Analysis

max time kernel: 152s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/04/2024, 22:18

Static task: static1
Behavioral task: behavioral1
Sample: 63ce7e2a7f6c57e6fe2e118f5778f61c6a5e9d49474b56a2b994524639c72e43.exe
Resource: win7-20240220-en
General

Target: 63ce7e2a7f6c57e6fe2e118f5778f61c6a5e9d49474b56a2b994524639c72e43.exe
Size: 4.2MB
MD5: 1765eea0ab2534803ef6c66bc577050e
SHA1: 125c83448ae731cae23bf610c10442c6f65142f2
SHA256: 63ce7e2a7f6c57e6fe2e118f5778f61c6a5e9d49474b56a2b994524639c72e43
SHA512: f7d6c60c886d6b3683cfaec2bdf7fde5027dd9bb80de59266a758262eebbf8f102ecdd73448841813e446c79c780a3401e24196cbd332d5c66fa99fcd376ace1
SSDEEP: 98304:8U3hL1ts8dbSY9vNf0GiZt5Zc1goZjyjpOQ2UuV2d5K67AFdMy:NxL1dd9NNfxiZt5CKGmjpOQTQe7Dy
Malware Config
Signatures

Glupteba payload (9 IoCs)
resource                                                                      yara_rule
behavioral2/memory/3264-2-0x00000000051D0000-0x0000000005ABB000-memory.dmp    family_glupteba
behavioral2/memory/3264-3-0x0000000000400000-0x0000000003009000-memory.dmp    family_glupteba
behavioral2/memory/3264-4-0x0000000000400000-0x0000000003009000-memory.dmp    family_glupteba
behavioral2/memory/3264-5-0x0000000000400000-0x0000000003009000-memory.dmp    family_glupteba
behavioral2/memory/3264-7-0x00000000051D0000-0x0000000005ABB000-memory.dmp    family_glupteba
behavioral2/memory/3264-43-0x0000000000400000-0x0000000003009000-memory.dmp   family_glupteba
behavioral2/memory/3264-62-0x0000000000400000-0x0000000003009000-memory.dmp   family_glupteba
behavioral2/memory/3264-73-0x0000000000400000-0x0000000003009000-memory.dmp   family_glupteba
behavioral2/memory/4144-76-0x0000000000400000-0x0000000003009000-memory.dmp   family_glupteba

Detects Windows executables referencing non-Windows User-Agents (7 IoCs)
resource                                                                      yara_rule
behavioral2/memory/3264-3-0x0000000000400000-0x0000000003009000-memory.dmp    INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3264-4-0x0000000000400000-0x0000000003009000-memory.dmp    INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3264-5-0x0000000000400000-0x0000000003009000-memory.dmp    INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3264-43-0x0000000000400000-0x0000000003009000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3264-62-0x0000000000400000-0x0000000003009000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3264-73-0x0000000000400000-0x0000000003009000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4144-76-0x0000000000400000-0x0000000003009000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables containing a Discord URL observed in first-stage droppers (7 IoCs)
resource                                                                      yara_rule
behavioral2/memory/3264-3-0x0000000000400000-0x0000000003009000-memory.dmp    INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/3264-4-0x0000000000400000-0x0000000003009000-memory.dmp    INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/3264-5-0x0000000000400000-0x0000000003009000-memory.dmp    INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/3264-43-0x0000000000400000-0x0000000003009000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/3264-62-0x0000000000400000-0x0000000003009000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/3264-73-0x0000000000400000-0x0000000003009000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/4144-76-0x0000000000400000-0x0000000003009000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_DiscordURL

Detects executables containing URLs to raw contents of a GitHub gist (7 IoCs)
resource                                                                      yara_rule
behavioral2/memory/3264-3-0x0000000000400000-0x0000000003009000-memory.dmp    INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3264-4-0x0000000000400000-0x0000000003009000-memory.dmp    INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3264-5-0x0000000000400000-0x0000000003009000-memory.dmp    INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3264-43-0x0000000000400000-0x0000000003009000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3264-62-0x0000000000400000-0x0000000003009000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3264-73-0x0000000000400000-0x0000000003009000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4144-76-0x0000000000400000-0x0000000003009000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

Detects executables containing artifacts associated with disabling Windows Defender (7 IoCs)
resource                                                                      yara_rule
behavioral2/memory/3264-3-0x0000000000400000-0x0000000003009000-memory.dmp    INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/3264-4-0x0000000000400000-0x0000000003009000-memory.dmp    INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/3264-5-0x0000000000400000-0x0000000003009000-memory.dmp    INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/3264-43-0x0000000000400000-0x0000000003009000-memory.dmp   INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/3264-62-0x0000000000400000-0x0000000003009000-memory.dmp   INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/3264-73-0x0000000000400000-0x0000000003009000-memory.dmp   INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/4144-76-0x0000000000400000-0x0000000003009000-memory.dmp   INDICATOR_SUSPICIOUS_DisableWinDefender

Detects executables referencing many varying, potentially fake Windows User-Agents (7 IoCs)
resource                                                                      yara_rule
behavioral2/memory/3264-3-0x0000000000400000-0x0000000003009000-memory.dmp    INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/3264-4-0x0000000000400000-0x0000000003009000-memory.dmp    INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/3264-5-0x0000000000400000-0x0000000003009000-memory.dmp    INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/3264-43-0x0000000000400000-0x0000000003009000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/3264-62-0x0000000000400000-0x0000000003009000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/3264-73-0x0000000000400000-0x0000000003009000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/4144-76-0x0000000000400000-0x0000000003009000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA

Program crash (1 IoC)
pid    pid_target    Process         procid_target
2924   3264          WerFault.exe    90

Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses (7 IoCs)
pid    Process
2484   powershell.exe
2484   powershell.exe
3264   63ce7e2a7f6c57e6fe2e118f5778f61c6a5e9d49474b56a2b994524639c72e43.exe
3264   63ce7e2a7f6c57e6fe2e118f5778f61c6a5e9d49474b56a2b994524639c72e43.exe
4168   powershell.exe
4168   powershell.exe
4168   powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description                     pid    Process
Token: SeDebugPrivilege         2484   powershell.exe
Token: SeDebugPrivilege         3264   63ce7e2a7f6c57e6fe2e118f5778f61c6a5e9d49474b56a2b994524639c72e43.exe
Token: SeImpersonatePrivilege   3264   63ce7e2a7f6c57e6fe2e118f5778f61c6a5e9d49474b56a2b994524639c72e43.exe
Token: SeDebugPrivilege         4168   powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                        pid    Process                                                                 procid_target
PID 3264 wrote to memory of 2484   3264   63ce7e2a7f6c57e6fe2e118f5778f61c6a5e9d49474b56a2b994524639c72e43.exe   92
PID 3264 wrote to memory of 2484   3264   63ce7e2a7f6c57e6fe2e118f5778f61c6a5e9d49474b56a2b994524639c72e43.exe   92
PID 3264 wrote to memory of 2484   3264   63ce7e2a7f6c57e6fe2e118f5778f61c6a5e9d49474b56a2b994524639c72e43.exe   92
PID 4144 wrote to memory of 4168   4144   63ce7e2a7f6c57e6fe2e118f5778f61c6a5e9d49474b56a2b994524639c72e43.exe   109
PID 4144 wrote to memory of 4168   4144   63ce7e2a7f6c57e6fe2e118f5778f61c6a5e9d49474b56a2b994524639c72e43.exe   109
PID 4144 wrote to memory of 4168   4144   63ce7e2a7f6c57e6fe2e118f5778f61c6a5e9d49474b56a2b994524639c72e43.exe   109
Processes
(indentation shows the parent/child relationship between processes)

C:\Users\Admin\AppData\Local\Temp\63ce7e2a7f6c57e6fe2e118f5778f61c6a5e9d49474b56a2b994524639c72e43.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\63ce7e2a7f6c57e6fe2e118f5778f61c6a5e9d49474b56a2b994524639c72e43.exe"
    PID: 3264
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        PID: 2484
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\63ce7e2a7f6c57e6fe2e118f5778f61c6a5e9d49474b56a2b994524639c72e43.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\63ce7e2a7f6c57e6fe2e118f5778f61c6a5e9d49474b56a2b994524639c72e43.exe"
        PID: 4144
        - Modifies data under HKEY_USERS
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -nologo -noprofile
            PID: 4168
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 780
        PID: 2924
        - Program crash

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
    PID: 2796

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3264 -ip 3264
    PID: 1968
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82