Analysis Overview
SHA256
2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e
Threat Level: Known bad
The file 2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e was found to be: Known bad.
Malicious Activity Summary
Glupteba
Glupteba payload
Modifies Windows Firewall
UPX packed file
Launches sc.exe
Command and Scripting Interpreter: PowerShell
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-15 23:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-15 23:41
Reported
2024-05-15 23:44
Platform
win10v2004-20240426-en
Max time kernel
18s
Max time network
152s
Command Line
Signatures
Glupteba
Glupteba payload
18 matches recorded; the sandbox exported no description, indicator, process or target for them.
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
UPX packed file
6 matches recorded; the sandbox exported no description, indicator, process or target for them.
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | "C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | "C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\system32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" |
| C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\rss\csrss.exe | C:\Windows\rss\csrss.exe |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /delete /tn ScheduledUpdate /f |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\windefender.exe | "C:\Windows\windefender.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) |
| C:\Windows\SysWOW64\sc.exe | sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) |
| C:\Windows\windefender.exe | C:\Windows\windefender.exe |
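Read end to end, the process tree is a short persistence and defence-evasion chain: the sample writes a copy of itself to C:\Windows\rss\csrss.exe (the dropped file in the Files section carries the submitted SHA256), opens an inbound Windows Firewall exception for that path, registers an ONLOGON scheduled task that runs it with the highest run level, injects NtQuerySystemInformationHook.dll into taskmgr.exe, drops a second binary named windefender.exe (a different hash, named to resemble Windows Defender) and rewrites the security descriptor of a service called WinDefender so that the DACL carries an explicit deny ACE (D;;WPDT;;;BA). For a service object the SDDL rights WP and DT are SERVICE_STOP and SERVICE_PAUSE_CONTINUE, so that ACE denies Administrators the ability to stop or pause the service. The PowerShell instances wrote their logs under C:\Windows\SysWOW64\config\systemprofile (see Files), i.e. they ran under the LocalSystem profile. The Python below is an added example, not part of the sandbox report or of the sample: it runs the command lines from the tree through a handful of triage checks and decodes the SDDL. The rule names, the SERVICE_RIGHTS and SID_ALIASES tables and the SYSTEM_IMAGES list are the example's own choices; the command lines are copied from the report.

```python
import re

# Command lines copied from the process tree above (the report's own data, not constructed).
PROCESS_TREE = [
    r'"C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe"',
    r'powershell -nologo -noprofile',
    r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'C:\Windows\rss\csrss.exe',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'schtasks /delete /tn ScheduledUpdate /f',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
    r'"C:\Windows\windefender.exe"',
    r'cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
]

# Image names that legitimately live only under System32/SysWOW64; the same name anywhere else is masquerading.
SYSTEM_IMAGES = {'csrss.exe', 'smss.exe', 'lsass.exe', 'services.exe', 'winlogon.exe', 'svchost.exe'}
SYSTEM_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\', 'c:\\windows\\sysnative\\')
PATH_RE = re.compile(r'([a-z]:\\[^"\s]*\\)(\w+\.exe)')   # handles paths without embedded spaces only
ACE_RE = re.compile(r'\(([^)]*)\)')
# SDDL two-letter rights as they apply to service objects, and the well-known SID aliases seen here.
SERVICE_RIGHTS = {'CC': 'QUERY_CONFIG', 'DC': 'CHANGE_CONFIG', 'LC': 'QUERY_STATUS', 'SW': 'ENUMERATE_DEPENDENTS',
                  'RP': 'START', 'WP': 'STOP', 'DT': 'PAUSE_CONTINUE', 'LO': 'INTERROGATE', 'CR': 'USER_DEFINED_CONTROL',
                  'SD': 'DELETE', 'RC': 'READ_CONTROL', 'WD': 'WRITE_DAC', 'WO': 'WRITE_OWNER'}
SID_ALIASES = {'SY': 'LocalSystem', 'BA': 'Administrators', 'IU': 'Interactive', 'SU': 'Service', 'WD': 'Everyone'}


def parse_sddl_dacl(sddl):
    """Split the D: (DACL) part of an SDDL string into ACE dicts.
    ACE syntax is (type;flags;rights;object_guid;inherit_guid;sid); rights are two-letter codes."""
    m = re.search(r'D:[A-Z]*((?:\([^)]*\))+)', sddl)
    aces = []
    for body in ACE_RE.findall(m.group(1) if m else ''):
        parts = body.split(';')
        if len(parts) >= 6 and not parts[2].startswith('0x'):   # hex access masks are not decoded here
            rights = [parts[2][i:i + 2] for i in range(0, len(parts[2]), 2)]
            aces.append({'type': parts[0], 'rights': rights, 'sid': parts[5]})
    return aces


def triage(cmdlines):
    """Run each command line through the checks and return de-duplicated (rule, detail) findings."""
    findings = []

    def add(rule, detail):
        if (rule, detail) not in findings:
            findings.append((rule, detail))

    for cl in cmdlines:
        low = cl.lower()
        for directory, image in PATH_RE.findall(low):
            if image in SYSTEM_IMAGES and not directory.startswith(SYSTEM_DIRS):
                add('masquerading_system_image', directory + image)
        m = re.search(r'netsh\s+advfirewall\s+firewall\s+add\s+rule.*action=allow.*program="?([^"\s]+)', cl, re.I)
        if m:
            add('firewall_allow_rule', m.group(1))
        if re.search(r'schtasks\s+/create', low) and '/sc onlogon' in low and '/rl highest' in low:
            tr = re.search(r'/tr\s+"?([^"]+?)"?\s+/tn\s+(\S+)', cl, re.I)
            add('logon_task_highest_priv', f'{tr.group(2)} -> {tr.group(1)}' if tr else cl)
        m = re.search(r'\s(\w+\.exe)\s+(\S+\.dll)\s*$', cl, re.I)
        if m:   # "<injector> <target process> <dll>": a DLL handed to a process named without a path
            add('dll_injection_into_named_process', f'{m.group(1)} <- {m.group(2)}')
        m = re.search(r'sc\s+sdset\s+(\S+)\s+(D:\S+)', cl, re.I)
        if m:
            for ace in parse_sddl_dacl(m.group(2)):
                if ace['type'] == 'D':   # an explicit deny ACE is what blocks stop/pause/delete of the service
                    denied = ','.join(SERVICE_RIGHTS.get(r, r) for r in ace['rights'])
                    add('service_dacl_deny', f"{m.group(1)}: deny {denied} to {SID_ALIASES.get(ace['sid'], ace['sid'])}")
    return findings


if __name__ == '__main__':
    for rule, detail in triage(PROCESS_TREE):
        print(f'{rule:34} {detail}')
```

The checks are deliberately path- and argument-based rather than hash-based: the dropped copy has the sample's own hash, but the same rules fire on any binary called csrss.exe outside System32, on any inbound allow rule for a program under C:\Windows that is not a Windows component, and on any service DACL that denies Administrators STOP or PAUSE_CONTINUE. Note that the allow ACE for BA in the same descriptor still grants WD (WRITE_DAC) and SD (DELETE), so an administrator can repair the descriptor with sc sdset before stopping the service.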
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 88.221.83.200:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 200.83.221.88.in-addr.arpa | udp |
| BE | 88.221.83.200:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4b907ae9-bf96-4c8a-9bca-e8db9a6cf551.uuid.dumppage.org | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stun3.l.google.com | udp |
| US | 8.8.8.8:53 | server12.dumppage.org | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 74.125.250.129:19302 | stun3.l.google.com | udp |
| BG | 185.82.216.111:443 | server12.dumppage.org | tcp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 172.67.221.71:443 | carsalessystem.com | tcp |
| US | 8.8.8.8:53 | 129.250.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 111.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| BG | 185.82.216.111:443 | server12.dumppage.org | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| BG | 185.82.216.111:443 | server12.dumppage.org | tcp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
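The network table mixes three kinds of rows: the sandbox's own PTR lookups against 8.8.8.8 for every IP it observes (the *.in-addr.arpa names), Windows background traffic to bing.com and bing.net, and the contacts made by the sample itself: a STUN query to stun3.l.google.com on udp/19302, cdn.discordapp.com, carsalessystem.com, server12.dumppage.org over tcp/443 to a Bulgarian address, and a DNS query for a UUID-labelled name under uuid.dumppage.org. The Python below is an added example, not part of the report: it buckets a representative subset of the rows, reverses the PTR names so they can be matched against hosts that were actually contacted, and pulls out the UUID-labelled query. The bucket names, the background-suffix list and the reading of the UUID label as a per-host identifier are the example's own assumptions; the rows are copied from the table.

```python
import re
from collections import defaultdict

# Representative rows copied from the Network table above as (country, destination, domain, proto);
# the repeated bing and PTR rows are left out for brevity.
NETWORK_ROWS = [
    ('US', '8.8.8.8:53', '8.8.8.8.in-addr.arpa', 'udp'),
    ('US', '8.8.8.8:53', '241.150.49.20.in-addr.arpa', 'udp'),
    ('US', '8.8.8.8:53', 'g.bing.com', 'udp'),
    ('US', '204.79.197.237:443', 'g.bing.com', 'tcp'),
    ('BE', '88.221.83.200:443', 'www.bing.com', 'tcp'),
    ('US', '8.8.8.8:53', '200.83.221.88.in-addr.arpa', 'udp'),
    ('US', '8.8.8.8:53', '4b907ae9-bf96-4c8a-9bca-e8db9a6cf551.uuid.dumppage.org', 'udp'),
    ('US', '8.8.8.8:53', 'stun3.l.google.com', 'udp'),
    ('US', '8.8.8.8:53', 'server12.dumppage.org', 'udp'),
    ('US', '8.8.8.8:53', 'cdn.discordapp.com', 'udp'),
    ('US', '162.159.129.233:443', 'cdn.discordapp.com', 'tcp'),
    ('US', '74.125.250.129:19302', 'stun3.l.google.com', 'udp'),
    ('BG', '185.82.216.111:443', 'server12.dumppage.org', 'tcp'),
    ('US', '8.8.8.8:53', 'carsalessystem.com', 'udp'),
    ('US', '172.67.221.71:443', 'carsalessystem.com', 'tcp'),
    ('US', '8.8.8.8:53', '111.216.82.185.in-addr.arpa', 'udp'),
    ('US', '204.79.197.200:443', 'tse1.mm.bing.net', 'tcp'),
]

RESOLVER = '8.8.8.8'
# Assumed: background traffic of the win10 sandbox image rather than contacts made by the sample.
BACKGROUND_SUFFIXES = ('.bing.com', '.bing.net', '.microsoft.com', '.windowsupdate.com', '.msn.com')
UUID_LABEL_RE = re.compile(r'^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.', re.I)


def ptr_to_ip(name):
    """'111.216.82.185.in-addr.arpa' -> '185.82.216.111'; None for anything that is not a v4 PTR name."""
    if not name.endswith('.in-addr.arpa'):
        return None
    octets = name[:-len('.in-addr.arpa')].split('.')
    return '.'.join(reversed(octets)) if len(octets) == 4 else None


def classify(domain, dest):
    """Bucket one row by the kind of traffic it represents."""
    port = dest.rsplit(':', 1)[1]
    if ptr_to_ip(domain):
        return 'ptr_lookup'                      # reverse lookups of IPs something just talked to
    if domain.endswith(BACKGROUND_SUFFIXES):
        return 'windows_background'
    if port == '19302' or domain.split('.')[0].startswith('stun'):
        return 'stun_external_ip_discovery'      # STUN tells the client its own public address
    if domain.endswith('.discordapp.com'):
        return 'public_file_host'                # legitimate CDN; review what was fetched from it
    if UUID_LABEL_RE.match(domain):
        return 'candidate_c2_per_host_label'     # UUID-shaped leftmost label, read here as a host identifier
    return 'candidate_c2'


def summarize(rows):
    """Unique domains per bucket, plus the non-resolver destinations seen for each domain."""
    buckets, dests = defaultdict(set), defaultdict(set)
    for country, dest, domain, proto in rows:
        buckets[classify(domain, dest)].add(domain)
        if not dest.startswith(RESOLVER + ':'):
            dests[domain].add((dest, country, proto))
    return {k: sorted(v) for k, v in buckets.items()}, dests


def correlate_ptr(rows):
    """Map each PTR-queried IP that was actually contacted back to the forward name(s) used for it."""
    contacted = defaultdict(set)
    for _, dest, domain, _ in rows:
        ip = dest.rsplit(':', 1)[0]
        if ip != RESOLVER:
            contacted[ip].add(domain)
    out = {}
    for _, _, domain, _ in rows:
        ip = ptr_to_ip(domain)
        if ip in contacted:
            out[ip] = sorted(contacted[ip])
    return out


if __name__ == '__main__':
    buckets, dests = summarize(NETWORK_ROWS)
    for bucket, domains in sorted(buckets.items()):
        for d in domains:
            print(f'{bucket:30} {d:60} {sorted(dests.get(d, []))}')
    print('PTR lookups of contacted hosts:', correlate_ptr(NETWORK_ROWS))
```

The PTR correlation is what makes the reverse-lookup rows useful instead of noise: 111.216.82.185.in-addr.arpa reverses to 185.82.216.111, the address behind server12.dumppage.org, so the lookup confirms that connection was made even if the TCP row had been missed. The blocklist candidates that come out of the candidate_c2 buckets are domains, ports and addresses taken verbatim from the report; nothing here attributes them beyond what the table shows.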
Files
memory/3560-1-0x0000000004800000-0x0000000004BFC000-memory.dmp
memory/3560-2-0x0000000004C00000-0x00000000054EB000-memory.dmp
memory/3560-3-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/364-4-0x0000000074F5E000-0x0000000074F5F000-memory.dmp
memory/364-5-0x0000000002F80000-0x0000000002FB6000-memory.dmp
memory/364-6-0x0000000005890000-0x0000000005EB8000-memory.dmp
memory/364-7-0x0000000074F50000-0x0000000075700000-memory.dmp
memory/364-8-0x0000000074F50000-0x0000000075700000-memory.dmp
memory/364-9-0x00000000056A0000-0x00000000056C2000-memory.dmp
memory/364-11-0x0000000005F30000-0x0000000005F96000-memory.dmp
memory/364-10-0x00000000057C0000-0x0000000005826000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hmeddwc0.c4l.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/364-17-0x0000000005FA0000-0x00000000062F4000-memory.dmp
memory/364-22-0x0000000006560000-0x000000000657E000-memory.dmp
memory/364-23-0x00000000065E0000-0x000000000662C000-memory.dmp
memory/364-24-0x0000000006AA0000-0x0000000006AE4000-memory.dmp
memory/364-25-0x0000000007880000-0x00000000078F6000-memory.dmp
memory/364-27-0x0000000007920000-0x000000000793A000-memory.dmp
memory/364-26-0x0000000007F80000-0x00000000085FA000-memory.dmp
memory/364-29-0x0000000070DF0000-0x0000000070E3C000-memory.dmp
memory/364-28-0x0000000007AE0000-0x0000000007B12000-memory.dmp
memory/364-41-0x0000000007B20000-0x0000000007B3E000-memory.dmp
memory/364-42-0x0000000007B40000-0x0000000007BE3000-memory.dmp
memory/364-30-0x0000000074F50000-0x0000000075700000-memory.dmp
memory/364-44-0x0000000007C30000-0x0000000007C3A000-memory.dmp
memory/364-43-0x0000000074F50000-0x0000000075700000-memory.dmp
memory/364-31-0x00000000714F0000-0x0000000071844000-memory.dmp
memory/364-45-0x0000000007CF0000-0x0000000007D86000-memory.dmp
memory/364-46-0x0000000007C50000-0x0000000007C61000-memory.dmp
memory/364-47-0x0000000007C90000-0x0000000007C9E000-memory.dmp
memory/364-48-0x0000000007CA0000-0x0000000007CB4000-memory.dmp
memory/364-49-0x0000000007D90000-0x0000000007DAA000-memory.dmp
memory/364-50-0x0000000007CD0000-0x0000000007CD8000-memory.dmp
memory/364-53-0x0000000074F50000-0x0000000075700000-memory.dmp
memory/3560-56-0x0000000004C00000-0x00000000054EB000-memory.dmp
memory/3560-57-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/3560-54-0x0000000000400000-0x0000000002B0B000-memory.dmp
memory/4544-67-0x00000000065E0000-0x0000000006934000-memory.dmp
memory/4544-68-0x0000000006A20000-0x0000000006A6C000-memory.dmp
memory/4544-80-0x0000000007BB0000-0x0000000007C53000-memory.dmp
memory/4544-70-0x0000000071070000-0x00000000713C4000-memory.dmp
memory/4544-69-0x0000000070EF0000-0x0000000070F3C000-memory.dmp
memory/4544-81-0x0000000007EE0000-0x0000000007EF1000-memory.dmp
memory/4544-82-0x0000000007F30000-0x0000000007F44000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
memory/4992-95-0x0000000005B80000-0x0000000005ED4000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | f1105e15715eef3ada188a151b5d9b5a |
| SHA1 | 013572fb6921a952097ee7b200ce9b1cc249cbfe |
| SHA256 | 3dda8ddd13bde2bba28642048633263172b90b5d492ab4c71412fe58d888bcdb |
| SHA512 | 6cb5772359b1aaa3b0bebeeef1c608175e5b5a5329173bf78030b87a7b57bad2edf362f45155ec87d3177681fa050b36301654112984ea695d7b9ae06c63227f |
memory/4992-98-0x0000000071670000-0x00000000719C4000-memory.dmp
memory/4992-97-0x0000000070EF0000-0x0000000070F3C000-memory.dmp
memory/4568-118-0x0000000005640000-0x0000000005994000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 0cac594c71fd7a7be1d5e7025c7948d6 |
| SHA1 | b799843dc5fb966087f282c922f63d8502da3e33 |
| SHA256 | fcfafd96e6e0d2bf1dcf7dffeee393d627c9c7f358142698513fcad42da7ed05 |
| SHA512 | 577677f2ed354d9a46f644340bc41559edfb19fd2858adeb7577455b3202b8c257446d9de26c0409432c0731518c7cdd1df54aa03e403db3ca994c30ccceecc8 |
memory/4568-121-0x0000000071300000-0x0000000071654000-memory.dmp
memory/4568-120-0x0000000070EF0000-0x0000000070F3C000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 37dd4d82523bbfb21204e7f533525b6f |
| SHA1 | ee3e26ea8f51d5030ed5c8eb4bc5c55a084082d3 |
| SHA256 | 2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e |
| SHA512 | 6f6717ad6eed49d06eac3c90e4246f756f1cac7a4fba9f01bad477912b7496e5e146cd182b9ed8084f51e4cafd56ff117842aa92b2398977178688ca1ccc6b50 |
memory/2012-135-0x0000000000400000-0x0000000002B0B000-memory.dmp
memory/364-147-0x0000000006180000-0x00000000064D4000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | bbcebbfca78c1bc2c1c02a176b37a251 |
| SHA1 | f7cb8934581ad0ab5c639653ef1374651d47d24e |
| SHA256 | de8e7abed553ba8ba56904065e5fc1073d96e8e782d8855e24c17ab140945aee |
| SHA512 | 5e69b9272728d4c5bc00a1cb1cea490727c63f1b147a714a433c57a67fd4b53a34b72c08d44ab479969b0cc6cc2c6a7f78bd8ceadcca2938ecd4e0a14c3b6a27 |
memory/364-149-0x0000000006E60000-0x0000000006EAC000-memory.dmp
memory/364-161-0x0000000007B70000-0x0000000007C13000-memory.dmp
memory/364-151-0x0000000071610000-0x0000000071964000-memory.dmp
memory/364-150-0x0000000070E50000-0x0000000070E9C000-memory.dmp
memory/364-162-0x0000000007D10000-0x0000000007D21000-memory.dmp
memory/364-163-0x0000000006690000-0x00000000066A4000-memory.dmp
memory/1676-174-0x0000000005650000-0x00000000059A4000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 851851ae444b9c3fb26f8959d462c4c6 |
| SHA1 | 11e1b09b0c18a5daea0c40e535710f9458448a19 |
| SHA256 | 0a6d1e5cbccef898a257f4d92218e33fb10554829393f3fddaffcede4f5476d5 |
| SHA512 | f5da3a25e141ed0918904e85f36dadb2628baa5d3785758ce59a27fe88d05d2ff36bb99d844f74bfacb16a713c4aaf8c23d525ea0053dba418207676ae8a8ba4 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 3be9144d4cd515075c9087c316ca6a96 |
| SHA1 | 6180b9d0c2113c9543dc1d4878084294ea5f3d89 |
| SHA256 | bd6a6deebc3fc207161ef76ee853157af42cb66b1874311aad6f0a04d8bd033c |
| SHA512 | 2d0b7345531edc0e15ad72d2ff1a7c4afdbe6030901a01dddce9aa9e00378fec764b139267d4f3ae92f31704c8e7645b396a05019213bcf18e57438c7a9e5c5b |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-15 23:41
Reported
2024-05-15 23:44
Platform
win11-20240426-en
Max time kernel
8s
Max time network
151s
Command Line
Signatures
Glupteba
Glupteba payload
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
UPX packed file
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1372 wrote to memory of 4428 | N/A | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1372 wrote to memory of 4428 | N/A | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1372 wrote to memory of 4428 | N/A | C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | "C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe | "C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\system32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" |
| C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\rss\csrss.exe | C:\Windows\rss\csrss.exe |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /delete /tn ScheduledUpdate /f |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\windefender.exe | "C:\Windows\windefender.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) |
| C:\Windows\SysWOW64\sc.exe | sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) |
| C:\Windows\windefender.exe | C:\Windows\windefender.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 6ec865f7-730b-4733-90d9-8a2637382f3e.uuid.dumppage.org | udp |
| US | 8.8.8.8:53 | server1.dumppage.org | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 74.125.250.129:19302 | stun.l.google.com | udp |
| BG | 185.82.216.111:443 | server1.dumppage.org | tcp |
| US | 104.21.94.82:443 | carsalessystem.com | tcp |
| BG | 185.82.216.111:443 | server1.dumppage.org | tcp |
| BG | 185.82.216.111:443 | server1.dumppage.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nlo3jvj4.bud.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | d0c46cad6c0778401e21910bd6b56b70 |
| SHA1 | 7be418951ea96326aca445b8dfe449b2bfa0dca6 |
| SHA256 | 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02 |
| SHA512 | 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | cd8ed0cb63c707660b16b97289b56f7f |
| SHA1 | 6dfdf5197ae643e388eb8922926be2d93c47aa8c |
| SHA256 | 26a7d316f0e89cb36e2e9ba8cb91b800c5075743f59108616066bc48aef1c671 |
| SHA512 | 3c45cfe14cf2ea080c9c0118ebdff613f33b7bdb9748339385b116f23e6f34d57b77ea6c8cbaecea05ee476cf1b8045fe1bcda812bfc6d69d4a6e10245b83683 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | c37cb92d23d77e684d4cb86bcc405c70 |
| SHA1 | c0dfb4734af42c665fbf120a4f4af347eb8d8669 |
| SHA256 | 5df6a5e55b25ab668fde4010a590c62e98853d4b25f847da2c404e8886d89465 |
| SHA512 | dd663fb777f4a563f41866761381f1dce0ab73be948e587df870c7cf83dc5ad3ef89f7b1750918b67f2092c2161d64fbb4b58bee4de3371638655662ac3400d9 |
C:\Windows\rss\csrss.exe
| MD5 | 37dd4d82523bbfb21204e7f533525b6f |
| SHA1 | ee3e26ea8f51d5030ed5c8eb4bc5c55a084082d3 |
| SHA256 | 2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e |
| SHA512 | 6f6717ad6eed49d06eac3c90e4246f756f1cac7a4fba9f01bad477912b7496e5e146cd182b9ed8084f51e4cafd56ff117842aa92b2398977178688ca1ccc6b50 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | b030f02698257f47086e6c290fa7b2c2 |
| SHA1 | f21948b4ba8fbcf9dfb9abbceaf0c50e2979d6ec |
| SHA256 | 2650565dcee17a6513ef92a138d0096f575c7c8c6a9b1187b8543e4d423f65aa |
| SHA512 | f4398251070e4478fcff1e05682aca580b64230496ecbfc814650050a9a60a83ef4b7d7a446ccf1a02540b783ac0b8d19abdddc7b368b3626c79a86ead8edea6 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 04b954d32a4318ec7c472a724363d40f |
| SHA1 | bc134de2840c67986467e3f749c589e32a4558b8 |
| SHA256 | 58e066f18ce25f828c1198db64214aec691efbfb80bd5667df9d34bbefe17973 |
| SHA512 | cce9ffbd82d0e6f8c4e29d2a44b29ead9694537e3c5fe30cbf937110c689de282cd13a06e3b0681204018649252801d2c28f9056576e0a5d283e92790d9e141c |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | d20239e9f029557bbe0c22d5dcc03c64 |
| SHA1 | ea29013794f0c9ecccb910bfd7cac7d3e77aa50b |
| SHA256 | 5042e2393f400f2275e18b9c5058f006d41bda2a8481ba8f5c18ac23799602b3 |
| SHA512 | 9e795000e0a959c67c86733f90f5840a4236a676ed214b9c659037dc6e247472603d733d5a9f70facc441c74c3fb72f7768d5b33005cd3665e79120df33f4075 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |