6705807fa8420d6634f56b17a7cb2158b182bb03fe1685b414ddb649

SHA512
049b11d306845990461fd4dd9ea62d698af1ead4fe073c28d8378461dda5b4baf5a40d84f535665453cc35f0b35e3015576cffaef4c5e57131295d3651a458d1

Download Submit
C:\Windows\rss\csrss.exe

Filesize
412KB

MD5
e8578a0c069bb217fbb80961bab8d993

SHA1
ad61178a6f1559b2a4bb58d8c3d3f52545d5d93a

SHA256
2c95ec92a5be4c013421dc9e63acfb2ae0093bf555b19aa2f318b6790914d6a9

SHA512
6e333c17de68b871cd6969aedc1424aba73082bb5d6d92cdabc96d8bfd4ca4a074f0a79197e15206059077b9c056f0da50729e473c21131d09ba4dbb2d254198

Download Submit
C:\Windows\rss\csrss.exe

Filesize
493KB

MD5
61d17fb9b0c99b636acd2413a363aa86

SHA1
ca9c5162afb0032a2aaa4dd6a6fbfe1395465bc7

SHA256
0f993a8e6e4d41bbe2135c00ebbe09c3d406a9938aef1f2c60f099ceea73b143

SHA512
d38006d739c0bba4af931e04fead84a07c000c12f789f099f095a65299050f01469ecb8b318a1bfa4e20149a905ac2d5d0eb7d0ac50be3eb2ae1bd17065a1ac0

Download Submit
C:\Windows\windefender.exe

Filesize
12KB

MD5
ba5496a6d237ed5e7b7e7efb8914728c

SHA1
c84ac4dd1d50f1988ba3f7feed0ee07a7250f6e0

SHA256
31d130b91449583bbb5be307db476d9657011a07fe990c1f1fd721452543c501

SHA512
acd0dfe034824e789cc7473eddbb4cf5fd8c41cceea7cd32b286514bb3ab24d755bc70dcd66f15f110efde8ab7e845a7744b76622828bd5d991374bb21c8682a

Download Submit
C:\Windows\windefender.exe

Filesize
28KB

MD5
4cdff3059c122712b294cf6f9ef3f735

SHA1
89caeba071014c55722f2dba5cc7ff4771e8e563

SHA256
dca20f1805388eace9d3b834e08007b29b71ed100e332dc343f776e8b44ee848

SHA512
a44b5b724345bb1c8d966277c4d1e90f43d0ed2ad43dc671d2db582d7e07cbf4b4e5f4efc954b4556fd0e3aab620589f92b9cfb0a7df26abc985717825ac0da3

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
118KB

MD5
124ebc96e2ec7ab11fd15703297ce316

SHA1
d024e44fd366839df5042bd4ba4c1a562bd866a4

SHA256
20afc8c2473307be46ddef7a60c8432bec32ecdcb10d382e50b6513b87209183

SHA512
f3f801d83ca113af93e6779a820e4a11a0495bbfa6563dc6b1136df8f4e3fbf16176eccee20b9d7aefe354fb7dd2a45bb239579f5a60e1525ffcaf7ba286ebbc

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
491KB

MD5
0242a2160aa6501a1e66fac265d5891c

SHA1
7ce7aeac02a8fdd36bb4b0e9d1009e8a2664642d

SHA256
7dbff466f89875bdfe3eebd4dd069a41703f714904fd2e659a4fd2addec3e681

SHA512
19972771ae2147ede708c5f717b478561b42d7c9b662570a965388c5f1823fdc622842be5b0feb9ea48926ab1333c064a8ebf1fda7832f1a1916da5d8f8fa48b

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
345KB

MD5
111480f187cb8897915b8823c6ff037d

SHA1
742197bd0297ad60cc3087c7e1dc97ae6b99c980

SHA256
44823d575f20204365cb7370465f1cac808762abef79f58c290a17eacfa14719

SHA512
b7eb3e0307b34ef69aebc2e3d4a1ca82318ad90b312df53119e044348b0898b703779df3b2db558beb486da8b709b16c8fbb4d253c2b2f4b516c3b065c1961d6

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
353KB

MD5
bb59e49fc6c7c7c58805155d179aa76f

SHA1
b82e68201984972c5d4b169855379da1f0af12e0

SHA256
f245de9857188cd7f77a00649d9a0e3841e76c6a6cd694d4017219e95d736a1a

SHA512
c06459f2ebd466f4b1aa0a2b7354de8f0a7bb99e760f6b1bbb57323ebd723f31f5b5a03317554324fa1edb3e6d75aff87ce65c99ff52e6597c98b974933da8b6

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
340KB

MD5
d722b764a24fecb24fc9e5e058d76a27

SHA1
f65df4b6c4bb929e0bb1c6c1d8df7dbadd6c64a7

SHA256
ae3f478562bdb779152406340ba0c8c6fcaae58902ac89a42908d209356b537c

SHA512
8884705cb5b60d1c1f247cd1898b385e7165e95c16b46630836f7fb412c9787b6075d371411c0e137fa2fe0890c6e38f55de7fa8989f41d5fae5af7af5ab3313

