glupteba | 7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2

Analysis

max time kernel
5s
max time network
144s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
26/04/2024, 12:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Size

4.2MB
MD5

b4a52d9449b068688ad8f448e507f97c
SHA1

c04a6f34d0f13c9f899baaf4a68e3ad3bcdfd582
SHA256

7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2
SHA512

4718da82b1e5d7ba555007b86b95ce0c8ec08470dfeb9029fb90f31b8fbdc21ddff76cec1453a0604eb4a18df11be4accdfab2d0d4fef21069130a8aa6a03854
SSDEEP

98304:GoYeyy8kHe78wPlePBdIBkk7XHCPR9lUiyPcb7obt3hLJPXz:lYed8id2le5CV69lULPddz

Score

10^/10

glupteba dropper evasion loader upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 14 IoCs

resource	yara_rule
behavioral2/memory/2652-2-0x0000000006690000-0x0000000006F7B000-memory.dmp	family_glupteba
behavioral2/memory/2652-3-0x0000000000400000-0x000000000441F000-memory.dmp	family_glupteba
behavioral2/memory/2652-195-0x0000000006690000-0x0000000006F7B000-memory.dmp	family_glupteba
behavioral2/memory/4408-211-0x0000000000400000-0x000000000441F000-memory.dmp	family_glupteba
behavioral2/memory/4408-213-0x0000000000400000-0x000000000441F000-memory.dmp	family_glupteba
behavioral2/memory/4408-217-0x0000000000400000-0x000000000441F000-memory.dmp	family_glupteba
behavioral2/memory/4408-220-0x0000000000400000-0x000000000441F000-memory.dmp	family_glupteba
behavioral2/memory/4408-223-0x0000000000400000-0x000000000441F000-memory.dmp	family_glupteba
behavioral2/memory/4408-226-0x0000000000400000-0x000000000441F000-memory.dmp	family_glupteba
behavioral2/memory/4408-229-0x0000000000400000-0x000000000441F000-memory.dmp	family_glupteba
behavioral2/memory/4408-232-0x0000000000400000-0x000000000441F000-memory.dmp	family_glupteba
behavioral2/memory/4408-235-0x0000000000400000-0x000000000441F000-memory.dmp	family_glupteba
behavioral2/memory/4408-238-0x0000000000400000-0x000000000441F000-memory.dmp	family_glupteba
behavioral2/memory/4408-240-0x0000000000400000-0x000000000441F000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1988	netsh.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1000-202-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/files/0x000200000002aa0d-201.dat	upx
behavioral2/files/0x000200000002aa0d-203.dat	upx
behavioral2/memory/1240-205-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/1000-206-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/1240-209-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/1240-215-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
432	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4704	schtasks.exe
1392	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4160	powershell.exe
4160	powershell.exe
2652	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
2652	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
4904	powershell.exe
4904	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4160	powershell.exe
Token: SeDebugPrivilege	2652	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Token: SeImpersonatePrivilege	2652	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
Token: SeDebugPrivilege	4904	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 4160	2652	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe	105
PID 2652 wrote to memory of 4160	2652	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe	105
PID 2652 wrote to memory of 4160	2652	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe	105
PID 1260 wrote to memory of 4904	1260	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe	86
PID 1260 wrote to memory of 4904	1260	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe	86
PID 1260 wrote to memory of 4904	1260	7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe	86

C:\Users\Admin\AppData\Local\Temp\7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
"C:\Users\Admin\AppData\Local\Temp\7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4160
- C:\Users\Admin\AppData\Local\Temp\7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe
  "C:\Users\Admin\AppData\Local\Temp\7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2.exe"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4904
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:4816
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1988
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:3132
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:4652
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:4408
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:848
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:4704
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:4296
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:1056
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:3692
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4160
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:4224
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:1392
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:1000
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:4340
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:432

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dulbx00w.5ky.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
ac4917a885cf6050b1a483e4bc4d2ea5

SHA1
b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

SHA256
e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

SHA512
092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
be5820c3fbdb4a408d8e8ad26f07150b

SHA1
03e06da1d3759c7b72e1967bf1859f168f26a394

SHA256
34f842af36e0a62f70c688fb84c11a749aa7877404075d6e4d11c8d38c04af16

SHA512
023ae691a6c737266a9cc4ce31b3168a436fa8753e9d27b7600d6fecd4ed7f6e7775f0316f551659813576db54cea60b3080c928275915bfbd1d2fef6f91d36a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
0d4f3017e978389ecfad8e06bf3de43b

SHA1
4448b83f933c572c737001367a20b2d01c4a9609

SHA256
22e9eb0a87a86ef4bb46f82918cb616a656289c94abc9735c552a1dffebfcc4a

SHA512
5c746a211f3c8eae35e04108b49b72b8c63da788d5a92bbf478bb19cc1af521d6a4ee14c82d1b4536034859339c5540c130e7b01a5d713ee8a014a4a3685549b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
e316133bfd643cc5b31c73354f2285cc

SHA1
68a42c193c39900ff1ea651718ced71a2719ce27

SHA256
4d4aacaf36708aabff5653b48229eef8cec60c407f229c2dbd22c2fd3e066551

SHA512
8a5b54a27617650e0cdd0b4f2fb6716de02224741dc88cbe8aa4cee7721b3caa9bea666043da0040426b7f84bbb6f106d3c8a3817fd0c2a76efed085a9f7ebbd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
57d7adbc3e039ed23aede421bb75ff62

SHA1
0c2b64805d346043c70099f058fd21076cb5eb1a

SHA256
c7656dd81b85dae5d14be922511b8005b70faad131bdaf128f7737012ed1b3b9

SHA512
b360f8fbed806f13cdc71c5dc62556e77b7565112872575c728e2ab41b225f09e09e97d44420a29d154d2e03c88fa2f174f8c356c738f96a1f4da727783aef18

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
db012d79eddae1790cc4d52858d68122

SHA1
d6131b1eb2f921fe410c9267d2eae7cb616ad55f

SHA256
48b7dee1a27bc328c231ebaef6dbf2979342ef67c774b876a466b31b9dd33168

SHA512
0509a0ed89bb27929349433ee45c902240d0b7b478f45136b53344c83d8652047ad81e5a3db87e632882a4a69f515783c0370a3321c609a14d0f594b7a148674

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
b4a52d9449b068688ad8f448e507f97c

SHA1
c04a6f34d0f13c9f899baaf4a68e3ad3bcdfd582

SHA256
7e0f2927b47237728e50777ffda662baaff922c9c5bb4a6be435e210b34328c2

SHA512
4718da82b1e5d7ba555007b86b95ce0c8ec08470dfeb9029fb90f31b8fbdc21ddff76cec1453a0604eb4a18df11be4accdfab2d0d4fef21069130a8aa6a03854

Download Submit
C:\Windows\rss\csrss.exe

Filesize
2.1MB

MD5
be2c96223729b0ab8b715d6baaa9e024

SHA1
25367ab3e5ef2efb1d8ce0d8eb157d038512345a

SHA256
bdd6098bb4640064b0c62469d4723b3f11adcefd5d6691bff520a5439762bc49

SHA512
8b78cbde0ee5b74003f28a34001c4d19a94a3a81ce972210e06ab8cba23da09bf620cc697139bea4dae3c13f67535c3a301ef649225bd6a13e88581f50b91342

Download Submit
C:\Windows\windefender.exe

Filesize
1.2MB

MD5
a43d1181c5c818d7d78e782ec1828903

SHA1
ce87b6b09f2b30c85a2420d7e1471a0c2db55475

SHA256
57b26db83b472d3aa74fdc739ae2a2aab69513a334cc9850d2adc81053093cf4

SHA512
5985d550e97d5a383a3b121dd3c42ef032f3815afa7ac6ff35c0935fb143c51c5ac0406b0dd854c1936aff98d8da964ba1c390187b81380ee891ac8708cdd6d4

