glupteba | 1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6

Analysis

max time kernel
5s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Size

4.2MB
MD5

cc9c7b0470db1f1553bc306866ab0f40
SHA1

7dd1c23c7cc529bd5ffbf955e804d9da033458d5
SHA256

1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6
SHA512

caaeafffe16ffc610e0f5369815d2598e688fc803dee1d02a8c960fceb9497adb149f3cf39678eba752df9d0467abcf1267e4e0cc77723a6a8e21936bf282efd
SSDEEP

98304:uevzfZDFQyVnMG9h3iRv7wTG+HYT3M4TI:ZxJQUMGk0DHcI

Score

10^/10

glupteba dropper evasion loader upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 17 IoCs

resource	yara_rule
behavioral1/memory/1516-2-0x0000000006460000-0x0000000006D4B000-memory.dmp	family_glupteba
behavioral1/memory/1516-90-0x0000000006460000-0x0000000006D4B000-memory.dmp	family_glupteba
behavioral1/memory/1516-167-0x0000000000400000-0x0000000004418000-memory.dmp	family_glupteba
behavioral1/memory/640-229-0x0000000000400000-0x0000000004418000-memory.dmp	family_glupteba
behavioral1/memory/4512-251-0x0000000000400000-0x0000000004418000-memory.dmp	family_glupteba
behavioral1/memory/4512-262-0x0000000000400000-0x0000000004418000-memory.dmp	family_glupteba
behavioral1/memory/4512-266-0x0000000000400000-0x0000000004418000-memory.dmp	family_glupteba
behavioral1/memory/4512-269-0x0000000000400000-0x0000000004418000-memory.dmp	family_glupteba
behavioral1/memory/4512-273-0x0000000000400000-0x0000000004418000-memory.dmp	family_glupteba
behavioral1/memory/4512-277-0x0000000000400000-0x0000000004418000-memory.dmp	family_glupteba
behavioral1/memory/4512-281-0x0000000000400000-0x0000000004418000-memory.dmp	family_glupteba
behavioral1/memory/4512-285-0x0000000000400000-0x0000000004418000-memory.dmp	family_glupteba
behavioral1/memory/4512-289-0x0000000000400000-0x0000000004418000-memory.dmp	family_glupteba
behavioral1/memory/4512-293-0x0000000000400000-0x0000000004418000-memory.dmp	family_glupteba
behavioral1/memory/4512-297-0x0000000000400000-0x0000000004418000-memory.dmp	family_glupteba
behavioral1/memory/4512-302-0x0000000000400000-0x0000000004418000-memory.dmp	family_glupteba
behavioral1/memory/4512-306-0x0000000000400000-0x0000000004418000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3680	netsh.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000023475-255.dat	upx
behavioral1/memory/964-260-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2148-264-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2148-272-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2288	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4548	schtasks.exe
4540	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3608	powershell.exe
3608	powershell.exe
1516	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
1516	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
4492	powershell.exe
4492	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeDebugPrivilege	1516	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Token: SeImpersonatePrivilege	1516	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
Token: SeDebugPrivilege	4492	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 3608	1516	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe	88
PID 1516 wrote to memory of 3608	1516	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe	88
PID 1516 wrote to memory of 3608	1516	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe	88
PID 640 wrote to memory of 4492	640	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe	96
PID 640 wrote to memory of 4492	640	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe	96
PID 640 wrote to memory of 4492	640	1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe	96

C:\Users\Admin\AppData\Local\Temp\1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
"C:\Users\Admin\AppData\Local\Temp\1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3608
- C:\Users\Admin\AppData\Local\Temp\1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe
  "C:\Users\Admin\AppData\Local\Temp\1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6.exe"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4492
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:4840
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:3680
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:968
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:4512
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2988
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:4548
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:4388
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:764
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:344
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:1340
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:4540
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:964
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:4416
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:2288

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_klbch3wf.y3t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
e0d7615e3bf63cfbfb4234b3b47ea441

SHA1
3db9d326bc08e9961a78f5f1e36c8bcf948882a9

SHA256
ce5105154c49d77213cc9b15361a63f5b2cc3267843ce66dfe59c245411c610a

SHA512
a2c1b20affdd0f41d60f1f167ceb34c743c5206391d0239e557f1503dadd6352885a73d971cf8d89443b6e8eaed093b32518bb312ad0f606480d70f48ec8358f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
3af6e9d021c011fce02cde23ec1433cb

SHA1
dc8cca169466d7e07679a49ac938fcbf040ce85e

SHA256
469eacab7975fcbe7c2b7af0bf7e0799390be311aacc6a9844dd6ee70b66003b

SHA512
fe346a99a12f0f53d52222f030fd64df63fc33f281c88e1265e346512b83bf4652a18fb1d5b67d1b231e7123553a6b8565c727164b7391ebd129899aeb255c0c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
062ca407dd9f43610f49a50d4e95f920

SHA1
aa8faca3e9a8e601a06fec6f5b1afba04085546f

SHA256
1375359d429dc97bffa40c52c904b94662cd5eba7958f24a6cc0610ac3852c18

SHA512
167e6b0fd51429d5c09323aa9014321455c7f3535f95d3d01967dac589f010694af63ba2b2563990389a85c18e930bd5802d81816c90d0749940c054fabd0648

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
9f5eee7c818984c8f9312e3a74580eac

SHA1
e613614ed3afff4939a19b1032fc54cf175af315

SHA256
52fa3e0b0aa383a93ccbef5da9306da6e910de0a794468a71c5fe56582455822

SHA512
7e7555488f5cd4c3b1332f60a635e80730679ca43599e7e1268f55e581f55f3c637729426c68d9317a23a78c99f9e11c2931ff3a66dab17ef05f44234d7a04ec

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
5f1884cc388c03b22dd49aeb339d3fff

SHA1
babf941acffd37375dca246834003d9e59863fcd

SHA256
005fbf7b3910216935982d815fcc914c39a4df7556702f288f3e5a1dc9fd1a8d

SHA512
c77af9261659a8e16451f24da68d1ed2f9a6e486078c4606167acd92f9896c35066340f32268cbb6fb23fe31580c12079ddf761e1e3658d8ee1437da78aa6cb4

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
cc9c7b0470db1f1553bc306866ab0f40

SHA1
7dd1c23c7cc529bd5ffbf955e804d9da033458d5

SHA256
1cc3966fcd7370594d631f2eb19b4696b14de1aa8aa1c4da6d3ac59a9f3c05a6

SHA512
caaeafffe16ffc610e0f5369815d2598e688fc803dee1d02a8c960fceb9497adb149f3cf39678eba752df9d0467abcf1267e4e0cc77723a6a8e21936bf282efd

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/640-229-0x0000000000400000-0x0000000004418000-memory.dmp

Filesize
64.1MB

Download
memory/640-54-0x0000000004830000-0x0000000004C33000-memory.dmp

Filesize
4.0MB

Download
memory/640-120-0x0000000004830000-0x0000000004C33000-memory.dmp

Filesize
4.0MB

Download
memory/964-260-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/968-121-0x0000000003060000-0x0000000003070000-memory.dmp

Filesize
64KB

Download
memory/968-119-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/968-145-0x0000000003060000-0x0000000003070000-memory.dmp

Filesize
64KB

Download
memory/968-135-0x0000000070DA0000-0x00000000710F4000-memory.dmp

Filesize
3.3MB

Download
memory/968-134-0x000000007F3E0000-0x000000007F3F0000-memory.dmp

Filesize
64KB

Download
memory/968-131-0x0000000003060000-0x0000000003070000-memory.dmp

Filesize
64KB

Download
memory/968-133-0x0000000070C20000-0x0000000070C6C000-memory.dmp

Filesize
304KB

Download
memory/1516-167-0x0000000000400000-0x0000000004418000-memory.dmp

Filesize
64.1MB

Download
memory/1516-1-0x00000000047C0000-0x0000000004BBC000-memory.dmp

Filesize
4.0MB

Download
memory/1516-2-0x0000000006460000-0x0000000006D4B000-memory.dmp

Filesize
8.9MB

Download
memory/1516-68-0x00000000047C0000-0x0000000004BBC000-memory.dmp

Filesize
4.0MB

Download
memory/1516-90-0x0000000006460000-0x0000000006D4B000-memory.dmp

Filesize
8.9MB

Download
memory/2148-264-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2148-272-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2356-105-0x000000007F9D0000-0x000000007F9E0000-memory.dmp

Filesize
64KB

Download
memory/2356-92-0x0000000006070000-0x00000000063C4000-memory.dmp

Filesize
3.3MB

Download
memory/2356-98-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/2356-91-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/2356-103-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/2356-106-0x0000000070C20000-0x0000000070C6C000-memory.dmp

Filesize
304KB

Download
memory/2356-107-0x00000000713A0000-0x00000000716F4000-memory.dmp

Filesize
3.3MB

Download
memory/2356-118-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/3608-30-0x0000000070DC0000-0x0000000071114000-memory.dmp

Filesize
3.3MB

Download
memory/3608-28-0x00000000076C0000-0x00000000076F2000-memory.dmp

Filesize
200KB

Download
memory/3608-4-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/3608-6-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/3608-7-0x0000000005200000-0x0000000005828000-memory.dmp

Filesize
6.2MB

Download
memory/3608-5-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/3608-3-0x0000000004B70000-0x0000000004BA6000-memory.dmp

