glupteba | 69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055

Analysis

max time kernel
23s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23/04/2024, 19:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Size

4.2MB
MD5

46889b774747a7be47d4f7f6a605e0d5
SHA1

1eb99901c7009196d502779fa639d8b397c7c3b0
SHA256

69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055
SHA512

abb91f153b0d51cc5dc6f8245c88186eaf40f045d4e7428055907bcc3f1f6778ababd638145d1a499e0b9ba32804da6f503e458e5e12007ab3eb172648189fc5
SSDEEP

98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuS:7pjD+c6O+8yZp

Score

10^/10

glupteba dropper evasion loader upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 16 IoCs

resource	yara_rule
behavioral1/memory/2620-2-0x0000000006540000-0x0000000006E2B000-memory.dmp	family_glupteba
behavioral1/memory/2620-24-0x0000000000400000-0x0000000004426000-memory.dmp	family_glupteba
behavioral1/memory/2620-55-0x0000000006540000-0x0000000006E2B000-memory.dmp	family_glupteba
behavioral1/memory/2620-57-0x0000000000400000-0x0000000004426000-memory.dmp	family_glupteba
behavioral1/memory/3468-92-0x0000000000400000-0x0000000004426000-memory.dmp	family_glupteba
behavioral1/memory/3468-108-0x0000000004980000-0x0000000004D80000-memory.dmp	family_glupteba
behavioral1/memory/3468-153-0x0000000000400000-0x0000000004426000-memory.dmp	family_glupteba
behavioral1/memory/3132-217-0x0000000000400000-0x0000000004426000-memory.dmp	family_glupteba
behavioral1/memory/3132-253-0x0000000000400000-0x0000000004426000-memory.dmp	family_glupteba
behavioral1/memory/3132-255-0x0000000000400000-0x0000000004426000-memory.dmp	family_glupteba
behavioral1/memory/3132-263-0x0000000000400000-0x0000000004426000-memory.dmp	family_glupteba
behavioral1/memory/3132-267-0x0000000000400000-0x0000000004426000-memory.dmp	family_glupteba
behavioral1/memory/3132-270-0x0000000000400000-0x0000000004426000-memory.dmp	family_glupteba
behavioral1/memory/3132-273-0x0000000000400000-0x0000000004426000-memory.dmp	family_glupteba
behavioral1/memory/3132-276-0x0000000000400000-0x0000000004426000-memory.dmp	family_glupteba
behavioral1/memory/3132-279-0x0000000000400000-0x0000000004426000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4296	netsh.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00030000000219e9-258.dat	upx
behavioral1/memory/5032-264-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2192-274-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3476	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2184	schtasks.exe
5392	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1100	powershell.exe
1100	powershell.exe
2620	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
2620	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	2620	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
Token: SeImpersonatePrivilege	2620	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 1100	2620	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe	92
PID 2620 wrote to memory of 1100	2620	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe	92
PID 2620 wrote to memory of 1100	2620	69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe	92

C:\Users\Admin\AppData\Local\Temp\69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
"C:\Users\Admin\AppData\Local\Temp\69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1100
- C:\Users\Admin\AppData\Local\Temp\69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe
  "C:\Users\Admin\AppData\Local\Temp\69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055.exe"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3468
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:1016
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:1144
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4296
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:5192
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:3132
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:4304
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:5392
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:5760
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2224
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:5396
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:220
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2184
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:5032
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:5220
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:3476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1324 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:5492

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5x5wlccd.eoo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
e2ddd6e2b147c852748801a4501611fa

SHA1
365572f0ee5430ba8cfd7b36a9739c2f21d0c78a

SHA256
203023edcf782b652d8ee0fafe3cc77b369e675a196fbf860d543e037646763f

SHA512
216c9694e658b8680369fab1926d6cf196af7d93a7bcb841d2ee71186aa51651cb74606b43c8fdd17c15227b65e1d4551fd5e04e72aa48957c98782693ef5705

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
02a1a7e10ade0c8f63a433e93e760b7c

SHA1
b396c98bd8f2c53b6b6b543efd5d259fc55084b0

SHA256
cb521c4de00da96d6157c33d02cde8a552444dc791e43dae8b4b5b907bfd74b0

SHA512
08d3f28f0da42e7cfdeaa7c5bc0dbac80b8d430efe941e3da0738bcd913ec29b2c7bec2a8b90df7d90d86c512d3e2f7d766783f5ee81b0056960537c16e9d43e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
9cce104d8bb5402c5f4b02c77f706e0c

