glupteba | 9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9

Analysis

max time kernel
15s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
20-04-2024 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Size

4.2MB
MD5

80df3dfe061cc8643c3028c9d9ebcda8
SHA1

070fbaa876f3921e3046969f93464ece33940fb6
SHA256

9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9
SHA512

1c4b3f81446dc6687703a036d751e51cc324f59902b73932e1b9eac4958da3186ddbda799bf62311b06e1eb599082849b2b9137044b2ea48f29399ae0762c53f
SSDEEP

98304:jVFRqPMdPA984H0WMAw6acMgLNchhd+W2lPIIo31xn1vrLR/3Lzs:ZFYkS+E0uawLNQ+/9Bo7/c

Score

10^/10

glupteba dropper evasion loader persistence

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3896-2-0x0000000004090000-0x000000000497B000-memory.dmp	family_glupteba
behavioral2/memory/3896-3-0x0000000000400000-0x0000000001DFF000-memory.dmp	family_glupteba
behavioral2/memory/1792-54-0x0000000003FA0000-0x000000000488B000-memory.dmp	family_glupteba
behavioral2/memory/1792-55-0x0000000000400000-0x0000000001DFF000-memory.dmp	family_glupteba
behavioral2/memory/3896-66-0x0000000000400000-0x0000000001DFF000-memory.dmp	family_glupteba
behavioral2/memory/1792-149-0x0000000000400000-0x0000000001DFF000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4012 netsh.exe
Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

968 csrss.exe

pid	process
4012	netsh.exe

pid	process
968	csrss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe

Drops file in Windows directory 2 IoCs

Processes:

9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe

description	ioc	process
File opened for modification	C:\Windows\rss	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
File created	C:\Windows\rss\csrss.exe	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

powershell.exe9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exepowershell.exe9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exepowershell.exepowershell.exe

pid	process
4832	powershell.exe
4832	powershell.exe
3896	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
3896	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
2124	powershell.exe
2124	powershell.exe
1792	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
1792	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
1792	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
1792	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
1792	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
1792	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
1792	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
1792	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
1792	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
1792	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
2600	powershell.exe
2600	powershell.exe
3212	powershell.exe
3212	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exe9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	3896	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Token: SeImpersonatePrivilege	3896	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	3212	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.execmd.exe

description	pid	process	target process
PID 3896 wrote to memory of 4832	3896	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe	powershell.exe
PID 3896 wrote to memory of 4832	3896	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe	powershell.exe
PID 3896 wrote to memory of 4832	3896	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe	powershell.exe
PID 1792 wrote to memory of 2124	1792	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe	powershell.exe
PID 1792 wrote to memory of 2124	1792	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe	powershell.exe
PID 1792 wrote to memory of 2124	1792	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe	powershell.exe
PID 1792 wrote to memory of 3344	1792	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe	cmd.exe
PID 1792 wrote to memory of 3344	1792	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe	cmd.exe
PID 3344 wrote to memory of 4012	3344	cmd.exe	netsh.exe
PID 3344 wrote to memory of 4012	3344	cmd.exe	netsh.exe
PID 1792 wrote to memory of 2600	1792	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe	powershell.exe
PID 1792 wrote to memory of 2600	1792	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe	powershell.exe
PID 1792 wrote to memory of 2600	1792	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe	powershell.exe
PID 1792 wrote to memory of 3212	1792	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe	powershell.exe
PID 1792 wrote to memory of 3212	1792	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe	powershell.exe
PID 1792 wrote to memory of 3212	1792	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe	powershell.exe
PID 1792 wrote to memory of 968	1792	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe	csrss.exe
PID 1792 wrote to memory of 968	1792	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe	csrss.exe
PID 1792 wrote to memory of 968	1792	9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
"C:\Users\Admin\AppData\Local\Temp\9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Users\Admin\AppData\Local\Temp\9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe
"C:\Users\Admin\AppData\Local\Temp\9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9.exe"
2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:3344

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
- Executes dropped EXE
PID:968

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5rtyycq1.ozr.psm1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
4bede930cccb80946dd832a7e6444cb4

SHA1
d7b26439d1099fee3bb57de1010947b09087c126

SHA256
f73aa1fccd146ae5217d368400ccee9118a274b3e4e2c3f2ec0fb481f67d5c04

SHA512
84c837500af99e2251b424b630633bc0cc11e5dbab13e4cbb4b8081b354f54d430e04a078e93e4017fc0a9836ca55256e9cae8b20c4ad4453dfb559e895583ff

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
b529ce289febff8da3d4030f94bafaad

SHA1
650291dea16ed6dba3f0d37b7b6df321099418ae

SHA256
9a5210882d1ac2a6825dc0bcd59e121d15f99ccf2ddbfca924910c367495ff8c

SHA512
74ac6cfb27e53f1cc02fa23a8355681f4af271b25b4480cf48f6d2574b43f1f02752e55c9d2d075ac2dadca3f4832e253fa515b842e702319c74a7a15be9bf8c

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.2MB

MD5
80df3dfe061cc8643c3028c9d9ebcda8

SHA1
070fbaa876f3921e3046969f93464ece33940fb6

SHA256
9a06f3ce468f5b672a4bd901a4fe3c042ee7ecb64efe32793e3dd03626d1e7a9

SHA512
1c4b3f81446dc6687703a036d751e51cc324f59902b73932e1b9eac4958da3186ddbda799bf62311b06e1eb599082849b2b9137044b2ea48f29399ae0762c53f

Download Submit
memory/1792-149-0x0000000000400000-0x0000000001DFF000-memory.dmp

Filesize
26.0MB

Download
memory/1792-114-0x0000000003B90000-0x0000000003F92000-memory.dmp

Filesize
4.0MB

Download
memory/1792-55-0x0000000000400000-0x0000000001DFF000-memory.dmp

Filesize
26.0MB

Download
memory/1792-54-0x0000000003FA0000-0x000000000488B000-memory.dmp

Filesize
8.9MB

Download
memory/1792-52-0x0000000003B90000-0x0000000003F92000-memory.dmp

Filesize
4.0MB

Download
memory/2124-87-0x0000000074310000-0x0000000074AC1000-memory.dmp

Filesize
7.7MB

Download
memory/2124-56-0x0000000074310000-0x0000000074AC1000-memory.dmp

Filesize
7.7MB

Download
memory/2124-84-0x0000000007760000-0x0000000007775000-memory.dmp

Filesize
84KB

Download
memory/2124-83-0x0000000007710000-0x0000000007721000-memory.dmp

Filesize
68KB

Download
memory/2124-81-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/2124-82-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/2124-80-0x00000000073E0000-0x0000000007484000-memory.dmp

Filesize
656KB

Download
memory/2124-70-0x0000000070580000-0x00000000705CC000-memory.dmp

Filesize
304KB

Download
memory/2124-71-0x0000000070790000-0x0000000070AE7000-memory.dmp

Filesize
3.3MB

Download
memory/2124-69-0x000000007F080000-0x000000007F090000-memory.dmp

Filesize
64KB

Download
memory/2124-68-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/2124-67-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/2124-57-0x0000000005C90000-0x0000000005FE7000-memory.dmp

Filesize
3.3MB

Download
memory/2600-101-0x0000000005D00000-0x0000000006057000-memory.dmp

Filesize
3.3MB

Download
memory/2600-104-0x0000000070580000-0x00000000705CC000-memory.dmp

Filesize
304KB

Download
memory/2600-90-0x0000000074310000-0x0000000074AC1000-memory.dmp

Filesize
7.7MB

Download
memory/2600-92-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/2600-91-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/2600-103-0x000000007F1D0000-0x000000007F1E0000-memory.dmp

Filesize
64KB

Download
memory/2600-105-0x0000000070EC0000-0x0000000071217000-memory.dmp

Filesize
3.3MB

Download
memory/2600-118-0x0000000074310000-0x0000000074AC1000-memory.dmp

Filesize
7.7MB

Download
memory/2600-116-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/2600-115-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/3212-119-0x0000000074310000-0x0000000074AC1000-memory.dmp

Filesize
7.7MB

Download
memory/3212-120-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/3212-121-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/3896-53-0x0000000003C90000-0x0000000004089000-memory.dmp

Filesize
4.0MB

Download
memory/3896-1-0x0000000003C90000-0x0000000004089000-memory.dmp

Filesize
4.0MB

Download
memory/3896-3-0x0000000000400000-0x0000000001DFF000-memory.dmp

Filesize
26.0MB

Download
memory/3896-2-0x0000000004090000-0x000000000497B000-memory.dmp

Filesize
8.9MB

Download
memory/3896-66-0x0000000000400000-0x0000000001DFF000-memory.dmp

Filesize
26.0MB

Download
memory/4832-9-0x0000000004EB0000-0x0000000004ED2000-memory.dmp

Filesize
136KB

Download
memory/4832-6-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/4832-26-0x0000000070580000-0x00000000705CC000-memory.dmp

Filesize
304KB

Download
memory/4832-25-0x00000000071A0000-0x00000000071D4000-memory.dmp

Filesize
208KB

Download
memory/4832-24-0x000000007EE70000-0x000000007EE80000-memory.dmp

Filesize
64KB

Download
memory/4832-23-0x0000000006CF0000-0x0000000006D36000-memory.dmp

Filesize
280KB

Download
memory/4832-22-0x0000000005DB0000-0x0000000005DFC000-memory.dmp

Filesize
304KB

Download
memory/4832-21-0x0000000005D70000-0x0000000005D8E000-memory.dmp

Filesize
120KB

Download
memory/4832-20-0x0000000005880000-0x0000000005BD7000-memory.dmp

Filesize
3.3MB

Download
memory/4832-37-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/4832-7-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/4832-36-0x00000000071E0000-0x00000000071FE000-memory.dmp

Filesize
120KB

Download
memory/4832-11-0x0000000005810000-0x0000000005876000-memory.dmp

Filesize
408KB

Download
memory/4832-38-0x0000000007200000-0x00000000072A4000-memory.dmp

Filesize
656KB

Download
memory/4832-40-0x0000000007330000-0x000000000734A000-memory.dmp

Filesize
104KB

Download
memory/4832-27-0x0000000070700000-0x0000000070A57000-memory.dmp

Filesize
3.3MB

Download
memory/4832-8-0x0000000005120000-0x000000000574A000-memory.dmp

Filesize
6.2MB

Download
memory/4832-39-0x0000000007970000-0x0000000007FEA000-memory.dmp

Filesize
6.5MB

Download
memory/4832-10-0x0000000005070000-0x00000000050D6000-memory.dmp

Filesize
408KB

Download
memory/4832-5-0x00000000028A0000-0x00000000028D6000-memory.dmp

Filesize
216KB

Download
memory/4832-50-0x0000000074310000-0x0000000074AC1000-memory.dmp

Filesize
7.7MB

Download
memory/4832-47-0x00000000074D0000-0x00000000074D8000-memory.dmp

Filesize
32KB

Download
memory/4832-46-0x00000000074F0000-0x000000000750A000-memory.dmp

Filesize
104KB

Download
memory/4832-45-0x00000000073F0000-0x0000000007405000-memory.dmp

Filesize
84KB

Download
memory/4832-44-0x00000000073E0000-0x00000000073EE000-memory.dmp

Filesize
56KB

Download
memory/4832-43-0x00000000073A0000-0x00000000073B1000-memory.dmp

Filesize
68KB

Download
memory/4832-4-0x0000000074310000-0x0000000074AC1000-memory.dmp

Filesize
7.7MB

Download
memory/4832-42-0x0000000007430000-0x00000000074C6000-memory.dmp

Filesize
600KB

Download
memory/4832-41-0x0000000007370000-0x000000000737A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads