glupteba | 78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17

Analysis

max time kernel
29s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Size

4.1MB
MD5

a3cc819f53614af94777eb52603811f0
SHA1

4266066f2c24b739f26384d0e68b8f280ef610c4
SHA256

78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17
SHA512

1de4de5e6cb203b46f408d0d8ac184e11f5b77fc1e37350c8f453a4d2bfcff2f7ed0feb16389f81216e136589da948583d81af2387e1f85ca770503255923ba2
SSDEEP

98304:Cb4JZ188yFg2NHKKQqaBHENhLOMTEbJ8tA7UUJu481DBG2:xBdQ1naH+hM1NF8W2

Score

10^/10

glupteba dropper evasion loader persistence

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/396-2-0x0000000004040000-0x000000000492B000-memory.dmp	family_glupteba
behavioral1/memory/396-3-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/5040-47-0x0000000003E20000-0x000000000470B000-memory.dmp	family_glupteba
behavioral1/memory/5040-48-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/396-60-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/5040-115-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/5040-116-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/5040-149-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

760 netsh.exe
Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

4408 csrss.exe

pid	process
760	netsh.exe

pid	process
4408	csrss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe

Drops file in System32 directory 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe

Drops file in Windows directory 2 IoCs

Processes:

78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe

description	ioc	process
File opened for modification	C:\Windows\rss	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
File created	C:\Windows\rss\csrss.exe	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3112 3604 WerFault.exe powershell.exe

pid	pid_target	process	target process
3112	3604	WerFault.exe	powershell.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

powershell.exe78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exepowershell.exe78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exepowershell.exepowershell.exepowershell.exe

pid	process
3604	powershell.exe
3604	powershell.exe
396	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
396	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
5040	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
5040	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
5040	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
5040	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
5040	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
5040	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
5040	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
5040	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
5040	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
5040	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
700	powershell.exe
700	powershell.exe
700	powershell.exe
4716	powershell.exe
4716	powershell.exe
4716	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exe78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeDebugPrivilege	396	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Token: SeImpersonatePrivilege	396	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	4716	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.execmd.execsrss.exe

description	pid	process	target process
PID 396 wrote to memory of 3604	396	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe	powershell.exe
PID 396 wrote to memory of 3604	396	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe	powershell.exe
PID 396 wrote to memory of 3604	396	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe	powershell.exe
PID 5040 wrote to memory of 3472	5040	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe	powershell.exe
PID 5040 wrote to memory of 3472	5040	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe	powershell.exe
PID 5040 wrote to memory of 3472	5040	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe	powershell.exe
PID 5040 wrote to memory of 2480	5040	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe	cmd.exe
PID 5040 wrote to memory of 2480	5040	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe	cmd.exe
PID 2480 wrote to memory of 760	2480	cmd.exe	netsh.exe
PID 2480 wrote to memory of 760	2480	cmd.exe	netsh.exe
PID 5040 wrote to memory of 3928	5040	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe	powershell.exe
PID 5040 wrote to memory of 3928	5040	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe	powershell.exe
PID 5040 wrote to memory of 3928	5040	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe	powershell.exe
PID 5040 wrote to memory of 700	5040	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe	powershell.exe
PID 5040 wrote to memory of 700	5040	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe	powershell.exe
PID 5040 wrote to memory of 700	5040	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe	powershell.exe
PID 5040 wrote to memory of 4408	5040	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe	csrss.exe
PID 5040 wrote to memory of 4408	5040	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe	csrss.exe
PID 5040 wrote to memory of 4408	5040	78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe	csrss.exe
PID 4408 wrote to memory of 4716	4408	csrss.exe	powershell.exe
PID 4408 wrote to memory of 4716	4408	csrss.exe	powershell.exe
PID 4408 wrote to memory of 4716	4408	csrss.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
"C:\Users\Admin\AppData\Local\Temp\78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 2472
3⤵
- Program crash
PID:3112

C:\Users\Admin\AppData\Local\Temp\78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe
"C:\Users\Admin\AppData\Local\Temp\78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17.exe"
2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:700

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3604 -ip 3604
1⤵
PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f1srinxy.fpb.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
212dc68f8c941bf78b9b0acf0af766d9

SHA1
24615f24c147b2840f21b85015f088b944f0bef0

SHA256
56a9feb61a299f759165851ef6cf21e046ebc8b84a2e317ea53943b901cf4b00

SHA512
d0a69988fe1c0d2edf4c97509195d1af535eec4327dce6529b10984e1fe59687cee5391c892f0b5d5c8d416fecd26996598bb8f3d7a8d3fafab40fbfe9f06cad

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
22e98b1eb3e047fedb79aa68ff75cc31

SHA1
ccde0bbfaa1a0f9f6a84b380616a995d024f2477

SHA256
a0cd6a2b6fcbbe6df5f1e972e0aa96245c94566c183033f196bbb056c953e1fd

SHA512
6f8cc10802be53311f1f844854eeb5b731335d8616bc7e6a3aaa74219b23d5eb85845d40c66a2cad6776b16da7eafe0796614456ea379d72bb600e53b0977526

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
98d0e36d89eb7b77e27dfb45fdab90da

SHA1
095a8d296797122715295b57c8515f29edcfa983

SHA256
4c3280cef523643e8d9b0299ab06eaad079814dff43900da649da1c141cced8e

SHA512
69bdf9df7fa5a98c472b59020eb0886a41f4fef1e644bace24d0be972f8634689b2de5437590513cfa38336f9ac3e9570e820f95b02d422b291e3afb62ffcf01

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.1MB

MD5
a3cc819f53614af94777eb52603811f0

SHA1
4266066f2c24b739f26384d0e68b8f280ef610c4

SHA256
78fe4ec0e717a98864e1aa475e44fdca9637e74adcdb9bb6860142c65921ac17

SHA512
1de4de5e6cb203b46f408d0d8ac184e11f5b77fc1e37350c8f453a4d2bfcff2f7ed0feb16389f81216e136589da948583d81af2387e1f85ca770503255923ba2

Download Submit
memory/396-2-0x0000000004040000-0x000000000492B000-memory.dmp

Filesize
8.9MB

Download
memory/396-3-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/396-60-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/396-46-0x0000000003C40000-0x000000000403D000-memory.dmp

Filesize
4.0MB

Download
memory/396-1-0x0000000003C40000-0x000000000403D000-memory.dmp

Filesize
4.0MB

Download
memory/700-142-0x000000007F760000-0x000000007F770000-memory.dmp

Filesize
64KB

Download
memory/700-144-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/700-128-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/700-127-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/700-126-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/700-132-0x0000000070620000-0x0000000070974000-memory.dmp

Filesize
3.3MB

Download
memory/700-131-0x00000000704A0000-0x00000000704EC000-memory.dmp

Filesize
304KB

Download
memory/700-143-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/700-146-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/3472-65-0x0000000070620000-0x0000000070974000-memory.dmp

Filesize
3.3MB

Download
memory/3472-82-0x0000000007C90000-0x0000000007C98000-memory.dmp

Filesize
32KB

Download
memory/3472-80-0x0000000007C60000-0x0000000007C74000-memory.dmp

Filesize
80KB

Download
memory/3472-79-0x0000000007C50000-0x0000000007C5E000-memory.dmp

Filesize
56KB

Download
memory/3472-78-0x0000000007C10000-0x0000000007C21000-memory.dmp

Filesize
68KB

Download
memory/3472-77-0x0000000007CE0000-0x0000000007D76000-memory.dmp

Filesize
600KB

Download
memory/3472-75-0x0000000002E50000-0x0000000002E60000-memory.dmp

Filesize
64KB

Download
memory/3472-81-0x0000000007CA0000-0x0000000007CBA000-memory.dmp

Filesize
104KB

Download
memory/3472-76-0x00000000078F0000-0x0000000007993000-memory.dmp

Filesize
652KB

Download
memory/3472-64-0x000000007EE60000-0x000000007EE70000-memory.dmp

Filesize
64KB

Download
memory/3472-49-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/3472-59-0x0000000002E50000-0x0000000002E60000-memory.dmp

