glupteba | 3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97

Analysis

max time kernel
13s
max time network
134s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
09/05/2024, 19:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Size

4.1MB
MD5

ca47016e7d5480bc3619c70abb333de2
SHA1

c98ff7b99d19bf951b93e243f4f92a8136b99e31
SHA256

3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97
SHA512

c18986c42396bfb1b7ea64f7eb5f04d6f50cb737a9f4e6dba435d5023bce17d55402dd82517cff3d7abc5a64ef859d8734fd8765fdd580084a240aba72c4baf8
SSDEEP

98304:npLl5dh/cY//0ytMliSDJIrO0tWgVy355J08nZmlsCE:pLlNLHtGNcOLFp5JFwlsCE

Score

10^/10

glupteba dropper evasion execution loader upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 12 IoCs

resource	yara_rule
behavioral2/memory/2676-2-0x0000000005030000-0x000000000591B000-memory.dmp	family_glupteba
behavioral2/memory/2676-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1868-213-0x0000000000400000-0x0000000002EDD000-memory.dmp	family_glupteba
behavioral2/memory/1868-216-0x0000000000400000-0x0000000002EDD000-memory.dmp	family_glupteba
behavioral2/memory/1868-220-0x0000000000400000-0x0000000002EDD000-memory.dmp	family_glupteba
behavioral2/memory/1868-222-0x0000000000400000-0x0000000002EDD000-memory.dmp	family_glupteba
behavioral2/memory/1868-225-0x0000000000400000-0x0000000002EDD000-memory.dmp	family_glupteba
behavioral2/memory/1868-228-0x0000000000400000-0x0000000002EDD000-memory.dmp	family_glupteba
behavioral2/memory/1868-232-0x0000000000400000-0x0000000002EDD000-memory.dmp	family_glupteba
behavioral2/memory/1868-234-0x0000000000400000-0x0000000002EDD000-memory.dmp	family_glupteba
behavioral2/memory/1868-237-0x0000000000400000-0x0000000002EDD000-memory.dmp	family_glupteba
behavioral2/memory/1868-240-0x0000000000400000-0x0000000002EDD000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1908	netsh.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4340-203-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/files/0x000200000002aa15-204.dat	upx
behavioral2/memory/4340-207-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/3216-206-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/files/0x000200000002aa15-202.dat	upx
behavioral2/memory/3216-211-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/3216-217-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2784	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4652	powershell.exe
3824	powershell.exe
4256	powershell.exe
1956	powershell.exe
5044	powershell.exe
4476	powershell.exe
480	powershell.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2976	schtasks.exe
4812	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4476	powershell.exe
4476	powershell.exe
2676	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
2676	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
480	powershell.exe
480	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	2676	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Token: SeImpersonatePrivilege	2676	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Token: SeDebugPrivilege	480	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 4476	2676	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe	78
PID 2676 wrote to memory of 4476	2676	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe	78
PID 2676 wrote to memory of 4476	2676	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe	78
PID 2592 wrote to memory of 480	2592	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe	83
PID 2592 wrote to memory of 480	2592	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe	83
PID 2592 wrote to memory of 480	2592	3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe	83

C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
"C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4476
- C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
  "C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:480
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:2332
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1908
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4652
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3824
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:1868
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4256
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:4812
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:2656
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1956
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5044
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:1008
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2976
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:4340
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:3520
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:2784

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xyyiluwv.ss5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
ac4917a885cf6050b1a483e4bc4d2ea5

SHA1
b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

SHA256
e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

SHA512
092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
24469b713785c95ba9fd21732935a75e

SHA1
f86fa89eae367076d5c63d72f63d352c2134495e

SHA256
11c84578538cafd5319ca59d7f173d3ef782456d488fcc312be86e87ef4dd6c2

SHA512
e2000f9abcb86b97d7afcb37fcc961582c0cdcd09379ce733156f6b5dc68c9d4aeca8611c0d1e50f19c3cc1ea2efb8b0a673b38a6c5212d3e1597985ef155d6a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
a3be135b4edbbe33db75b22b3e64db74

SHA1
fb1a4aae3844cd5a0f7f1c37326eea338287ed61

SHA256
b64602c523ae5b7efd4158e64ff58f3b807cc0ca12b5f61b4d33ee335988362b

SHA512
b8bee7982197c175d8a191295ca7a306d7183438892d4519951ef8e6233671ddd23635374c3c7c71fc6672d12e3c384c7d7fc988fc1e3628673db84e8adae01e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
a8d229e5eb4497c5e1252b6e6971cb1b

