glupteba | efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc

General

Target

efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Size

4.2MB
MD5

1d74dbbae5bf066eb22ed98eba77e930
SHA1

efca87f334f55ffecb92e598f561423186f724b3
SHA256

efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc
SHA512

69b040807f008a4c40d12320e3df34655a8c64771456f3d20f47b9fe059a5728636629fbc13667acd22aa1b65846385a6ce96a8a6be0847e25db2002756f85ac
SSDEEP

49152:BKOdvREmi8iTwPpeYBnAu4QJI7RESGN2UNQnUyHdr+bW0USBgrsqhT/DWSjgq2Sf:oOLEfT6eYBhfhWV+b2vbWNq2SbuhRq

Score

10^/10

glupteba dropper loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3388-2-0x00000000040D0000-0x00000000049BB000-memory.dmp	family_glupteba
behavioral2/memory/3388-3-0x0000000000400000-0x0000000001DF9000-memory.dmp	family_glupteba
behavioral2/memory/3388-53-0x00000000040D0000-0x00000000049BB000-memory.dmp	family_glupteba
behavioral2/memory/2808-55-0x0000000000400000-0x0000000001DF9000-memory.dmp	family_glupteba

Modifies data under HKEY_USERS 64 IoCs

Processes:

efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeefde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe

pid	process
1636	powershell.exe
1636	powershell.exe
3388	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
3388	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exeefde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe

description	pid	process
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	3388	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
Token: SeImpersonatePrivilege	3388	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe

description	pid	process	target process
PID 3388 wrote to memory of 1636	3388	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe	powershell.exe
PID 3388 wrote to memory of 1636	3388	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe	powershell.exe
PID 3388 wrote to memory of 1636	3388	efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
"C:\Users\Admin\AppData\Local\Temp\efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Users\Admin\AppData\Local\Temp\efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe
"C:\Users\Admin\AppData\Local\Temp\efde6e7339bba5d9a33f8dfd084f6d2209dbe7960ed8bf7960c05fe7d7de9acc.exe"
2⤵
- Modifies data under HKEY_USERS
PID:2808

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m3bednkk.tfa.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1636-26-0x0000000070D90000-0x0000000070DDC000-memory.dmp

Filesize
304KB

Download
memory/1636-5-0x00000000028E0000-0x0000000002916000-memory.dmp

Filesize
216KB

Download
memory/1636-25-0x00000000071A0000-0x00000000071D4000-memory.dmp

Filesize
208KB

Download
memory/1636-50-0x0000000074B20000-0x00000000752D1000-memory.dmp

Filesize
7.7MB

Download
memory/1636-6-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/1636-7-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/1636-8-0x0000000005080000-0x00000000056AA000-memory.dmp

Filesize
6.2MB

Download
memory/1636-9-0x0000000004EE0000-0x0000000004F02000-memory.dmp

Filesize
136KB

Download
memory/1636-10-0x0000000004F80000-0x0000000004FE6000-memory.dmp

Filesize
408KB

Download
memory/1636-11-0x0000000004FF0000-0x0000000005056000-memory.dmp

Filesize
408KB

Download
memory/1636-12-0x0000000005870000-0x0000000005BC7000-memory.dmp

Filesize
3.3MB

Download
memory/1636-47-0x0000000007480000-0x0000000007488000-memory.dmp

Filesize
32KB

Download
memory/1636-21-0x0000000005D90000-0x0000000005DAE000-memory.dmp

Filesize
120KB

Download
memory/1636-22-0x0000000005DD0000-0x0000000005E1C000-memory.dmp

Filesize
304KB

Download
memory/1636-23-0x00000000062E0000-0x0000000006326000-memory.dmp

Filesize
280KB

Download
memory/1636-24-0x000000007FB80000-0x000000007FB90000-memory.dmp

Filesize
64KB

Download
memory/1636-4-0x0000000074B20000-0x00000000752D1000-memory.dmp

Filesize
7.7MB

Download
memory/1636-27-0x0000000070FE0000-0x0000000071337000-memory.dmp

Filesize
3.3MB

Download
memory/1636-46-0x0000000007460000-0x000000000747A000-memory.dmp

Filesize
104KB

Download
memory/1636-37-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/1636-36-0x0000000007200000-0x000000000721E000-memory.dmp

Filesize
120KB

Download
memory/1636-38-0x0000000007220000-0x00000000072C4000-memory.dmp

Filesize
656KB

Download
memory/1636-39-0x0000000007990000-0x000000000800A000-memory.dmp

Filesize
6.5MB

Download
memory/1636-40-0x0000000007350000-0x000000000736A000-memory.dmp

Filesize
104KB

Download
memory/1636-41-0x0000000007390000-0x000000000739A000-memory.dmp

Filesize
40KB

Download
memory/1636-42-0x00000000074A0000-0x0000000007536000-memory.dmp

Filesize
600KB

Download
memory/1636-43-0x00000000073B0000-0x00000000073C1000-memory.dmp

Filesize
68KB

Download
memory/1636-44-0x0000000007400000-0x000000000740E000-memory.dmp

Filesize
56KB

Download
memory/1636-45-0x0000000007410000-0x0000000007425000-memory.dmp

Filesize
84KB

Download
memory/2808-54-0x0000000003CB0000-0x00000000040B3000-memory.dmp

Filesize
4.0MB

Download
memory/2808-55-0x0000000000400000-0x0000000001DF9000-memory.dmp

Filesize
26.0MB

Download
memory/3388-3-0x0000000000400000-0x0000000001DF9000-memory.dmp

Filesize
26.0MB

Download
memory/3388-2-0x00000000040D0000-0x00000000049BB000-memory.dmp

Filesize
8.9MB

Download
memory/3388-1-0x0000000003CC0000-0x00000000040C2000-memory.dmp

Filesize
4.0MB

Download
memory/3388-52-0x0000000003CC0000-0x00000000040C2000-memory.dmp

Filesize
4.0MB

Download
memory/3388-53-0x00000000040D0000-0x00000000049BB000-memory.dmp

Filesize
8.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads