glupteba | 505605b429f8062d45de5fcae156f055a44f3becbc94637d7037e18e1c5c33cb

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe

Windows security bypass 2 TTPs 2 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe = "0"	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3180	powershell.exe
1708	powershell.exe
5056	powershell.exe
5844	powershell.exe
2364	powershell.exe
5648	powershell.exe
1636	powershell.exe
6052	powershell.exe
5956	powershell.exe
6060	powershell.exe
4752	powershell.exe
416	powershell.exe
1332	powershell.exe
2624	powershell.exe
3184	powershell.exe
3044	powershell.exe
3996	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3808	netsh.exe
2120	netsh.exe
5616	netsh.exe
6128	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe

Drops startup file 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6yQbrQi0sv0G2TdJ7vwQEAk7.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OsszhNJbAfoyEZa52VjekIny.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hgmZp3SlbDWyGE4tyOX9sZH3.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\diB4k3H7knkkHYsLRIKl2S2x.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6mXSr85Z8pFoSrUXkIPn7vic.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bETkp0CAqB5odeTh5hAT6BVl.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BwaCChzBdPyCVrxSXUAIHXHT.bat	jsc.exe

Executes dropped EXE 5 IoCs

pid	Process
3128	76rQIBXB9tgY2uy68cp90h7C.exe
1712	Vp64UwtDs5acXvXL2pp0uf6K.exe
1996	2htccXJDHMut0zfN238yw0Dd.exe
4196	ZBJN4arHrVsEOzqKTXFsaZVI.exe
4552	78U9Lg3sTRdvRg6Zj0o0ElyM.exe

Windows security modification 2 TTPs 3 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe = "0"	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	pastebin.com
28	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4028 set thread context of 320	4028	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3996	powershell.exe
3996	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeDebugPrivilege	320	jsc.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 3996	4028	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe	91
PID 4028 wrote to memory of 3996	4028	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe	91
PID 4028 wrote to memory of 320	4028	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe	93
PID 4028 wrote to memory of 320	4028	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe	93
PID 4028 wrote to memory of 320	4028	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe	93
PID 4028 wrote to memory of 320	4028	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe	93
PID 4028 wrote to memory of 320	4028	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe	93
PID 4028 wrote to memory of 320	4028	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe	93
PID 4028 wrote to memory of 320	4028	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe	93
PID 4028 wrote to memory of 320	4028	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe	93
PID 4028 wrote to memory of 3796	4028	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe	94
PID 4028 wrote to memory of 3796	4028	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe	94
PID 4028 wrote to memory of 3796	4028	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe	94
PID 320 wrote to memory of 3128	320	jsc.exe	105
PID 320 wrote to memory of 3128	320	jsc.exe	105
PID 320 wrote to memory of 3128	320	jsc.exe	105
PID 320 wrote to memory of 1712	320	jsc.exe	102
PID 320 wrote to memory of 1712	320	jsc.exe	102
PID 320 wrote to memory of 1712	320	jsc.exe	102
PID 320 wrote to memory of 1996	320	jsc.exe	103
PID 320 wrote to memory of 1996	320	jsc.exe	103
PID 320 wrote to memory of 1996	320	jsc.exe	103
PID 320 wrote to memory of 4196	320	jsc.exe	104
PID 320 wrote to memory of 4196	320	jsc.exe	104
PID 320 wrote to memory of 4196	320	jsc.exe	104
PID 320 wrote to memory of 4552	320	jsc.exe	106
PID 320 wrote to memory of 4552	320	jsc.exe	106
PID 320 wrote to memory of 4552	320	jsc.exe	106

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe

C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe
"C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe"
1⤵
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Users\Admin\Pictures\Vp64UwtDs5acXvXL2pp0uf6K.exe
    "C:\Users\Admin\Pictures\Vp64UwtDs5acXvXL2pp0uf6K.exe"
    3⤵
    - Executes dropped EXE
    PID:1712
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1708
  - - C:\Users\Admin\Pictures\Vp64UwtDs5acXvXL2pp0uf6K.exe
      "C:\Users\Admin\Pictures\Vp64UwtDs5acXvXL2pp0uf6K.exe"
      4⤵
      PID:1920
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6060
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:2476
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:6128
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3044
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5648
- - C:\Users\Admin\Pictures\2htccXJDHMut0zfN238yw0Dd.exe
    "C:\Users\Admin\Pictures\2htccXJDHMut0zfN238yw0Dd.exe"
    3⤵
    - Executes dropped EXE
    PID:1996
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5056
  - - C:\Users\Admin\Pictures\2htccXJDHMut0zfN238yw0Dd.exe
      "C:\Users\Admin\Pictures\2htccXJDHMut0zfN238yw0Dd.exe"
      4⤵
      PID:5468
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5956
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:5752
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:3808
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1332
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5844
- - C:\Users\Admin\Pictures\ZBJN4arHrVsEOzqKTXFsaZVI.exe
    "C:\Users\Admin\Pictures\ZBJN4arHrVsEOzqKTXFsaZVI.exe"
    3⤵
    - Executes dropped EXE
    PID:4196
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3184
  - - C:\Users\Admin\Pictures\ZBJN4arHrVsEOzqKTXFsaZVI.exe
      "C:\Users\Admin\Pictures\ZBJN4arHrVsEOzqKTXFsaZVI.exe"
      4⤵
      PID:5368
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1636
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:5724
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:5616
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4752
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3180
- - C:\Users\Admin\Pictures\76rQIBXB9tgY2uy68cp90h7C.exe
    "C:\Users\Admin\Pictures\76rQIBXB9tgY2uy68cp90h7C.exe"
    3⤵
    - Executes dropped EXE
    PID:3128
  - - C:\Users\Admin\AppData\Local\Temp\u2ew.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u2ew.0.exe"
      4⤵
      PID:2792
  - - C:\Users\Admin\AppData\Local\Temp\u2ew.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u2ew.1.exe"
      4⤵
      PID:5192
    - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        5⤵
        
        PID:5708
- - C:\Users\Admin\Pictures\78U9Lg3sTRdvRg6Zj0o0ElyM.exe
    "C:\Users\Admin\Pictures\78U9Lg3sTRdvRg6Zj0o0ElyM.exe"
    3⤵
    - Executes dropped EXE
    PID:4552
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2624
  - - C:\Users\Admin\Pictures\78U9Lg3sTRdvRg6Zj0o0ElyM.exe
      "C:\Users\Admin\Pictures\78U9Lg3sTRdvRg6Zj0o0ElyM.exe"
      4⤵
      PID:5520
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6052
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:5648
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:2120
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2364
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Registry