SHA1
ba5b65ca491c194dc63712e8c71eb19e15205067

SHA256
1f78dc406c714719e1e77e745dd342b34b5049ed84cf9b2386a8c552619aef53

SHA512
a552a0296da3e9890933dcf0c50fc2e57229a32e59218a2dc3898c1c2ed9b200d58924f94940572796450ab2f701c882a634fbd2c61f4a6e84ba30afea1bad5c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
c98983ccc6fc947cff97d5fad22d1393

SHA1
9276a8de551abc4c3c3cd3aa7ac5fab948dc7631

SHA256
6b369b7e02d12bc0f513b1ce1024e0c3f095aef2e4040c85ddd2b2a72f5ebe3d

SHA512
2a1552100d5c15eabc55f7e5c4a9ff98097d1c4e1becad2efd82e69d3ac9555fbdca211588bb0fbe94f39bcb6eb5904af11f01cf48f22d49ee93db5993092bbf

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
2e1bc34902797d74a92532966abe9d74

SHA1
9a0236a812931879d5a7420d78dca9c101e5bd10

SHA256
262883ad84efc388994b81539900312c589ee02c7f66b7abf7371134dd19cea7

SHA512
988613a84b98f4ecf10f768b0a70ef5f7a997cbd80cd10516c07a640b4fe13f60d25d7131553b3f6aed046aa2d8f045228ffd69869495a83dc7fc4ef21b74d0f

Download Submit
C:\Windows\rss\csrss.exe

Filesize
2.1MB

MD5
4fcf8c444b68867339a375bbcc8f0af9

SHA1
5ae2f5ed2426b68e3813f304c793babc28d3681c

SHA256
91ab2ba4122537bffec96c6ab46d43cb7c461885dd6b6aa24e319b05ef64e610

SHA512
e54f81e04f64b24b6dffaede53b6ab0fd0f4140141ad775dd077457e128e6a66572d700d5e580b46f4bdf553563f6678c7df411a0fadc4753666861ccb12b6c3

Download Submit
C:\Windows\windefender.exe

Filesize
1.9MB

MD5
48bb2b8b0b3d518ce9c666a3a9d5c412

SHA1
abaf622dba4f42473a663208fe6b961895d6de63

SHA256
3fa30f23230ba70708815b9edee678e96522739221ac214833d0477828307749

SHA512
84610f3fcb35484868537b76a27302eea7b3d110e50ede723654eda37ab427cb17a2f371787ad9fe05137659ecd8ba1240a0267b7ac0396b73c04705aeb83a7f

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/480-72-0x0000000006FB0000-0x0000000006FC5000-memory.dmp

Filesize
84KB

Download
memory/480-71-0x0000000006F60000-0x0000000006F71000-memory.dmp

Filesize
68KB

Download
memory/480-60-0x0000000070BF0000-0x0000000070C3C000-memory.dmp

Filesize
304KB

Download
memory/480-70-0x0000000006C10000-0x0000000006CB4000-memory.dmp

Filesize
656KB

Download
memory/480-61-0x0000000070E20000-0x0000000071177000-memory.dmp

Filesize
3.3MB

Download
memory/480-51-0x0000000005490000-0x00000000057E7000-memory.dmp

Filesize
3.3MB

Download
memory/1868-216-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/1868-228-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/1868-234-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/1868-232-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/1868-192-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/1868-240-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/1868-208-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/1868-210-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/1868-213-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/1868-237-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/1868-220-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/1868-222-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/1868-225-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/1956-170-0x00000000059B0000-0x00000000059C5000-memory.dmp

Filesize
84KB

Download
memory/1956-155-0x0000000005BD0000-0x0000000005F27000-memory.dmp

Filesize
3.3MB

Download
memory/1956-157-0x0000000006070000-0x00000000060BC000-memory.dmp

Filesize
304KB

Download
memory/1956-168-0x0000000007280000-0x0000000007324000-memory.dmp

Filesize
656KB

Download
memory/1956-159-0x0000000070C90000-0x0000000070FE7000-memory.dmp

Filesize
3.3MB

Download
memory/1956-169-0x00000000075A0000-0x00000000075B1000-memory.dmp

Filesize
68KB

Download
memory/1956-158-0x0000000070B10000-0x0000000070B5C000-memory.dmp

Filesize
304KB

Download
memory/2592-121-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/2676-86-0x0000000003390000-0x000000000378A000-memory.dmp