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/848-129-0x0000000005DA0000-0x00000000060F7000-memory.dmp

Filesize
3.3MB

Download
memory/848-132-0x0000000071140000-0x0000000071497000-memory.dmp

Filesize
3.3MB

Download
memory/848-131-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

Filesize
304KB

Download
memory/1000-202-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1000-206-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1056-153-0x0000000006360000-0x00000000063AC000-memory.dmp

Filesize
304KB

Download
memory/1056-166-0x0000000006120000-0x0000000006135000-memory.dmp

Filesize
84KB

Download
memory/1056-165-0x00000000078D0000-0x00000000078E1000-memory.dmp

Filesize
68KB

Download
memory/1056-154-0x0000000070EC0000-0x0000000070F0C000-memory.dmp

Filesize
304KB

Download
memory/1056-143-0x0000000005D30000-0x0000000006087000-memory.dmp

Filesize
3.3MB

Download
memory/1056-164-0x0000000007590000-0x0000000007634000-memory.dmp

Filesize
656KB

Download
memory/1056-155-0x0000000071110000-0x0000000071467000-memory.dmp

Filesize
3.3MB

Download
memory/1240-209-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1240-205-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1240-215-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1260-118-0x0000000000400000-0x000000000441F000-memory.dmp

Filesize
64.1MB

Download
memory/2652-194-0x0000000004760000-0x0000000004B61000-memory.dmp

Filesize
4.0MB

Download
memory/2652-195-0x0000000006690000-0x0000000006F7B000-memory.dmp

Filesize
8.9MB

Download
memory/2652-141-0x0000000000400000-0x000000000441F000-memory.dmp

Filesize
64.1MB

Download
memory/2652-1-0x0000000004760000-0x0000000004B61000-memory.dmp

Filesize
4.0MB

Download
memory/2652-3-0x0000000000400000-0x000000000441F000-memory.dmp

Filesize
64.1MB

Download
memory/2652-2-0x0000000006690000-0x0000000006F7B000-memory.dmp

Filesize
8.9MB

Download
memory/3132-85-0x00000000711F0000-0x0000000071547000-memory.dmp

Filesize
3.3MB

Download
memory/3132-74-0x0000000005A70000-0x0000000005DC7000-memory.dmp

Filesize
3.3MB

Download
memory/3132-84-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

Filesize
304KB

Download
memory/3692-178-0x0000000070EC0000-0x0000000070F0C000-memory.dmp

Filesize
304KB

Download
memory/3692-176-0x0000000005F60000-0x00000000062B7000-memory.dmp

Filesize
3.3MB

Download
memory/3692-179-0x0000000071040000-0x0000000071397000-memory.dmp

Filesize
3.3MB

Download
memory/4160-36-0x00000000084A0000-0x0000000008B1A000-memory.dmp

Filesize
6.5MB

Download
memory/4160-22-0x0000000006E50000-0x0000000006E96000-memory.dmp

Filesize
280KB

Download
memory/4160-4-0x00000000033C0000-0x00000000033F6000-memory.dmp

Filesize
216KB

Download
memory/4160-5-0x0000000074D30000-0x00000000754E1000-memory.dmp

Filesize
7.7MB

Download
memory/4160-6-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/4160-7-0x0000000005E60000-0x000000000648A000-memory.dmp