Filesize
64KB

Download
memory/3472-85-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/3472-61-0x0000000002E50000-0x0000000002E60000-memory.dmp

Filesize
64KB

Download
memory/3472-63-0x00000000704A0000-0x00000000704EC000-memory.dmp

Filesize
304KB

Download
memory/3604-27-0x000000007F5E0000-0x000000007F5F0000-memory.dmp

Filesize
64KB

Download
memory/3604-10-0x0000000005B50000-0x0000000005BB6000-memory.dmp

Filesize
408KB

Download
memory/3604-5-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/3604-4-0x0000000002BC0000-0x0000000002BF6000-memory.dmp

Filesize
216KB

Download
memory/3604-43-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/3604-42-0x0000000007870000-0x000000000787A000-memory.dmp

Filesize
40KB

Download
memory/3604-41-0x0000000007780000-0x0000000007823000-memory.dmp

Filesize
652KB

Download
memory/3604-40-0x0000000007760000-0x000000000777E000-memory.dmp

Filesize
120KB

Download
memory/3604-30-0x0000000070620000-0x0000000070974000-memory.dmp

Filesize
3.3MB

Download
memory/3604-29-0x00000000704A0000-0x00000000704EC000-memory.dmp

Filesize
304KB

Download
memory/3604-28-0x0000000007720000-0x0000000007752000-memory.dmp

Filesize
200KB

Download
memory/3604-26-0x0000000007570000-0x000000000758A000-memory.dmp

Filesize
104KB

Download
memory/3604-6-0x0000000002C50000-0x0000000002C60000-memory.dmp

Filesize
64KB

Download
memory/3604-7-0x0000000005310000-0x0000000005938000-memory.dmp

Filesize
6.2MB

Download
memory/3604-8-0x0000000005A40000-0x0000000005A62000-memory.dmp

Filesize
136KB

Download
memory/3604-25-0x0000000007BD0000-0x000000000824A000-memory.dmp

Filesize
6.5MB

Download
memory/3604-9-0x0000000005AE0000-0x0000000005B46000-memory.dmp

Filesize
408KB

Download
memory/3604-20-0x0000000005CC0000-0x0000000006014000-memory.dmp

Filesize
3.3MB

Download
memory/3604-21-0x00000000061A0000-0x00000000061BE000-memory.dmp

Filesize
120KB

Download
memory/3604-22-0x00000000061E0000-0x000000000622C000-memory.dmp

Filesize
304KB

Download
memory/3604-23-0x00000000065A0000-0x00000000065E4000-memory.dmp

Filesize
272KB

Download
memory/3604-24-0x00000000074D0000-0x0000000007546000-memory.dmp

Filesize
472KB

Download
memory/3928-88-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/3928-87-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/3928-114-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/3928-112-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/3928-102-0x0000000070620000-0x0000000070974000-memory.dmp

Filesize
3.3MB

Download
memory/3928-100-0x00000000704A0000-0x00000000704EC000-memory.dmp

Filesize
304KB

Download
memory/3928-101-0x000000007EEC0000-0x000000007EED0000-memory.dmp

Filesize
64KB

Download
memory/4408-153-0x0000000003E00000-0x0000000004200000-memory.dmp

Filesize
4.0MB

Download
memory/5040-89-0x0000000003A20000-0x0000000003E20000-memory.dmp

Filesize
4.0MB

Download
memory/5040-48-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/5040-116-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/5040-115-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/5040-45-0x0000000003A20000-0x0000000003E20000-memory.dmp

Filesize
4.0MB

Download
memory/5040-149-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/5040-47-0x0000000003E20000-0x000000000470B000-memory.dmp

Filesize
8.9MB

Download