SHA1
9241a526cd473d9b4b6e89b4f3ade427b07a1f52

SHA256
c0918308cc3f6050ff4210b2d9cfc1fbe7ecf6edac0f01964c84de2c067f88b5

SHA512
f02a736798820451def452d7de0238c8a044a711716c783296a88b4b657827b231a421a702d44169e40fe6397949f34e2691a265ed25d96b3ebef9e3edf91188

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
b1da406e2a24d54e3ef04a66373e263c

SHA1
7c51de598d43ae534d541c32e43f00339e539b32

SHA256
39cd55e6ef7f9881baacb9126396c2ffd74511975d0c473e3b5aaa37eadff299

SHA512
6a6b51f38d234d57960707987114e74577aba9f1f7b7e831dbb72bc51cff28e414d84450bd11f840fbc9b23d5ac9f2a078fc23d3f9a2329c2404dec051f7a70a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
3d93d03209808828336d5ccc2b517287

SHA1
b54ac3f0b5ada914238d6b77c8c6778abe8e8f2d

SHA256
ac391bda79d289765780c1b0fcf94dba1879fbeba3a16b6f1c5627941d453832

SHA512
0ce718ac4a49749dfda747b2aa1a2a3e610d3fd13e340361019c2e8c20c7c589f591245d6990f5b92eaf7b140829dbe6e6eaf015ab419659388ac7f969ab8a80

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
46889b774747a7be47d4f7f6a605e0d5

SHA1
1eb99901c7009196d502779fa639d8b397c7c3b0

SHA256
69c53cedf52ef9a7a9ee596d4dc458e8ce1c599b52dc4b01798aacb680344055

SHA512
abb91f153b0d51cc5dc6f8245c88186eaf40f045d4e7428055907bcc3f1f6778ababd638145d1a499e0b9ba32804da6f503e458e5e12007ab3eb172648189fc5

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/1016-85-0x0000000007230000-0x00000000072D3000-memory.dmp

Filesize
652KB

Download
memory/1016-90-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/1016-87-0x00000000075A0000-0x00000000075B4000-memory.dmp

Filesize
80KB

Download
memory/1016-86-0x0000000007530000-0x0000000007541000-memory.dmp

Filesize
68KB

Download
memory/1016-60-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/1016-75-0x0000000070E80000-0x00000000711D4000-memory.dmp

Filesize
3.3MB

Download
memory/1016-74-0x0000000070700000-0x000000007074C000-memory.dmp

Filesize
304KB

Download
memory/1016-73-0x000000007FA50000-0x000000007FA60000-memory.dmp

Filesize
64KB

Download
memory/1016-72-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/1016-67-0x0000000005A10000-0x0000000005D64000-memory.dmp

Filesize
3.3MB

Download
memory/1016-61-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/1016-59-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/1100-31-0x0000000070700000-0x000000007074C000-memory.dmp

Filesize
304KB

Download
memory/1100-32-0x0000000070AF0000-0x0000000070E44000-memory.dmp

Filesize
3.3MB

Download
memory/1100-42-0x00000000071E0000-0x00000000071FE000-memory.dmp

Filesize
120KB

Download
memory/1100-43-0x0000000007240000-0x00000000072E3000-memory.dmp

Filesize
652KB

Download
memory/1100-44-0x0000000007330000-0x000000000733A000-memory.dmp

Filesize
40KB

Download
memory/1100-45-0x0000000007440000-0x00000000074D6000-memory.dmp

Filesize
600KB

Download
memory/1100-46-0x0000000007340000-0x0000000007351000-memory.dmp

Filesize
68KB

Download
memory/1100-3-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/1100-48-0x00000000073B0000-0x00000000073BE000-memory.dmp

Filesize
56KB

Download
memory/1100-49-0x00000000073C0000-0x00000000073D4000-memory.dmp

Filesize
80KB

Download
memory/1100-50-0x0000000007400000-0x000000000741A000-memory.dmp

Filesize
104KB

Download
memory/1100-51-0x00000000073F0000-0x00000000073F8000-memory.dmp

Filesize
32KB

Download
memory/1100-54-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/1100-4-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1100-5-0x0000000002670000-0x00000000026A6000-memory.dmp

Filesize
216KB

Download
memory/1100-6-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1100-7-0x0000000004E10000-0x0000000005438000-memory.dmp

Filesize
6.2MB

Download
memory/1100-30-0x0000000007200000-0x0000000007232000-memory.dmp

Filesize
200KB

Download
memory/1100-29-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/1100-28-0x0000000006DC0000-0x0000000006DDA000-memory.dmp