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
287KB

MD5
9096003f3c5cb2644ab7d2aad2b32697

SHA1
2f9e758b1c54eab8199eabdabc3ac7f1ce535f31

SHA256
d4e28ea90f3bcefd558e18a48ce17846e7bf0b95f893767ad7ad1fb9f0ac86cb

SHA512
a9a84758976b2abe4f22b212ca40fd45e0531b363da4f91921424bd91f9fb59fff5176048a8dfc7746cd06513bb21b39587a983df8c40af54ce169c9024375f6

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
154KB

MD5
1d9afc9e399c847db4a0d4d771282176

SHA1
73fc787bd394f03c0651868c9b922351ce87c761

SHA256
0e5b6669f2b4c5d475c3fcd8c16f54c505a586925bca40e35cbfcf4a753f5b5b

SHA512
96e0b70f0ef63bd75d74ff83af277d2bce58f610df2744f88c142203b1afa0d22ff5ceb6671d39f54a4748f82feb4cbe19fff600373bbb2beb7f55726b032e61

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
126KB

MD5
d295e2d71d889a86b62ed8859b177150

SHA1
16bb7aeb8eb5c914f37d4796d969161dac892e59

SHA256
1d7178bbc4bfd04399a410d5b29e6d13dfb9f87901745f6280144ba9641ad0c0

SHA512
24b2dcd9fc1c1c81273021b336e776ca8071c3001b887db6ca1628f6906938610eac9d13ffbf01f68c8f0b496f6a19c3fed50b69d4a927073c1212673641211f

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
126KB

MD5
1f97143c458e0bae30171412153818db

SHA1
806c88589c3126b6d540a9364f32cc38ceac4780

SHA256
655e0e9c14529c2a2459308cfa1cd962b824cde5eb1dd2904274f7c71c8901e8

SHA512
ffb9ea93658581014a78629af85574ed238ba1949619ce9ecae5e0c89d68068f9d704dd1c64a9e21181818a11d1fca7eb6806dcc3ff213ca9260a4aa7447ea3a

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe

Filesize
592KB

MD5
764e8503570122a2f4960f15dcc20380

SHA1
2a0c7f7da7107c19086fa2818ae2d2af3cc36e0f

SHA256
e092b17d4d36a203227972b22589ba9f18d98e3922d3c592f2934c413130943a

SHA512
39118778f34df81b34f6332411ebac33524a4a9a83a62b020c390656676057bb5bf44fb232ae749370e90062f47efddab882e3329187c03926d875164f418037

Download Submit
\Windows\rss\csrss.exe

Filesize
425KB

MD5
f373a5215289e84764b97efd8e97a0b0

SHA1
94fb02271feb8bb00eef544ee75fa3e8946998fc

SHA256
57163a837e399c3222c787bf0fbac019c59928bc8436bb3014af237fc9cadec4

SHA512
d4f697c07fb8fe066c40a0e13e2f535a5cb71902f9463fba3e1969d18e6466f7c0d485b73e467091c8f7215de50a1cee7ce21078b58a67968eb841901898b07d

Download Submit
memory/1544-154-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1544-150-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1620-60-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1620-42-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1724-4-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/1724-0-0x00000000049D0000-0x0000000004DC8000-memory.dmp

Filesize
4.0MB

Download
memory/1724-1-0x00000000049D0000-0x0000000004DC8000-memory.dmp

Filesize
4.0MB

Download
memory/1724-8-0x0000000004DD0000-0x00000000056BB000-memory.dmp

Filesize
8.9MB

Download
memory/1724-2-0x0000000004DD0000-0x00000000056BB000-memory.dmp

Filesize
8.9MB

Download
memory/1724-3-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/1724-6-0x00000000049D0000-0x0000000004DC8000-memory.dmp

Filesize
4.0MB

Download
memory/1892-115-0x0000000004A00000-0x0000000004DF8000-memory.dmp

Filesize
4.0MB

Download
memory/1892-161-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/1892-173-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/1892-20-0x0000000004A00000-0x0000000004DF8000-memory.dmp

Filesize
4.0MB

Download
memory/1892-171-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/1892-130-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/1892-116-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/1892-146-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/1892-111-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/1892-169-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/1892-167-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/1892-19-0x0000000004A00000-0x0000000004DF8000-memory.dmp

Filesize
4.0MB

Download
memory/1892-165-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/1892-163-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/1892-155-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/1892-23-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/1892-157-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/1892-159-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/2780-18-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/2780-9-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/2780-7-0x0000000004930000-0x0000000004D28000-memory.dmp

Filesize
4.0MB

Download
memory/2780-5-0x0000000004930000-0x0000000004D28000-memory.dmp

Filesize
4.0MB

Download
memory/2780-21-0x0000000004930000-0x0000000004D28000-memory.dmp

Filesize
4.0MB

Download
memory/2900-160-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2900-156-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2900-153-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads