glupteba | a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f

Analysis

max time kernel
22s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Size

4.2MB
MD5

f050cdc7baaf85ee9a4487cb94b418ed
SHA1

186dba34c17efe0c2cd4814d14b24df5176d9989
SHA256

a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f
SHA512

fb8587c572d29b53f4369e0a3f7068a1660c53a24ce9ab07ac10f9b402dc6719716b76c5b26a9930778c6c80a17ec4883feb09e6d989e034e67889c57fa5b393
SSDEEP

98304:35+mIL5L7IQj8yJZZuDoiuzYljTftPavivh2zh/wed:J+zh739J3uDoioYlH4vmAzhzd

Score

10^/10

glupteba dropper evasion loader upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 18 IoCs

resource	yara_rule
behavioral1/memory/2740-2-0x0000000005070000-0x000000000595B000-memory.dmp	family_glupteba
behavioral1/memory/2740-3-0x0000000000400000-0x0000000003009000-memory.dmp	family_glupteba
behavioral1/memory/2740-54-0x0000000000400000-0x0000000003009000-memory.dmp	family_glupteba
behavioral1/memory/2740-56-0x0000000005070000-0x000000000595B000-memory.dmp	family_glupteba
behavioral1/memory/5056-58-0x00000000050A0000-0x000000000598B000-memory.dmp	family_glupteba
behavioral1/memory/5056-59-0x0000000000400000-0x0000000003009000-memory.dmp	family_glupteba
behavioral1/memory/5056-108-0x0000000000400000-0x0000000003009000-memory.dmp	family_glupteba
behavioral1/memory/5056-158-0x0000000000400000-0x0000000003009000-memory.dmp	family_glupteba
behavioral1/memory/1932-220-0x0000000000400000-0x0000000003009000-memory.dmp	family_glupteba
behavioral1/memory/1932-261-0x0000000000400000-0x0000000003009000-memory.dmp	family_glupteba
behavioral1/memory/1932-270-0x0000000000400000-0x0000000003009000-memory.dmp	family_glupteba
behavioral1/memory/1932-272-0x0000000000400000-0x0000000003009000-memory.dmp	family_glupteba
behavioral1/memory/1932-274-0x0000000000400000-0x0000000003009000-memory.dmp	family_glupteba
behavioral1/memory/1932-276-0x0000000000400000-0x0000000003009000-memory.dmp	family_glupteba
behavioral1/memory/1932-278-0x0000000000400000-0x0000000003009000-memory.dmp	family_glupteba
behavioral1/memory/1932-280-0x0000000000400000-0x0000000003009000-memory.dmp	family_glupteba
behavioral1/memory/1932-282-0x0000000000400000-0x0000000003009000-memory.dmp	family_glupteba
behavioral1/memory/1932-284-0x0000000000400000-0x0000000003009000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3332	netsh.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00140000000233cc-265.dat	upx
behavioral1/memory/732-269-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/412-271-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/412-275-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3116	sc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
552	2740	WerFault.exe	82

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4816	schtasks.exe
2352	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1480	powershell.exe
1480	powershell.exe
2740	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
2740	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	2740	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
Token: SeImpersonatePrivilege	2740	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 1480	2740	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe	87
PID 2740 wrote to memory of 1480	2740	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe	87
PID 2740 wrote to memory of 1480	2740	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe	87
PID 5056 wrote to memory of 1932	5056	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe	120
PID 5056 wrote to memory of 1932	5056	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe	120
PID 5056 wrote to memory of 1932	5056	a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe	120

C:\Users\Admin\AppData\Local\Temp\a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
"C:\Users\Admin\AppData\Local\Temp\a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Users\Admin\AppData\Local\Temp\a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe
  "C:\Users\Admin\AppData\Local\Temp\a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f.exe"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:1932
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:2276
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:3332
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:3820
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:1932
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:4976
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:4816
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:1732
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:3976
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:2092
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2352
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:732
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:4232
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:3116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 892
  2⤵
  - Program crash
  PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2740 -ip 2740
1⤵
PID:4356

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_21zy3mtu.fev.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
a1121ff13d950be1e4a5057c489f4da4

SHA1
5cafd1c2bb5bb48ce9777ac2404a9fb0713a08a6

SHA256
1e427a6049419e6f7c6788bece3e6f9457fe764b87b3ac2f8c137a1aef0c76ea

SHA512
5187689fe9a82ff8bb100b4d1ddeea8a9c47502bb8a1fa61368ff94c980e711bddc1b237dd1cf68738d4cf141e29e85fe192935361846fcaa36c998ab2244f57

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
f3dd907dea54c543af98df5cc2b42bc4

SHA1
9a24f01743fe78dc4ef2a3d07d48ba4f32079727

SHA256
dd622619fb2b77d2f03fbfbf161f2d5eed5a0c2a28f7cbe41cc44a944747a691

SHA512
a288bdcd14d5c696fe1ffd5f27fef50b1b60348e795a369e5a8e909e7b6ad1b31504cd2c7cc81a57be2c5df2ea50d3ee9e0baf3005aa25090a73438c5de46c4a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
a4cafb883246b29f1850d5a193c1548c

