glupteba | 31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188

Analysis

max time kernel
55s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2024, 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Size

4.2MB
MD5

cc717fe365bb3a5b4fe4c68e9e61fb5a
SHA1

1ee335bc2c1d3be1e3352037be3cbbdcd7a47fbe
SHA256

31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188
SHA512

d47a956a9ec7f2f46d5e89755729bf5f2419d0823d574683839daf3f8bd0921c1f4cdabb216c177da1ea62fec9895d793614781be0cb4d143896690fe720e5e9
SSDEEP

98304:xlPNnLMcliXgk6mZUGEiVLqbbhuqLV4AlEjP7K:xlP9LMc0wkDbEiV0LVI2

Score

10^/10

glupteba dropper evasion loader upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 11 IoCs

resource	yara_rule
behavioral1/memory/2220-2-0x0000000005290000-0x0000000005B7B000-memory.dmp	family_glupteba
behavioral1/memory/2220-3-0x0000000000400000-0x000000000300B000-memory.dmp	family_glupteba
behavioral1/memory/2220-21-0x0000000000400000-0x000000000300B000-memory.dmp	family_glupteba
behavioral1/memory/2220-51-0x0000000005290000-0x0000000005B7B000-memory.dmp	family_glupteba
behavioral1/memory/2220-56-0x0000000000400000-0x000000000300B000-memory.dmp	family_glupteba
behavioral1/memory/2656-59-0x0000000000400000-0x000000000300B000-memory.dmp	family_glupteba
behavioral1/memory/2656-91-0x0000000000400000-0x000000000300B000-memory.dmp	family_glupteba
behavioral1/memory/2656-132-0x0000000000400000-0x000000000300B000-memory.dmp	family_glupteba
behavioral1/memory/2656-153-0x0000000000400000-0x000000000300B000-memory.dmp	family_glupteba
behavioral1/memory/264-225-0x0000000000400000-0x000000000300B000-memory.dmp	family_glupteba
behavioral1/memory/264-260-0x0000000000400000-0x000000000300B000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4788	netsh.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000400000000073d-263.dat	upx
behavioral1/memory/4464-268-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1776-270-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4648	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2832	schtasks.exe
1868	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1284	powershell.exe
1284	powershell.exe
2220	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
2220	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	2220	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
Token: SeImpersonatePrivilege	2220	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1284	2220	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe	91
PID 2220 wrote to memory of 1284	2220	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe	91
PID 2220 wrote to memory of 1284	2220	31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe	91

C:\Users\Admin\AppData\Local\Temp\31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
"C:\Users\Admin\AppData\Local\Temp\31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- C:\Users\Admin\AppData\Local\Temp\31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe
  "C:\Users\Admin\AppData\Local\Temp\31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188.exe"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2656
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:1832
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:1720
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4788
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:1444
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:264
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:1696
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2832
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:4812
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:556
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:3276
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:860
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:1868
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:4464
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:2724
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4004 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:456

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ryg54p0.cxl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
959427778cb8a10dd5826a19cac6cb72

SHA1
40bde2eab28a1d3bcc2717ce0cc97624a65f3673

SHA256
24d10194072215642756f1e0349386e28d70f4e09e6c84af76e5336b0e1eb26f

SHA512
5a13e13b67aec1e99c28076f975c0b5c1e5358d379913a48bac6b1c3018654dd069ba1bd6fe9a2afc9db2bde63bfeb20ec6d22ce5e860d772321a81c17ce8565

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
90eae893add18357321c4fd92fa87365

SHA1
3e357ef90f360f6b588aeb7318e3192af09134e0

SHA256
ee675100add60be6cb97a1661cea5b1a5ddc9c24b1ef12ab796e4496db654f7d

SHA512
e5031e0903ba09490725b9f99b440ea16def5d771910cd5b1149e80f0424889bee96dfff0149b2273704928477c391f368818b05a9b9749aa6bb5b311b400663

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
e8528f5076298732735e8434d96bf3d5

SHA1
7328564df16d2c264adbd4956e32732b990a8015

SHA256
38ded1549daa3efde37d03a117f9665eaa39be35b0480fa40f7b5a42531a2937

SHA512
4fcea65abaad0b2e95ac8bb11cbb67be8c0da329d892a79724c454ec284f2cdcb9e8eb63cb69b0ae6db411f21e1805d5e9af87b26eca10f2d4fc3e265448b26d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
ed216c757cd5ebab901f5d23e53399a7

SHA1
324a9671a39178ce863e70a8cdfc108ac46ccabd

SHA256
d59d65c0c70d4e4c09914ea8792460e77a92b5a9c4366d845dc8a3ad557bd808

SHA512
d1687ae60aff809f41616a2dabb8c4cd7b060f65532dd0259e46bb97cdf8af21b8b9b47dfc205d511f0a7d325ae572587021522c87a893708fc0a846ff67afab

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
02deda4c094e565f07ecca0c6b93544e

SHA1
53e7c72351be446c9045b10ab8ab7c33cd439e6b

SHA256
e0a38db16c3de85d3a568bcca2abc0c4d4ce3667c6642e682dac19fdf4441cbf

SHA512
d444ec876ff9476fde6f9efbb922466c45aba34a86db7b1ef5ac1aadf3fdf3df21fa1d80563405e8fee7cc14a0861eb043dba17b69342692910ebf748ce87973

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
cc717fe365bb3a5b4fe4c68e9e61fb5a

SHA1
1ee335bc2c1d3be1e3352037be3cbbdcd7a47fbe

SHA256
31b85a2487c54ef09ebe2da98c60f69d1fa8c3495c8faf1f1da75e0b48cbe188

SHA512
d47a956a9ec7f2f46d5e89755729bf5f2419d0823d574683839daf3f8bd0921c1f4cdabb216c177da1ea62fec9895d793614781be0cb4d143896690fe720e5e9

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/264-225-0x0000000000400000-0x000000000300B000-memory.dmp

Filesize
44.0MB

Download
memory/264-269-0x0000000000400000-0x000000000300B000-memory.dmp

Filesize
44.0MB

Download
memory/264-260-0x0000000000400000-0x000000000300B000-memory.dmp

Filesize
44.0MB

Download
memory/264-271-0x0000000000400000-0x000000000300B000-memory.dmp

Filesize
44.0MB

Download
memory/1284-29-0x00000000078A0000-0x00000000078D2000-memory.dmp

Filesize
200KB

Download
memory/1284-47-0x0000000007A30000-0x0000000007A3E000-memory.dmp

Filesize
56KB

Download
memory/1284-25-0x0000000002C70000-0x0000000002C80000-memory.dmp

Filesize
64KB

Download
memory/1284-26-0x00000000075A0000-0x0000000007616000-memory.dmp

Filesize
472KB

Download
memory/1284-27-0x0000000007D10000-0x000000000838A000-memory.dmp

Filesize
6.5MB

Download
memory/1284-28-0x00000000076C0000-0x00000000076DA000-memory.dmp

Filesize
104KB

Download
memory/1284-23-0x00000000063E0000-0x000000000642C000-memory.dmp

Filesize
304KB

Download
memory/1284-32-0x0000000070860000-0x0000000070BB4000-memory.dmp

Filesize
3.3MB

Download
memory/1284-31-0x0000000070290000-0x00000000702DC000-memory.dmp

Filesize
304KB

Download
memory/1284-30-0x000000007F0F0000-0x000000007F100000-memory.dmp

Filesize
64KB

Download
memory/1284-42-0x0000000007880000-0x000000000789E000-memory.dmp

Filesize
120KB

Download
memory/1284-43-0x00000000078E0000-0x0000000007983000-memory.dmp

Filesize
652KB

Download
memory/1284-44-0x00000000079D0000-0x00000000079DA000-memory.dmp

Filesize
40KB

Download
memory/1284-45-0x0000000007A90000-0x0000000007B26000-memory.dmp

Filesize
600KB

Download
memory/1284-46-0x00000000079F0000-0x0000000007A01000-memory.dmp

Filesize
68KB

Download
memory/1284-24-0x0000000006690000-0x00000000066D4000-memory.dmp

Filesize
272KB

Download
memory/1284-48-0x0000000007A40000-0x0000000007A54000-memory.dmp

Filesize
80KB

Download
memory/1284-50-0x0000000007B30000-0x0000000007B4A000-memory.dmp

Filesize
104KB

Download
memory/1284-22-0x0000000004FC0000-0x0000000004FDE000-memory.dmp

Filesize
120KB

Download
memory/1284-16-0x0000000005C00000-0x0000000005F54000-memory.dmp

Filesize
3.3MB

Download
memory/1284-52-0x0000000007A70000-0x0000000007A78000-memory.dmp

Filesize
32KB

Download
memory/1284-55-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/1284-10-0x00000000059D0000-0x0000000005A36000-memory.dmp

Filesize
408KB

Download
memory/1284-9-0x0000000005330000-0x0000000005396000-memory.dmp

Filesize
408KB

Download
memory/1284-8-0x0000000005280000-0x00000000052A2000-memory.dmp

Filesize
136KB

Download
memory/1284-7-0x00000000053A0000-0x00000000059C8000-memory.dmp

Filesize
6.2MB

Download
memory/1284-6-0x0000000002C80000-0x0000000002CB6000-memory.dmp

Filesize
216KB

Download
memory/1284-5-0x0000000002C70000-0x0000000002C80000-memory.dmp

Filesize
64KB

Download
memory/1284-4-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/1444-133-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/1444-134-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download
memory/1444-130-0x0000000006360000-0x00000000066B4000-memory.dmp

Filesize
3.3MB

Download
memory/1444-135-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download
memory/1444-149-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/1444-136-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download
memory/1444-137-0x0000000070390000-0x00000000703DC000-memory.dmp

Filesize
304KB

Download
memory/1444-138-0x0000000070540000-0x0000000070894000-memory.dmp

Filesize
3.3MB

Download
memory/1776-270-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1832-73-0x0000000070390000-0x00000000703DC000-memory.dmp

Filesize
304KB

Download
memory/1832-89-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/1832-74-0x0000000070B50000-0x0000000070EA4000-memory.dmp

Filesize
3.3MB

Download
memory/1832-72-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/1832-86-0x0000000007440000-0x0000000007454000-memory.dmp

Filesize
80KB

Download
memory/1832-85-0x00000000073F0000-0x0000000007401000-memory.dmp

Filesize
68KB

Download
memory/1832-71-0x0000000005F50000-0x0000000005F9C000-memory.dmp

Filesize
304KB

Download
memory/1832-60-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/1832-70-0x0000000005890000-0x0000000005BE4000-memory.dmp

Filesize
3.3MB

Download
memory/1832-84-0x00000000070F0000-0x0000000007193000-memory.dmp

Filesize
652KB

Download
memory/2220-2-0x0000000005290000-0x0000000005B7B000-memory.dmp

Filesize
8.9MB

Download
memory/2220-56-0x0000000000400000-0x000000000300B000-memory.dmp

Filesize
44.0MB

Download
memory/2220-1-0x00000000036E0000-0x0000000003AE4000-memory.dmp

Filesize
4.0MB

Download
memory/2220-51-0x0000000005290000-0x0000000005B7B000-memory.dmp

Filesize
8.9MB

Download
memory/2220-49-0x00000000036E0000-0x0000000003AE4000-memory.dmp

Filesize
4.0MB

Download
memory/2220-21-0x0000000000400000-0x000000000300B000-memory.dmp

Filesize
44.0MB

Download
memory/2220-3-0x0000000000400000-0x000000000300B000-memory.dmp

Filesize
44.0MB

Download
memory/2656-104-0x0000000003530000-0x0000000003936000-memory.dmp

Filesize
4.0MB

Download
memory/2656-58-0x0000000003530000-0x0000000003936000-memory.dmp

Filesize
4.0MB

Download
memory/2656-91-0x0000000000400000-0x000000000300B000-memory.dmp

Filesize
44.0MB

Download
memory/2656-153-0x0000000000400000-0x000000000300B000-memory.dmp

Filesize
44.0MB

Download
memory/2656-132-0x0000000000400000-0x000000000300B000-memory.dmp

Filesize
44.0MB

Download
memory/2656-59-0x0000000000400000-0x000000000300B000-memory.dmp

Filesize
44.0MB

Download
memory/2680-109-0x0000000070B50000-0x0000000070EA4000-memory.dmp

Filesize
3.3MB

Download
memory/2680-108-0x000000007FAD0000-0x000000007FAE0000-memory.dmp

Filesize
64KB

Download
memory/2680-107-0x0000000070390000-0x00000000703DC000-memory.dmp

Filesize
304KB

Download
memory/2680-106-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/2680-93-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/2680-92-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/2680-94-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/2680-120-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/4464-268-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download