glupteba | 7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2

Analysis

max time kernel
19s
max time network
26s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Size

4.2MB
MD5

b4a52d9449b068688ad8f448e507f97c
SHA1

c04a6f34d0f13c9f899baaf4a68e3ad3bcdfd582
SHA256

7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2
SHA512

4718da82b1e5d7ba555007b86b95ce0c8ec08470dfeb9029fb90f31b8fbdc21ddff76cec1453a0604eb4a18df11be4accdfab2d0d4fef21069130a8aa6a03854
SSDEEP

98304:GoYeyy8kHe78wPlePBdIBkk7XHCPR9lUiyPcb7obt3hLJPXz:lYed8id2le5CV69lULPddz

Score

10^/10

glupteba dropper evasion loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 3 IoCs

resource	yara_rule
behavioral1/memory/3576-2-0x00000000064B0000-0x0000000006D9B000-memory.dmp	family_glupteba
behavioral1/memory/3576-3-0x0000000000400000-0x000000000441F000-memory.dmp	family_glupteba
behavioral1/memory/3576-76-0x0000000000400000-0x000000000441F000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1880	netsh.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
6116	powershell.exe
6116	powershell.exe
3576	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
3576	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
4920	powershell.exe
4920	powershell.exe
2176	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
2176	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
2176	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
2176	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
2176	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
2176	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
2176	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
2176	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
2176	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
2176	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
3768	powershell.exe
3768	powershell.exe
1448	powershell.exe
1448	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	6116	powershell.exe
Token: SeDebugPrivilege	3576	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Token: SeImpersonatePrivilege	3576	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Token: SeDebugPrivilege	4920	powershell.exe
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 6116	3576	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe	86
PID 3576 wrote to memory of 6116	3576	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe	86
PID 3576 wrote to memory of 6116	3576	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe	86
PID 2176 wrote to memory of 4920	2176	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe	91
PID 2176 wrote to memory of 4920	2176	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe	91
PID 2176 wrote to memory of 4920	2176	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe	91
PID 2176 wrote to memory of 5104	2176	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe	93
PID 2176 wrote to memory of 5104	2176	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe	93
PID 5104 wrote to memory of 1880	5104	cmd.exe	95
PID 5104 wrote to memory of 1880	5104	cmd.exe	95
PID 2176 wrote to memory of 3768	2176	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe	96
PID 2176 wrote to memory of 3768	2176	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe	96
PID 2176 wrote to memory of 3768	2176	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe	96
PID 2176 wrote to memory of 1448	2176	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe	98
PID 2176 wrote to memory of 1448	2176	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe	98
PID 2176 wrote to memory of 1448	2176	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe	98

C:\Users\Admin\AppData\Local\Temp\7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
"C:\Users\Admin\AppData\Local\Temp\7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6116
- C:\Users\Admin\AppData\Local\Temp\7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
  "C:\Users\Admin\AppData\Local\Temp\7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe"
  2⤵
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4920
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5104
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1880
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3768
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0ncdm025.sl0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
4fa8213c44b806c4772a2ebc72d54d42

SHA1
87b8a4dce15e2281c5a0414e5cc18b66415a3a04

SHA256
be4a5826ce56ac8e77abe66c30d74f3e595727c0d54313fbcfd231b647e7bad3

SHA512
0dfe6ce57652682e2a19aa77617cda287169fcbae61e3c7c12b977760318df4c1bc11feb21feec52b56ecdc2e29fcf9da8986d861899c1fc9c7b14490c1de93c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
1bc01d40f60a157589bff96c8358a580

SHA1
c119dd8d7a0a124d4b67ed7b134d1e2d9e83b3dd

SHA256
b137906af009abdf04b9b09c1b4470cdff828dffc22c161dcc6eaf44ab551e84

SHA512
ec1d808ed5696f2ec42e3b8309349f3f9f78319d25870ffdc5a64d0ba5ec48542d19dc34854cccaefe391b7609d3883fd2fb9d079651df10ee869bbfc2a36220