SHA1
2c394d290442d585ba90b535a5edf438cad8eb8c

SHA256
746a12702e0ee6ae5ab9fbc6175208c4dc7f627f637887025fdb91b293b9ef2a

SHA512
d726a15b27f120e28945c0eee7d6b00434b4a3d096be38bc6684d985a7997d275fc17fcfa3dd18f5b5753cada9a0584ae692fdb8120243d29e3fe908530962f6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
7aa4e03c0dd2c941917720679ed60c20

SHA1
ac9e25d46f6e608ec2b85cf82d8e2065863bcb7f

SHA256
058d2a3cb95735f65deeace20a964b86e64f687873e6939bca7cc848887ba110

SHA512
1685cb496a5478af41e4b5f6b47eaf82df2b6cb6cdd0b38b4948433175a94f67e6a8d5743182a24408a73664d33808d6156a87dbe352c6831cd905e69e67f41e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
2d6536644ffaa866ae0a2b8aadc5d8c9

SHA1
55ce6eea15a2f74861dd7f0d08cbd55eb1bc2192

SHA256
4100ba70097128c2a296aaef7b23a3d3f90c618e6101c211c81d139560567b00

SHA512
8c65a217a20e9342bc6d11345219bf40ca4d25c1049321c32ca2b3573657c7e28d7eac0cc7531a3e18e8c1d912d24014fd8221ad05a40afe508aa6001aff9bbc

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
f050cdc7baaf85ee9a4487cb94b418ed

SHA1
186dba34c17efe0c2cd4814d14b24df5176d9989

SHA256
a377788ef4c4725d8eda4c014dbab9a25854f73d83ce4b523c383edc6889287f

SHA512
fb8587c572d29b53f4369e0a3f7068a1660c53a24ce9ab07ac10f9b402dc6719716b76c5b26a9930778c6c80a17ec4883feb09e6d989e034e67889c57fa5b393

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/412-271-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/412-275-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/732-269-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1480-29-0x0000000007C90000-0x0000000007CC2000-memory.dmp

Filesize
200KB

Download
memory/1480-46-0x0000000007E00000-0x0000000007E11000-memory.dmp

Filesize
68KB

Download
memory/1480-24-0x0000000006C40000-0x0000000006C84000-memory.dmp

Filesize
272KB

Download
memory/1480-25-0x0000000007A30000-0x0000000007AA6000-memory.dmp

Filesize
472KB

Download
memory/1480-27-0x0000000007AD0000-0x0000000007AEA000-memory.dmp

Filesize
104KB

Download
memory/1480-26-0x0000000008130000-0x00000000087AA000-memory.dmp

Filesize
6.5MB

Download
memory/1480-30-0x00000000704F0000-0x000000007053C000-memory.dmp

Filesize
304KB

Download
memory/1480-22-0x0000000006700000-0x000000000671E000-memory.dmp

Filesize
120KB

Download
memory/1480-28-0x000000007F360000-0x000000007F370000-memory.dmp

Filesize
64KB

Download
memory/1480-31-0x00000000708C0000-0x0000000070C14000-memory.dmp

Filesize
3.3MB

Download
memory/1480-41-0x0000000007CD0000-0x0000000007CEE000-memory.dmp

Filesize
120KB

Download
memory/1480-42-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/1480-43-0x0000000007CF0000-0x0000000007D93000-memory.dmp

Filesize
652KB

Download
memory/1480-44-0x0000000007DE0000-0x0000000007DEA000-memory.dmp

Filesize
40KB

Download
memory/1480-45-0x0000000007EA0000-0x0000000007F36000-memory.dmp

Filesize
600KB

Download
memory/1480-23-0x00000000067C0000-0x000000000680C000-memory.dmp

Filesize
304KB

Download
memory/1480-47-0x0000000007E40000-0x0000000007E4E000-memory.dmp

Filesize
56KB

Download
memory/1480-48-0x0000000007E50000-0x0000000007E64000-memory.dmp

Filesize
80KB

Download
memory/1480-49-0x0000000007F40000-0x0000000007F5A000-memory.dmp

Filesize
104KB

Download
memory/1480-50-0x0000000007E90000-0x0000000007E98000-memory.dmp

Filesize
32KB

Download
memory/1480-53-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/1480-21-0x0000000006110000-0x0000000006464000-memory.dmp

Filesize
3.3MB

Download
memory/1480-10-0x00000000058E0000-0x0000000005946000-memory.dmp

Filesize
408KB

Download
memory/1480-11-0x0000000006060000-0x00000000060C6000-memory.dmp

Filesize
408KB

Download
memory/1480-9-0x0000000005840000-0x0000000005862000-memory.dmp

Filesize
136KB

Download
memory/1480-8-0x00000000059C0000-0x0000000005FE8000-memory.dmp

Filesize
6.2MB

Download
memory/1480-7-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/1480-6-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/1480-5-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/1480-4-0x0000000003140000-0x0000000003176000-memory.dmp