Filesize
104KB

Download
memory/1100-27-0x0000000007700000-0x0000000007D7A000-memory.dmp

Filesize
6.5MB

Download
memory/1100-25-0x0000000006E00000-0x0000000006E76000-memory.dmp

Filesize
472KB

Download
memory/1100-26-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/1100-8-0x0000000004C80000-0x0000000004CA2000-memory.dmp

Filesize
136KB

Download
memory/1100-23-0x00000000061F0000-0x0000000006234000-memory.dmp

Filesize
272KB

Download
memory/1100-22-0x0000000005F60000-0x0000000005FAC000-memory.dmp

Filesize
304KB

Download
memory/1100-21-0x0000000005C90000-0x0000000005CAE000-memory.dmp

Filesize
120KB

Download
memory/1100-16-0x0000000005630000-0x0000000005984000-memory.dmp

Filesize
3.3MB

Download
memory/1100-10-0x0000000005440000-0x00000000054A6000-memory.dmp

Filesize
408KB

Download
memory/1100-9-0x0000000004D20000-0x0000000004D86000-memory.dmp

Filesize
408KB

Download
memory/1540-106-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/1540-104-0x0000000005AF0000-0x0000000005E44000-memory.dmp

Filesize
3.3MB

Download
memory/1540-103-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/1540-105-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/1540-122-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/1540-109-0x0000000070700000-0x000000007074C000-memory.dmp

Filesize
304KB

Download
memory/1540-111-0x0000000070880000-0x0000000070BD4000-memory.dmp

Filesize
3.3MB

Download
memory/1540-110-0x000000007F630000-0x000000007F640000-memory.dmp

Filesize
64KB

Download
memory/2192-274-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2620-2-0x0000000006540000-0x0000000006E2B000-memory.dmp

Filesize
8.9MB

Download
memory/2620-47-0x00000000049A0000-0x0000000004D9B000-memory.dmp

Filesize
4.0MB

Download
memory/2620-55-0x0000000006540000-0x0000000006E2B000-memory.dmp

Filesize
8.9MB

Download
memory/2620-57-0x0000000000400000-0x0000000004426000-memory.dmp

Filesize
64.1MB

Download
memory/2620-24-0x0000000000400000-0x0000000004426000-memory.dmp

Filesize
64.1MB

Download
memory/2620-1-0x00000000049A0000-0x0000000004D9B000-memory.dmp

Filesize
4.0MB

Download
memory/3132-263-0x0000000000400000-0x0000000004426000-memory.dmp

Filesize
64.1MB

Download
memory/3132-279-0x0000000000400000-0x0000000004426000-memory.dmp

Filesize
64.1MB

Download
memory/3132-267-0x0000000000400000-0x0000000004426000-memory.dmp

Filesize
64.1MB

Download
memory/3132-270-0x0000000000400000-0x0000000004426000-memory.dmp

Filesize
64.1MB

Download
memory/3132-253-0x0000000000400000-0x0000000004426000-memory.dmp

Filesize
64.1MB

Download
memory/3132-157-0x0000000004E00000-0x0000000005200000-memory.dmp

Filesize
4.0MB

Download
memory/3132-255-0x0000000000400000-0x0000000004426000-memory.dmp

Filesize
64.1MB

Download
memory/3132-273-0x0000000000400000-0x0000000004426000-memory.dmp

Filesize
64.1MB

Download
memory/3132-217-0x0000000000400000-0x0000000004426000-memory.dmp

Filesize
64.1MB

Download
memory/3132-276-0x0000000000400000-0x0000000004426000-memory.dmp

Filesize
64.1MB

Download
memory/3132-282-0x0000000000400000-0x0000000004426000-memory.dmp

Filesize
64.1MB

Download
memory/3468-153-0x0000000000400000-0x0000000004426000-memory.dmp

Filesize
64.1MB

Download
memory/3468-58-0x0000000004980000-0x0000000004D80000-memory.dmp

Filesize
4.0MB

Download
memory/3468-108-0x0000000004980000-0x0000000004D80000-memory.dmp

Filesize
4.0MB

Download
memory/3468-92-0x0000000000400000-0x0000000004426000-memory.dmp

Filesize
64.1MB

Download
memory/5032-264-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/5192-149-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/5192-137-0x0000000070700000-0x000000007074C000-memory.dmp

Filesize
304KB

Download
memory/5192-138-0x0000000070880000-0x0000000070BD4000-memory.dmp

Filesize
3.3MB

Download
memory/5192-136-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/5192-125-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/5192-123-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/5192-124-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download