Filesize
4.0MB

Download
memory/2676-124-0x0000000005030000-0x000000000591B000-memory.dmp

Filesize
8.9MB

Download
memory/2676-1-0x0000000003390000-0x000000000378A000-memory.dmp

Filesize
4.0MB

Download
memory/2676-2-0x0000000005030000-0x000000000591B000-memory.dmp

Filesize
8.9MB

Download
memory/2676-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2676-50-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/2676-126-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3216-206-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3216-211-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3216-217-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3824-107-0x0000000070BF0000-0x0000000070C3C000-memory.dmp

Filesize
304KB

Download
memory/3824-108-0x0000000070D70000-0x00000000710C7000-memory.dmp

Filesize
3.3MB

Download
memory/4256-137-0x0000000070D70000-0x00000000710C7000-memory.dmp

Filesize
3.3MB

Download
memory/4256-136-0x0000000070BF0000-0x0000000070C3C000-memory.dmp

Filesize
304KB

Download
memory/4340-207-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4340-203-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4476-23-0x0000000006610000-0x0000000006656000-memory.dmp

Filesize
280KB

Download
memory/4476-43-0x0000000007870000-0x0000000007885000-memory.dmp

Filesize
84KB

Download
memory/4476-39-0x00000000077F0000-0x00000000077FA000-memory.dmp

Filesize
40KB

Download
memory/4476-38-0x00000000077B0000-0x00000000077CA000-memory.dmp

Filesize
104KB

Download
memory/4476-35-0x0000000007670000-0x000000000768E000-memory.dmp

Filesize
120KB

Download
memory/4476-36-0x0000000007690000-0x0000000007734000-memory.dmp

Filesize
656KB

Download
memory/4476-41-0x0000000007810000-0x0000000007821000-memory.dmp

Filesize
68KB

Download
memory/4476-21-0x0000000006200000-0x000000000621E000-memory.dmp

Filesize
120KB

Download
memory/4476-48-0x0000000074980000-0x0000000075131000-memory.dmp

Filesize
7.7MB

Download
memory/4476-6-0x0000000005440000-0x0000000005A6A000-memory.dmp

Filesize
6.2MB

Download
memory/4476-10-0x0000000005C20000-0x0000000005C86000-memory.dmp

Filesize
408KB

Download
memory/4476-9-0x0000000005380000-0x00000000053A2000-memory.dmp

Filesize
136KB

Download
memory/4476-37-0x0000000007DF0000-0x000000000846A000-memory.dmp

Filesize
6.5MB

Download
memory/4476-11-0x0000000005C90000-0x0000000005CF6000-memory.dmp

Filesize
408KB

Download
memory/4476-20-0x0000000005DD0000-0x0000000006127000-memory.dmp

Filesize
3.3MB

Download
memory/4476-22-0x0000000006250000-0x000000000629C000-memory.dmp

Filesize
304KB

Download
memory/4476-26-0x0000000070D70000-0x00000000710C7000-memory.dmp

Filesize
3.3MB

Download
memory/4476-8-0x0000000074980000-0x0000000075131000-memory.dmp

Filesize
7.7MB

Download
memory/4476-7-0x0000000074980000-0x0000000075131000-memory.dmp

Filesize
7.7MB

Download
memory/4476-25-0x0000000070BF0000-0x0000000070C3C000-memory.dmp

Filesize
304KB

Download
memory/4476-5-0x0000000002A40000-0x0000000002A76000-memory.dmp

Filesize
216KB

Download
memory/4476-4-0x000000007498E000-0x000000007498F000-memory.dmp

Filesize
4KB

Download
memory/4476-24-0x0000000007610000-0x0000000007644000-memory.dmp

Filesize
208KB

Download
memory/4476-42-0x0000000007860000-0x000000000786E000-memory.dmp

Filesize
56KB

Download
memory/4476-40-0x0000000007900000-0x0000000007996000-memory.dmp

Filesize
600KB

Download
memory/4476-44-0x00000000078C0000-0x00000000078DA000-memory.dmp

Filesize
104KB

Download
memory/4476-45-0x00000000078B0000-0x00000000078B8000-memory.dmp

Filesize
32KB

Download
memory/4652-88-0x0000000071530000-0x0000000071887000-memory.dmp

Filesize
3.3MB

Download
memory/4652-87-0x0000000070BF0000-0x0000000070C3C000-memory.dmp

Filesize
304KB

Download
memory/4652-84-0x0000000005B10000-0x0000000005E67000-memory.dmp

Filesize
3.3MB

Download
memory/5044-181-0x0000000070B10000-0x0000000070B5C000-memory.dmp

Filesize
304KB

Download
memory/5044-182-0x0000000070C90000-0x0000000070FE7000-memory.dmp

Filesize
3.3MB

Download