Filesize
216KB

Download
memory/1932-74-0x000000007FC30000-0x000000007FC40000-memory.dmp

Filesize
64KB

Download
memory/1932-280-0x0000000000400000-0x0000000003009000-memory.dmp

Filesize
44.0MB

Download
memory/1932-75-0x00000000705F0000-0x000000007063C000-memory.dmp

Filesize
304KB

Download
memory/1932-76-0x0000000070D90000-0x00000000710E4000-memory.dmp

Filesize
3.3MB

Download
memory/1932-87-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/1932-86-0x0000000007510000-0x00000000075B3000-memory.dmp

Filesize
652KB

Download
memory/1932-88-0x0000000007A20000-0x0000000007A31000-memory.dmp

Filesize
68KB

Download
memory/1932-89-0x0000000007A70000-0x0000000007A84000-memory.dmp

Filesize
80KB

Download
memory/1932-92-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/1932-73-0x0000000006540000-0x000000000658C000-memory.dmp

Filesize
304KB

Download
memory/1932-286-0x0000000000400000-0x0000000003009000-memory.dmp

Filesize
44.0MB

Download
memory/1932-284-0x0000000000400000-0x0000000003009000-memory.dmp

Filesize
44.0MB

Download
memory/1932-220-0x0000000000400000-0x0000000003009000-memory.dmp

Filesize
44.0MB

Download
memory/1932-282-0x0000000000400000-0x0000000003009000-memory.dmp

Filesize
44.0MB

Download
memory/1932-62-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/1932-60-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/1932-278-0x0000000000400000-0x0000000003009000-memory.dmp

Filesize
44.0MB

Download
memory/1932-276-0x0000000000400000-0x0000000003009000-memory.dmp

Filesize
44.0MB

Download
memory/1932-61-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/1932-274-0x0000000000400000-0x0000000003009000-memory.dmp

Filesize
44.0MB

Download
memory/1932-272-0x0000000000400000-0x0000000003009000-memory.dmp

Filesize
44.0MB

Download
memory/1932-261-0x0000000000400000-0x0000000003009000-memory.dmp

Filesize
44.0MB

Download
memory/1932-270-0x0000000000400000-0x0000000003009000-memory.dmp

Filesize
44.0MB

Download
memory/1932-63-0x0000000005EC0000-0x0000000006214000-memory.dmp

Filesize
3.3MB

Download
memory/2740-54-0x0000000000400000-0x0000000003009000-memory.dmp

Filesize
44.0MB

Download
memory/2740-56-0x0000000005070000-0x000000000595B000-memory.dmp

Filesize
8.9MB

Download
memory/2740-3-0x0000000000400000-0x0000000003009000-memory.dmp

Filesize
44.0MB

Download
memory/2740-2-0x0000000005070000-0x000000000595B000-memory.dmp

Filesize
8.9MB

Download
memory/2740-1-0x00000000032C0000-0x00000000036C2000-memory.dmp

Filesize
4.0MB

Download
memory/3532-94-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/3532-121-0x00000000029A0000-0x00000000029B0000-memory.dmp

Filesize
64KB

Download
memory/3532-96-0x00000000029A0000-0x00000000029B0000-memory.dmp

Filesize
64KB

Download
memory/3532-95-0x00000000029A0000-0x00000000029B0000-memory.dmp

Filesize
64KB

Download
memory/3532-103-0x0000000005820000-0x0000000005B74000-memory.dmp

Filesize
3.3MB

Download
memory/3532-109-0x00000000705F0000-0x000000007063C000-memory.dmp

Filesize
304KB

Download
memory/3532-110-0x0000000070DB0000-0x0000000071104000-memory.dmp

Filesize
3.3MB

Download
memory/3532-120-0x000000007F690000-0x000000007F6A0000-memory.dmp

Filesize
64KB

Download
memory/3532-122-0x00000000029A0000-0x00000000029B0000-memory.dmp

Filesize
64KB

Download
memory/3532-124-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/3820-125-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/3820-137-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/3820-127-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/5056-126-0x00000000033F0000-0x00000000037F1000-memory.dmp

Filesize
4.0MB

Download
memory/5056-108-0x0000000000400000-0x0000000003009000-memory.dmp

Filesize
44.0MB

Download
memory/5056-59-0x0000000000400000-0x0000000003009000-memory.dmp

Filesize
44.0MB

Download
memory/5056-57-0x00000000033F0000-0x00000000037F1000-memory.dmp

Filesize
4.0MB

Download
memory/5056-58-0x00000000050A0000-0x000000000598B000-memory.dmp

Filesize
8.9MB

Download
memory/5056-158-0x0000000000400000-0x0000000003009000-memory.dmp

Filesize
44.0MB

Download