Filesize
216KB

Download
memory/3608-9-0x0000000005930000-0x0000000005996000-memory.dmp

Filesize
408KB

Download
memory/3608-10-0x0000000005A10000-0x0000000005A76000-memory.dmp

Filesize
408KB

Download
memory/3608-8-0x0000000005150000-0x0000000005172000-memory.dmp

Filesize
136KB

Download
memory/3608-20-0x0000000005B00000-0x0000000005E54000-memory.dmp

Filesize
3.3MB

Download
memory/3608-22-0x0000000006180000-0x00000000061CC000-memory.dmp

Filesize
304KB

Download
memory/3608-21-0x0000000006130000-0x000000000614E000-memory.dmp

Filesize
120KB

Download
memory/3608-23-0x00000000072B0000-0x00000000072F4000-memory.dmp

Filesize
272KB

Download
memory/3608-52-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/3608-46-0x0000000007870000-0x000000000787E000-memory.dmp

Filesize
56KB

Download
memory/3608-48-0x0000000007970000-0x000000000798A000-memory.dmp

Filesize
104KB

Download
memory/3608-49-0x00000000078C0000-0x00000000078C8000-memory.dmp

Filesize
32KB

Download
memory/3608-47-0x0000000007880000-0x0000000007894000-memory.dmp

Filesize
80KB

Download
memory/3608-45-0x0000000007830000-0x0000000007841000-memory.dmp

Filesize
68KB

Download
memory/3608-44-0x00000000078D0000-0x0000000007966000-memory.dmp

Filesize
600KB

Download
memory/3608-27-0x000000007F7F0000-0x000000007F800000-memory.dmp

Filesize
64KB

Download
memory/3608-29-0x0000000070C20000-0x0000000070C6C000-memory.dmp

Filesize
304KB

Download
memory/3608-40-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/3608-43-0x0000000007810000-0x000000000781A000-memory.dmp

Filesize
40KB

Download
memory/3608-42-0x0000000007720000-0x00000000077C3000-memory.dmp

Filesize
652KB

Download
memory/3608-41-0x0000000007700000-0x000000000771E000-memory.dmp

Filesize
120KB

Download
memory/3608-24-0x0000000007470000-0x00000000074E6000-memory.dmp

Filesize
472KB

Download
memory/3608-25-0x0000000007B70000-0x00000000081EA000-memory.dmp

Filesize
6.5MB

Download
memory/3608-26-0x0000000007510000-0x000000000752A000-memory.dmp

Filesize
104KB

Download
memory/4492-84-0x0000000007C00000-0x0000000007C11000-memory.dmp

Filesize
68KB

Download
memory/4492-56-0x00000000051F0000-0x0000000005200000-memory.dmp

Filesize
64KB

Download
memory/4492-57-0x00000000051F0000-0x0000000005200000-memory.dmp

Filesize
64KB

Download
memory/4492-88-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/4492-85-0x0000000007C50000-0x0000000007C64000-memory.dmp

Filesize
80KB

Download
memory/4492-67-0x00000000061E0000-0x0000000006534000-memory.dmp

Filesize
3.3MB

Download
memory/4492-83-0x00000000051F0000-0x0000000005200000-memory.dmp

Filesize
64KB

Download
memory/4492-70-0x000000007F360000-0x000000007F370000-memory.dmp

Filesize
64KB

Download
memory/4492-71-0x0000000070DA0000-0x00000000710F4000-memory.dmp

Filesize
3.3MB

Download
memory/4492-69-0x0000000070C20000-0x0000000070C6C000-memory.dmp

Filesize
304KB

Download
memory/4492-81-0x00000000051F0000-0x0000000005200000-memory.dmp

Filesize
64KB

Download
memory/4492-82-0x00000000078D0000-0x0000000007973000-memory.dmp

Filesize
652KB

Download
memory/4492-55-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/4512-262-0x0000000000400000-0x0000000004418000-memory.dmp

Filesize
64.1MB

Download
memory/4512-266-0x0000000000400000-0x0000000004418000-memory.dmp

Filesize
64.1MB

Download
memory/4512-269-0x0000000000400000-0x0000000004418000-memory.dmp

Filesize
64.1MB

Download
memory/4512-251-0x0000000000400000-0x0000000004418000-memory.dmp

Filesize
64.1MB

Download
memory/4512-273-0x0000000000400000-0x0000000004418000-memory.dmp

Filesize
64.1MB

Download
memory/4512-277-0x0000000000400000-0x0000000004418000-memory.dmp

Filesize
64.1MB

Download
memory/4512-281-0x0000000000400000-0x0000000004418000-memory.dmp

Filesize
64.1MB

Download
memory/4512-285-0x0000000000400000-0x0000000004418000-memory.dmp

Filesize
64.1MB

Download
memory/4512-289-0x0000000000400000-0x0000000004418000-memory.dmp

Filesize
64.1MB

Download
memory/4512-293-0x0000000000400000-0x0000000004418000-memory.dmp

Filesize
64.1MB

Download
memory/4512-297-0x0000000000400000-0x0000000004418000-memory.dmp

Filesize
64.1MB

Download
memory/4512-302-0x0000000000400000-0x0000000004418000-memory.dmp

Filesize
64.1MB

Download
memory/4512-306-0x0000000000400000-0x0000000004418000-memory.dmp

Filesize
64.1MB

Download