Filesize
6.2MB

Download
memory/4160-8-0x00000000059E0000-0x0000000005A02000-memory.dmp

Filesize
136KB

Download
memory/4160-9-0x0000000005B80000-0x0000000005BE6000-memory.dmp

Filesize
408KB

Download
memory/4160-10-0x0000000005D20000-0x0000000005D86000-memory.dmp

Filesize
408KB

Download
memory/4160-47-0x0000000074D30000-0x00000000754E1000-memory.dmp

Filesize
7.7MB

Download
memory/4160-44-0x0000000007F50000-0x0000000007F58000-memory.dmp

Filesize
32KB

Download
memory/4160-43-0x0000000007F60000-0x0000000007F7A000-memory.dmp

Filesize
104KB

Download
memory/4160-42-0x0000000007F10000-0x0000000007F25000-memory.dmp

Filesize
84KB

Download
memory/4160-41-0x0000000007F00000-0x0000000007F0E000-memory.dmp

Filesize
56KB

Download
memory/4160-40-0x0000000007EC0000-0x0000000007ED1000-memory.dmp

Filesize
68KB

Download
memory/4160-39-0x0000000007FA0000-0x0000000008036000-memory.dmp

Filesize
600KB

Download
memory/4160-38-0x0000000007E90000-0x0000000007E9A000-memory.dmp

Filesize
40KB

Download
memory/4160-37-0x0000000007E50000-0x0000000007E6A000-memory.dmp

Filesize
104KB

Download
memory/4160-35-0x0000000007D30000-0x0000000007DD4000-memory.dmp

Filesize
656KB

Download
memory/4160-34-0x0000000007D10000-0x0000000007D2E000-memory.dmp

Filesize
120KB

Download
memory/4160-25-0x0000000071130000-0x0000000071487000-memory.dmp

Filesize
3.3MB

Download
memory/4160-23-0x0000000007CD0000-0x0000000007D04000-memory.dmp

Filesize
208KB

Download
memory/4160-24-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

Filesize
304KB

Download
memory/4160-19-0x0000000006490000-0x00000000067E7000-memory.dmp

Filesize
3.3MB

Download
memory/4160-21-0x00000000068F0000-0x000000000693C000-memory.dmp

Filesize
304KB

Download
memory/4160-20-0x00000000068A0000-0x00000000068BE000-memory.dmp

Filesize
120KB

Download
memory/4408-226-0x0000000000400000-0x000000000441F000-memory.dmp

Filesize
64.1MB

Download
memory/4408-220-0x0000000000400000-0x000000000441F000-memory.dmp

Filesize
64.1MB

Download
memory/4408-240-0x0000000000400000-0x000000000441F000-memory.dmp

Filesize
64.1MB

Download
memory/4408-238-0x0000000000400000-0x000000000441F000-memory.dmp

Filesize
64.1MB

Download
memory/4408-235-0x0000000000400000-0x000000000441F000-memory.dmp

Filesize
64.1MB

Download
memory/4408-232-0x0000000000400000-0x000000000441F000-memory.dmp

Filesize
64.1MB

Download
memory/4408-229-0x0000000000400000-0x000000000441F000-memory.dmp

Filesize
64.1MB

Download
memory/4408-208-0x0000000000400000-0x000000000441F000-memory.dmp

Filesize
64.1MB

Download
memory/4408-223-0x0000000000400000-0x000000000441F000-memory.dmp

Filesize
64.1MB

Download
memory/4408-211-0x0000000000400000-0x000000000441F000-memory.dmp

Filesize
64.1MB

Download
memory/4408-197-0x0000000000400000-0x000000000441F000-memory.dmp

Filesize
64.1MB

Download
memory/4408-217-0x0000000000400000-0x000000000441F000-memory.dmp

Filesize
64.1MB

Download
memory/4408-213-0x0000000000400000-0x000000000441F000-memory.dmp

Filesize
64.1MB

Download
memory/4652-104-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

Filesize
304KB

Download
memory/4652-105-0x00000000711F0000-0x0000000071547000-memory.dmp

Filesize
3.3MB

Download
memory/4904-70-0x0000000007550000-0x0000000007565000-memory.dmp

Filesize
84KB

Download
memory/4904-69-0x0000000007500000-0x0000000007511000-memory.dmp

Filesize
68KB

Download
memory/4904-59-0x00000000718E0000-0x0000000071C37000-memory.dmp

Filesize
3.3MB

Download
memory/4904-68-0x00000000071D0000-0x0000000007274000-memory.dmp

Filesize
656KB

Download
memory/4904-58-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

Filesize
304KB

Download
memory/4904-57-0x0000000005AE0000-0x0000000005E37000-memory.dmp

Filesize
3.3MB

Download