glupteba | cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb

Analysis

max time kernel
15s
max time network
17s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
28/03/2024, 22:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Size

4.1MB
MD5

9a43cd3ff62da3ee52afd5adf8b1bcb7
SHA1

cde71e22c08f50ca7d945f66d77ffac77234b24e
SHA256

cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb
SHA512

ec636fc3b1bbea9355bf1bb2c4c6cece1cfa9eb3604e708a20bc5b34713278888ed2bb4bf7a4534fff22d451bb14802b38c747e083fa00c8807a37dc6d1da76a
SSDEEP

98304:TnBT2yxfuzTI5fStKEP/KBtuRmnykiTetptq5ld6zSH5JXyGfEjJg:NqqUKXID/eQ/nIy

Score

10^/10

glupteba dropper evasion loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 7 IoCs

resource	yara_rule
behavioral2/memory/2200-2-0x0000000002FF0000-0x00000000038DB000-memory.dmp	family_glupteba
behavioral2/memory/2200-3-0x0000000000400000-0x0000000000ECD000-memory.dmp	family_glupteba
behavioral2/memory/2200-301-0x0000000000400000-0x0000000000ECD000-memory.dmp	family_glupteba
behavioral2/memory/2200-303-0x0000000002FF0000-0x00000000038DB000-memory.dmp	family_glupteba
behavioral2/memory/4380-305-0x0000000003000000-0x00000000038EB000-memory.dmp	family_glupteba
behavioral2/memory/4380-306-0x0000000000400000-0x0000000000ECD000-memory.dmp	family_glupteba
behavioral2/memory/4380-801-0x0000000000400000-0x0000000000ECD000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3540	netsh.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4512	powershell.exe
4512	powershell.exe
4512	powershell.exe
2200	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
2200	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
416	powershell.exe
416	powershell.exe
416	powershell.exe
4380	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
4380	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
4380	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
4380	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
4380	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
4380	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
4380	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
4380	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
4380	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
4380	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
3372	powershell.exe
3372	powershell.exe
3372	powershell.exe
200	powershell.exe
200	powershell.exe
200	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	2200	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Token: SeImpersonatePrivilege	2200	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
Token: SeDebugPrivilege	416	powershell.exe
Token: SeDebugPrivilege	3372	powershell.exe
Token: SeDebugPrivilege	200	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 4512	2200	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe	76
PID 2200 wrote to memory of 4512	2200	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe	76
PID 2200 wrote to memory of 4512	2200	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe	76
PID 4380 wrote to memory of 416	4380	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe	81
PID 4380 wrote to memory of 416	4380	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe	81
PID 4380 wrote to memory of 416	4380	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe	81
PID 4380 wrote to memory of 1020	4380	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe	83
PID 4380 wrote to memory of 1020	4380	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe	83
PID 1020 wrote to memory of 3540	1020	cmd.exe	85
PID 1020 wrote to memory of 3540	1020	cmd.exe	85
PID 4380 wrote to memory of 3372	4380	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe	86
PID 4380 wrote to memory of 3372	4380	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe	86
PID 4380 wrote to memory of 3372	4380	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe	86
PID 4380 wrote to memory of 200	4380	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe	88
PID 4380 wrote to memory of 200	4380	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe	88
PID 4380 wrote to memory of 200	4380	cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe	88

C:\Users\Admin\AppData\Local\Temp\cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
"C:\Users\Admin\AppData\Local\Temp\cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4512
- C:\Users\Admin\AppData\Local\Temp\cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe
  "C:\Users\Admin\AppData\Local\Temp\cb7714b8f51c3ca98968cea277e9bd966936f728370795b6bfd5af3ad9906eeb.exe"
  2⤵
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:416
- - C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Modifies data under HKEY_USERS
      PID:3540
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3372
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x3bs0akx.sv0.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
b85754663510b52aa718fb2feac8ad8b

SHA1
bfcb7a34f5f0183727e0051957cdc32fd27287c4

SHA256
832e9beaf7841db709f17877d7622666d372a2fe4e58c33f9d5b3c12115941a1

SHA512
64ed24d935bbfa99ac20c433801722a6e0ae8ba45194076191d91c4a91ded6997995449030d704a7fb5c9443316ed332e7051729c6559466baf4c911000f3f65

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
4baea937d1c2954c1b23b972fe5e12c4

SHA1
767312931877c9a20341920ab40efdf6c56af70c

SHA256
322955e28d890040ddbc52e51593bac1c7eb8d683234c1d088d22254fc92ed94

SHA512
bdb46576668464692a23d92e18c0244a63acb93403f2fbece23e7c2614e8123653d1f3e9aa9354941cd1e6c9272a332022c44a0084ec7a54b8ca7fb7918ab784

Download Submit
memory/200-1037-0x0000000073AD0000-0x00000000741BE000-memory.dmp

Filesize
6.9MB

Download
memory/200-822-0x0000000070800000-0x000000007084B000-memory.dmp

Filesize
300KB

Download
memory/200-828-0x0000000007080000-0x0000000007090000-memory.dmp

Filesize
64KB

Download
memory/200-823-0x0000000070850000-0x0000000070BA0000-memory.dmp

Filesize
3.3MB

Download
memory/200-821-0x000000007EAF0000-0x000000007EB00000-memory.dmp

Filesize
64KB

Download
memory/200-800-0x0000000007080000-0x0000000007090000-memory.dmp

Filesize
64KB

Download
memory/200-798-0x0000000073AD0000-0x00000000741BE000-memory.dmp

Filesize
6.9MB

Download
memory/200-799-0x0000000007080000-0x0000000007090000-memory.dmp

Filesize
64KB

Download
memory/416-334-0x0000000070850000-0x0000000070BA0000-memory.dmp

Filesize
3.3MB

Download
memory/416-339-0x0000000008E20000-0x0000000008EC5000-memory.dmp

Filesize
660KB

Download
memory/416-310-0x0000000004300000-0x0000000004310000-memory.dmp

Filesize
64KB

Download
memory/416-311-0x0000000004300000-0x0000000004310000-memory.dmp

Filesize
64KB

Download
memory/416-312-0x0000000007350000-0x00000000076A0000-memory.dmp

Filesize
3.3MB

Download
memory/416-313-0x00000000078B0000-0x00000000078FB000-memory.dmp

Filesize
300KB

Download
memory/416-332-0x000000007E790000-0x000000007E7A0000-memory.dmp

Filesize
64KB

Download
memory/416-333-0x0000000070800000-0x000000007084B000-memory.dmp

Filesize
300KB

Download
memory/416-309-0x0000000073AD0000-0x00000000741BE000-memory.dmp

Filesize
6.9MB

Download
memory/416-550-0x0000000073AD0000-0x00000000741BE000-memory.dmp

Filesize
6.9MB

Download
memory/416-340-0x0000000004300000-0x0000000004310000-memory.dmp

Filesize
64KB

Download
memory/2200-3-0x0000000000400000-0x0000000000ECD000-memory.dmp

Filesize
10.8MB

Download
memory/2200-2-0x0000000002FF0000-0x00000000038DB000-memory.dmp

Filesize
8.9MB

Download
memory/2200-301-0x0000000000400000-0x0000000000ECD000-memory.dmp

Filesize
10.8MB

Download
memory/2200-303-0x0000000002FF0000-0x00000000038DB000-memory.dmp

Filesize
8.9MB

Download
memory/2200-1-0x0000000002BE0000-0x0000000002FE8000-memory.dmp

Filesize
4.0MB

Download
memory/3372-553-0x0000000073AD0000-0x00000000741BE000-memory.dmp

Filesize
6.9MB

Download
memory/3372-582-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/3372-574-0x0000000070800000-0x000000007084B000-memory.dmp

