glupteba | 1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd

Analysis

max time kernel
45s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Size

4.2MB
MD5

2b79cc8cc1043e846fec6f9c55e9b8f3
SHA1

f9512bf94642f3d26b631ad74ff57d3c35c10bdf
SHA256

1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd
SHA512

f475d367267d4f74b3ecf758c1b434ce60f54bb7d3fd74c8e14748161fbcad80d255fdf703ff7d7314b0a7fbb7b17c006eeae6596772d4b3df072fb0138f50b9
SSDEEP

98304:NIBNXOOfwLGhP6KRoj027D5HGyNAiNcOh9MZ99WifgA28ff94ZO:Ujfa7j0YDNAHCC9Miz28ffp

Score

10^/10

glupteba dropper evasion loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/636-2-0x0000000005260000-0x0000000005B4B000-memory.dmp	family_glupteba
behavioral1/memory/636-3-0x0000000000400000-0x0000000003111000-memory.dmp	family_glupteba
behavioral1/memory/636-9-0x0000000000400000-0x0000000003111000-memory.dmp	family_glupteba
behavioral1/memory/636-26-0x0000000005260000-0x0000000005B4B000-memory.dmp	family_glupteba
behavioral1/memory/636-31-0x0000000000400000-0x0000000003111000-memory.dmp	family_glupteba
behavioral1/memory/636-50-0x0000000000400000-0x0000000003111000-memory.dmp	family_glupteba
behavioral1/memory/3180-61-0x0000000000400000-0x0000000003111000-memory.dmp	family_glupteba
behavioral1/memory/636-90-0x0000000000400000-0x0000000003111000-memory.dmp	family_glupteba
behavioral1/memory/3180-110-0x0000000000400000-0x0000000003111000-memory.dmp	family_glupteba
behavioral1/memory/3180-123-0x0000000000400000-0x0000000003111000-memory.dmp	family_glupteba
behavioral1/memory/3180-157-0x0000000000400000-0x0000000003111000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2304 netsh.exe

pid	process
2304	netsh.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

powershell.exe1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exepowershell.exe1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exepowershell.exe

pid	process
3712	powershell.exe
3712	powershell.exe
636	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
636	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3180	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
3180	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
3180	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
3180	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
3180	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
3180	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
3180	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
3180	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
3180	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
3180	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
2068	powershell.exe
2068	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exe1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3712	powershell.exe
Token: SeDebugPrivilege	636	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Token: SeImpersonatePrivilege	636	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
Token: SeDebugPrivilege	3148	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.execmd.exe

description	pid	process	target process
PID 636 wrote to memory of 3712	636	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe	powershell.exe
PID 636 wrote to memory of 3712	636	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe	powershell.exe
PID 636 wrote to memory of 3712	636	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe	powershell.exe
PID 3180 wrote to memory of 3148	3180	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe	powershell.exe
PID 3180 wrote to memory of 3148	3180	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe	powershell.exe
PID 3180 wrote to memory of 3148	3180	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe	powershell.exe
PID 3180 wrote to memory of 3628	3180	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe	cmd.exe
PID 3180 wrote to memory of 3628	3180	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe	cmd.exe
PID 3628 wrote to memory of 2304	3628	cmd.exe	netsh.exe
PID 3628 wrote to memory of 2304	3628	cmd.exe	netsh.exe
PID 3180 wrote to memory of 2068	3180	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe	powershell.exe
PID 3180 wrote to memory of 2068	3180	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe	powershell.exe
PID 3180 wrote to memory of 2068	3180	1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
"C:\Users\Admin\AppData\Local\Temp\1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Users\Admin\AppData\Local\Temp\1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe
"C:\Users\Admin\AppData\Local\Temp\1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd.exe"
2⤵
- Checks for VirtualBox DLLs, possible anti-VM trick
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3148

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:2304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:4144

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
PID:1484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:1192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3708 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mrpwzqaa.u2f.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
7cd67b018e7e2eb6634792c45bdca101

SHA1
a012037b6dcec23aa39e94b6aa2ca480d5c0cf9d

SHA256
105ec6966ebce6bfd3fe20d952028a069cf690ae67f4f6f3413386dac235833b

SHA512
acaed1ed5dd7018e7af53ebcc091974295311adc41303699d93515db2fb1b90e298314f8a20c71d698824726ba07d66c6dd1da65b84702f5d700a52413780033

