glupteba | b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663

Analysis

max time kernel
31s
max time network
66s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Size

4.1MB
MD5

4cac48f42c1abb48c8fbedd4dcdc45eb
SHA1

5a3dcaf9ce9b320120048b8ef03874a62f7bfb35
SHA256

b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663
SHA512

ae31094542a90636fda51c69c7a8fe77f748d132e2d13cf658930543b45fd0b743b70ec2f181ae14d6df0a29a1172b767df953600806c603d063614199419de4
SSDEEP

98304:giuI6DIhBokpgzX0pmgZkEzb3q3S3MwW582eGBSMrIG:giuIfSwmakEv3q3Yd2HBSK

Score

10^/10

glupteba dropper execution loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 6 IoCs

resource	yara_rule
behavioral1/memory/4336-2-0x0000000004CD0000-0x00000000055BB000-memory.dmp	family_glupteba
behavioral1/memory/4336-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4336-46-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral1/memory/4336-48-0x0000000004CD0000-0x00000000055BB000-memory.dmp	family_glupteba
behavioral1/memory/4336-61-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1256-60-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1844	powershell.exe
4696	powershell.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4520	1844	WerFault.exe	96

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1844	powershell.exe
1844	powershell.exe
4336	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
4336	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
4696	powershell.exe
4696	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	4336	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Token: SeImpersonatePrivilege	4336	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
Token: SeDebugPrivilege	4696	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 1844	4336	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe	96
PID 4336 wrote to memory of 1844	4336	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe	96
PID 4336 wrote to memory of 1844	4336	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe	96
PID 1256 wrote to memory of 4696	1256	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe	103
PID 1256 wrote to memory of 4696	1256	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe	103
PID 1256 wrote to memory of 4696	1256	b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe	103

C:\Users\Admin\AppData\Local\Temp\b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
"C:\Users\Admin\AppData\Local\Temp\b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 2464
    3⤵
    - Program crash
    PID:4520
- C:\Users\Admin\AppData\Local\Temp\b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe
  "C:\Users\Admin\AppData\Local\Temp\b80c4f969de12b5fd6b4915beac038201fd7934bf8b56c52b401326e7714b663.exe"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1844 -ip 1844
1⤵
PID:3920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n1yt1pyl.okl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1256-60-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/1844-28-0x0000000007BF0000-0x0000000007C22000-memory.dmp

Filesize
200KB

Download
memory/1844-25-0x0000000007800000-0x0000000007876000-memory.dmp

Filesize
472KB

Download
memory/1844-5-0x0000000003080000-0x00000000030B6000-memory.dmp

Filesize
216KB

Download
memory/1844-7-0x0000000005960000-0x0000000005F88000-memory.dmp

Filesize
6.2MB

Download
memory/1844-6-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/1844-8-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/1844-31-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/1844-15-0x00000000057C0000-0x0000000005826000-memory.dmp

Filesize
408KB

Download
memory/1844-14-0x00000000056A0000-0x00000000056C2000-memory.dmp

Filesize
136KB

Download
memory/1844-20-0x00000000058E0000-0x0000000005946000-memory.dmp

Filesize
408KB

Download
memory/1844-21-0x0000000006290000-0x00000000065E4000-memory.dmp

Filesize
3.3MB

Download
memory/1844-22-0x0000000006650000-0x000000000666E000-memory.dmp

Filesize
120KB

Download
memory/1844-23-0x00000000066B0000-0x00000000066FC000-memory.dmp

Filesize
304KB

Download
memory/1844-24-0x0000000006A80000-0x0000000006AC4000-memory.dmp

Filesize
272KB

Download
memory/1844-30-0x0000000070A60000-0x0000000070DB4000-memory.dmp

Filesize
3.3MB

Download
memory/1844-26-0x0000000008100000-0x000000000877A000-memory.dmp

Filesize
6.5MB

Download
memory/1844-27-0x00000000077B0000-0x00000000077CA000-memory.dmp

Filesize
104KB

Download
memory/1844-29-0x00000000708E0000-0x000000007092C000-memory.dmp

Filesize
304KB

Download
memory/1844-4-0x0000000074A4E000-0x0000000074A4F000-memory.dmp

Filesize
4KB

Download
memory/1844-44-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/1844-43-0x0000000007D40000-0x0000000007D4A000-memory.dmp

Filesize
40KB

Download
memory/1844-41-0x0000000007C30000-0x0000000007C4E000-memory.dmp

Filesize
120KB

Download
memory/1844-42-0x0000000007C50000-0x0000000007CF3000-memory.dmp

Filesize
652KB

Download
memory/4336-46-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/4336-1-0x00000000048C0000-0x0000000004CC5000-memory.dmp

Filesize
4.0MB

Download
memory/4336-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4336-47-0x00000000048C0000-0x0000000004CC5000-memory.dmp

Filesize
4.0MB

Download
memory/4336-48-0x0000000004CD0000-0x00000000055BB000-memory.dmp

Filesize
8.9MB

Download
memory/4336-2-0x0000000004CD0000-0x00000000055BB000-memory.dmp

Filesize
8.9MB

Download
memory/4336-61-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4696-63-0x0000000071060000-0x00000000713B4000-memory.dmp

Filesize
3.3MB

Download
memory/4696-51-0x0000000005B40000-0x0000000005E94000-memory.dmp

Filesize
3.3MB

Download
memory/4696-62-0x00000000708E0000-0x000000007092C000-memory.dmp

Filesize
304KB

Download
memory/4696-73-0x0000000007390000-0x0000000007433000-memory.dmp

Filesize
652KB

Download
memory/4696-74-0x0000000007770000-0x0000000007806000-memory.dmp

Filesize
600KB

Download
memory/4696-75-0x0000000007690000-0x00000000076A1000-memory.dmp

Filesize
68KB

Download
memory/4696-76-0x00000000076D0000-0x00000000076DE000-memory.dmp

Filesize
56KB

Download
memory/4696-77-0x00000000076E0000-0x00000000076F4000-memory.dmp

Filesize
80KB

Download
memory/4696-78-0x0000000007720000-0x000000000773A000-memory.dmp

Filesize
104KB

Download
memory/4696-79-0x0000000007710000-0x0000000007718000-memory.dmp

Filesize
32KB

Download