Filesize
300KB

Download
memory/3372-577-0x0000000070850000-0x0000000070BA0000-memory.dmp

Filesize
3.3MB

Download
memory/3372-576-0x000000007F150000-0x000000007F160000-memory.dmp

Filesize
64KB

Download
memory/3372-795-0x0000000073AD0000-0x00000000741BE000-memory.dmp

Filesize
6.9MB

Download
memory/4380-304-0x0000000002B00000-0x0000000002EF9000-memory.dmp

Filesize
4.0MB

Download
memory/4380-306-0x0000000000400000-0x0000000000ECD000-memory.dmp

Filesize
10.8MB

Download
memory/4380-305-0x0000000003000000-0x00000000038EB000-memory.dmp

Filesize
8.9MB

Download
memory/4380-801-0x0000000000400000-0x0000000000ECD000-memory.dmp

Filesize
10.8MB

Download
memory/4380-575-0x0000000002B00000-0x0000000002EF9000-memory.dmp

Filesize
4.0MB

Download
memory/4512-82-0x0000000009BB0000-0x0000000009C55000-memory.dmp

Filesize
660KB

Download
memory/4512-35-0x0000000008020000-0x000000000805C000-memory.dmp

Filesize
240KB

Download
memory/4512-83-0x00000000067F0000-0x0000000006800000-memory.dmp

Filesize
64KB

Download
memory/4512-277-0x0000000009D20000-0x0000000009D3A000-memory.dmp

Filesize
104KB

Download
memory/4512-77-0x0000000009B50000-0x0000000009B6E000-memory.dmp

Filesize
120KB

Download
memory/4512-76-0x0000000070730000-0x0000000070A80000-memory.dmp

Filesize
3.3MB

Download
memory/4512-75-0x00000000706E0000-0x000000007072B000-memory.dmp

Filesize
300KB

Download
memory/4512-74-0x0000000009B70000-0x0000000009BA3000-memory.dmp

Filesize
204KB

Download
memory/4512-282-0x0000000009D10000-0x0000000009D18000-memory.dmp

Filesize
32KB

Download
memory/4512-73-0x000000007E820000-0x000000007E830000-memory.dmp

Filesize
64KB

Download
memory/4512-66-0x0000000008E00000-0x0000000008E76000-memory.dmp

Filesize
472KB

Download
memory/4512-84-0x0000000009DA0000-0x0000000009E34000-memory.dmp

Filesize
592KB

Download
memory/4512-16-0x0000000008110000-0x000000000815B000-memory.dmp

Filesize
300KB

Download
memory/4512-15-0x0000000007BC0000-0x0000000007BDC000-memory.dmp

Filesize
112KB

Download
memory/4512-14-0x00000000076E0000-0x0000000007A30000-memory.dmp

Filesize
3.3MB

Download
memory/4512-13-0x0000000007670000-0x00000000076D6000-memory.dmp

Filesize
408KB

Download
memory/4512-12-0x0000000007500000-0x0000000007566000-memory.dmp

Filesize
408KB

Download
memory/4512-300-0x00000000739D0000-0x00000000740BE000-memory.dmp

Filesize
6.9MB

Download
memory/4512-11-0x0000000007460000-0x0000000007482000-memory.dmp

Filesize
136KB

Download
memory/4512-10-0x0000000006E30000-0x0000000007458000-memory.dmp

Filesize
6.2MB

Download
memory/4512-9-0x00000000067F0000-0x0000000006800000-memory.dmp

Filesize
64KB

Download
memory/4512-8-0x00000000067F0000-0x0000000006800000-memory.dmp

Filesize
64KB

Download
memory/4512-7-0x00000000739D0000-0x00000000740BE000-memory.dmp

Filesize
6.9MB

Download
memory/4512-6-0x0000000006750000-0x0000000006786000-memory.dmp

Filesize
216KB

Download