Download Submit
memory/1448-116-0x0000000071590000-0x00000000718E4000-memory.dmp

Filesize
3.3MB

Download
memory/1448-115-0x0000000070E10000-0x0000000070E5C000-memory.dmp

Filesize
304KB

Download
memory/1448-104-0x0000000006120000-0x0000000006474000-memory.dmp

Filesize
3.3MB

Download
memory/3576-2-0x00000000064B0000-0x0000000006D9B000-memory.dmp

Filesize
8.9MB

Download
memory/3576-3-0x0000000000400000-0x000000000441F000-memory.dmp

Filesize
64.1MB

Download
memory/3576-76-0x0000000000400000-0x000000000441F000-memory.dmp

Filesize
64.1MB

Download
memory/3576-1-0x0000000004700000-0x0000000004B05000-memory.dmp

Filesize
4.0MB

Download
memory/3768-90-0x0000000005B40000-0x0000000005E94000-memory.dmp

Filesize
3.3MB

Download
memory/3768-92-0x0000000070E10000-0x0000000070E5C000-memory.dmp

Filesize
304KB

Download
memory/3768-93-0x0000000070F90000-0x00000000712E4000-memory.dmp

Filesize
3.3MB

Download
memory/4920-53-0x0000000005F50000-0x00000000062A4000-memory.dmp

Filesize
3.3MB

Download
memory/4920-77-0x0000000007B60000-0x0000000007B74000-memory.dmp

Filesize
80KB

Download
memory/4920-75-0x0000000007B10000-0x0000000007B21000-memory.dmp

Filesize
68KB

Download
memory/4920-74-0x00000000077E0000-0x0000000007883000-memory.dmp

Filesize
652KB

Download
memory/4920-63-0x0000000070E10000-0x0000000070E5C000-memory.dmp

Filesize
304KB

Download
memory/4920-64-0x00000000715B0000-0x0000000071904000-memory.dmp

Filesize
3.3MB

Download
memory/6116-21-0x0000000005AA0000-0x0000000005DF4000-memory.dmp

Filesize
3.3MB

Download
memory/6116-28-0x0000000007680000-0x00000000076B2000-memory.dmp

Filesize
200KB

Download
memory/6116-40-0x00000000076C0000-0x00000000076DE000-memory.dmp

Filesize
120KB

Download
memory/6116-41-0x00000000076E0000-0x0000000007783000-memory.dmp

Filesize
652KB

Download
memory/6116-42-0x00000000077D0000-0x00000000077DA000-memory.dmp

Filesize
40KB

Download
memory/6116-43-0x00000000078F0000-0x0000000007986000-memory.dmp

Filesize
600KB

Download
memory/6116-44-0x00000000077F0000-0x0000000007801000-memory.dmp

Filesize
68KB

Download
memory/6116-45-0x0000000007830000-0x000000000783E000-memory.dmp

Filesize
56KB

Download
memory/6116-46-0x0000000007850000-0x0000000007864000-memory.dmp

Filesize
80KB

Download
memory/6116-47-0x0000000007890000-0x00000000078AA000-memory.dmp

Filesize
104KB

Download
memory/6116-48-0x0000000007880000-0x0000000007888000-memory.dmp

Filesize
32KB

Download
memory/6116-51-0x0000000074F70000-0x0000000075720000-memory.dmp

Filesize
7.7MB

Download
memory/6116-29-0x0000000070E10000-0x0000000070E5C000-memory.dmp

Filesize
304KB

Download
memory/6116-30-0x0000000071570000-0x00000000718C4000-memory.dmp

Filesize
3.3MB

Download
memory/6116-27-0x00000000074E0000-0x00000000074FA000-memory.dmp

Filesize
104KB

Download
memory/6116-26-0x0000000007B40000-0x00000000081BA000-memory.dmp

Filesize
6.5MB

Download
memory/6116-25-0x0000000007440000-0x00000000074B6000-memory.dmp

Filesize
472KB

Download
memory/6116-24-0x0000000007080000-0x00000000070C4000-memory.dmp

Filesize
272KB

Download
memory/6116-23-0x0000000006140000-0x000000000618C000-memory.dmp

Filesize
304KB

Download
memory/6116-22-0x0000000006120000-0x000000000613E000-memory.dmp

Filesize
120KB

Download
memory/6116-11-0x00000000059F0000-0x0000000005A56000-memory.dmp

Filesize
408KB

Download
memory/6116-10-0x0000000005980000-0x00000000059E6000-memory.dmp

Filesize
408KB

Download
memory/6116-9-0x0000000005170000-0x0000000005192000-memory.dmp

Filesize
136KB

Download
memory/6116-8-0x0000000005250000-0x0000000005878000-memory.dmp

Filesize
6.2MB

Download
memory/6116-7-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/6116-6-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/6116-5-0x0000000074F70000-0x0000000075720000-memory.dmp

Filesize
7.7MB

Download
memory/6116-4-0x0000000004B80000-0x0000000004BB6000-memory.dmp

Filesize
216KB

Download