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
177c6a71c502bd18d7c59537aacb03ab

SHA1
9d80cf3b9e127e31e88529eb67a147d6d379442b

SHA256
a483b0d8999aa83ff425bbe7a220939d3d3927e155d8de3b67ec6f7d6800c35c

SHA512
5c6acdfb9f4188f056f3758c1128df0051e80e6d01fbb42a8aa6e308473ce9d6085138953632d181207ac23a1baf12ace08815311ffe1f5bb78235fc2337f43e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
9aa93ac57df814309c3f69d88480cc5b

SHA1
37dede2c77cc8f3affcbd766986a6441aaa78d5a

SHA256
08f76323ef918b2f81c94d0b2959980d0e5c7fb627839fc4c3eab3d24fc4f73d

SHA512
c013ea3eaf477545280e964085dd6e4c84184200f9df22636a926afd5684e827dd25ea5a912f6296ecc48448bc009a9c0252f3728430017993debd51eb776dde

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.2MB

MD5
2b79cc8cc1043e846fec6f9c55e9b8f3

SHA1
f9512bf94642f3d26b631ad74ff57d3c35c10bdf

SHA256
1c374a4912aecb61ea99db9b0c9b36010c6de304fecd6ee97ad169f2eb098dfd

SHA512
f475d367267d4f74b3ecf758c1b434ce60f54bb7d3fd74c8e14748161fbcad80d255fdf703ff7d7314b0a7fbb7b17c006eeae6596772d4b3df072fb0138f50b9

Download Submit
memory/636-50-0x0000000000400000-0x0000000003111000-memory.dmp

Filesize
45.1MB

Download
memory/636-90-0x0000000000400000-0x0000000003111000-memory.dmp

Filesize
45.1MB

Download
memory/636-3-0x0000000000400000-0x0000000003111000-memory.dmp

Filesize
45.1MB

Download
memory/636-2-0x0000000005260000-0x0000000005B4B000-memory.dmp

Filesize
8.9MB

Download
memory/636-31-0x0000000000400000-0x0000000003111000-memory.dmp

Filesize
45.1MB

Download
memory/636-9-0x0000000000400000-0x0000000003111000-memory.dmp

Filesize
45.1MB

Download
memory/636-1-0x0000000004E60000-0x000000000525C000-memory.dmp

Filesize
4.0MB

Download
memory/636-26-0x0000000005260000-0x0000000005B4B000-memory.dmp

Filesize
8.9MB

Download
memory/636-25-0x0000000004E60000-0x000000000525C000-memory.dmp

Filesize
4.0MB

Download
memory/2068-96-0x0000000002840000-0x0000000002850000-memory.dmp

Filesize
64KB

Download
memory/2068-97-0x0000000002840000-0x0000000002850000-memory.dmp

Filesize
64KB

Download
memory/2068-111-0x0000000002840000-0x0000000002850000-memory.dmp

Filesize
64KB

Download
memory/2068-108-0x00000000058D0000-0x0000000005C24000-memory.dmp

Filesize
3.3MB

Download
memory/2068-112-0x00000000707D0000-0x000000007081C000-memory.dmp

Filesize
304KB

Download
memory/2068-125-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/2068-95-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/2068-113-0x0000000070950000-0x0000000070CA4000-memory.dmp

Filesize
3.3MB

Download
memory/3148-89-0x0000000007F30000-0x0000000007F44000-memory.dmp

Filesize
80KB

Download
memory/3148-75-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/3148-63-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/3148-93-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/3148-62-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/3148-64-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/3148-88-0x0000000007EC0000-0x0000000007ED1000-memory.dmp

Filesize
68KB

Download
memory/3148-87-0x0000000007B90000-0x0000000007C33000-memory.dmp

Filesize
652KB

Download
memory/3148-77-0x0000000070970000-0x0000000070CC4000-memory.dmp

Filesize
3.3MB

Download
memory/3148-74-0x0000000006360000-0x00000000066B4000-memory.dmp

Filesize
3.3MB

Download
memory/3148-76-0x00000000707D0000-0x000000007081C000-memory.dmp

Filesize
304KB

Download
memory/3180-110-0x0000000000400000-0x0000000003111000-memory.dmp

Filesize
45.1MB

Download
memory/3180-157-0x0000000000400000-0x0000000003111000-memory.dmp

Filesize
45.1MB

Download
memory/3180-98-0x0000000004D80000-0x0000000005188000-memory.dmp

Filesize
4.0MB

Download
memory/3180-61-0x0000000000400000-0x0000000003111000-memory.dmp

Filesize
45.1MB

Download
memory/3180-123-0x0000000000400000-0x0000000003111000-memory.dmp

Filesize
45.1MB

Download
memory/3180-60-0x0000000004D80000-0x0000000005188000-memory.dmp

Filesize
4.0MB

Download
memory/3712-28-0x0000000006BF0000-0x0000000006C66000-memory.dmp

Filesize
472KB

Download
memory/3712-29-0x0000000008080000-0x00000000086FA000-memory.dmp

Filesize
6.5MB

Download
memory/3712-55-0x0000000007DC0000-0x0000000007DC8000-memory.dmp

Filesize
32KB

Download
memory/3712-54-0x0000000007DD0000-0x0000000007DEA000-memory.dmp

Filesize
104KB

Download
memory/3712-53-0x0000000007D90000-0x0000000007DA4000-memory.dmp

Filesize
80KB

Download
memory/3712-52-0x0000000007D70000-0x0000000007D7E000-memory.dmp

Filesize
56KB

Download
memory/3712-51-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/3712-49-0x0000000007D30000-0x0000000007D41000-memory.dmp

Filesize
68KB

Download
memory/3712-48-0x0000000007E30000-0x0000000007EC6000-memory.dmp

Filesize
600KB

Download
memory/3712-47-0x0000000007D20000-0x0000000007D2A000-memory.dmp

Filesize
40KB

Download
memory/3712-46-0x0000000007C30000-0x0000000007CD3000-memory.dmp

Filesize
652KB

Download
memory/3712-45-0x0000000007BD0000-0x0000000007BEE000-memory.dmp

Filesize
120KB

Download
memory/3712-35-0x0000000070EF0000-0x0000000071244000-memory.dmp

Filesize
3.3MB

Download
memory/3712-34-0x00000000707D0000-0x000000007081C000-memory.dmp

Filesize
304KB

Download
memory/3712-33-0x0000000007BF0000-0x0000000007C22000-memory.dmp

Filesize
200KB

Download
memory/3712-32-0x000000007FAC0000-0x000000007FAD0000-memory.dmp

Filesize
64KB

Download
memory/3712-30-0x0000000006B50000-0x0000000006B6A000-memory.dmp

Filesize
104KB

Download
memory/3712-58-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/3712-27-0x0000000003150000-0x0000000003160000-memory.dmp

Filesize
64KB

Download
memory/3712-24-0x0000000006A10000-0x0000000006A54000-memory.dmp

Filesize
272KB

Download
memory/3712-23-0x00000000066F0000-0x000000000673C000-memory.dmp

Filesize
304KB

Download
memory/3712-22-0x0000000006650000-0x000000000666E000-memory.dmp

Filesize
120KB

Download
memory/3712-17-0x0000000005FE0000-0x0000000006334000-memory.dmp

Filesize
3.3MB

Download
memory/3712-11-0x0000000005E40000-0x0000000005EA6000-memory.dmp

Filesize
408KB

Download
memory/3712-10-0x0000000005EB0000-0x0000000005F16000-memory.dmp

Filesize
408KB

Download
memory/3712-8-0x00000000055D0000-0x00000000055F2000-memory.dmp

Filesize
136KB

Download
memory/3712-4-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/3712-5-0x0000000003150000-0x0000000003160000-memory.dmp

Filesize
64KB

Download
memory/3712-6-0x0000000003000000-0x0000000003036000-memory.dmp

Filesize
216KB

Download
memory/3712-7-0x0000000005810000-0x0000000005E38000-memory.dmp

Filesize
6.2MB

Download
memory/4144-134-0x00000000054E0000-0x0000000005834000-memory.dmp

Filesize
3.3MB

Download
memory/4144-140-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/4144-141-0x00000000707D0000-0x000000007081C000-memory.dmp

Filesize
304KB

Download
memory/4144-128-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/4144-127-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/4144-126-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download