glupteba | 95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1

Analysis

max time kernel
14s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
16/05/2024, 12:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Size

4.1MB
MD5

f3f1ea24c7557fd69b44b32d848b7aa6
SHA1

f18c7bcbb3231c8147bb799f2e8d1b46bcf30acb
SHA256

95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1
SHA512

7b32346d7bb6fe4465b611e3b615a9a9061d767c4fe67136f988902f0a8e6d694a0d5e2459719387345f8704ac39b6807ae7e58921011c9add028633bc23a710
SSDEEP

98304:kl9GTbLtL99uWlQGfUFGGhNMfnjCzwWu2csDCx3z+tX:JT3oWlQMUAMlWxj+tX

Score

10^/10

glupteba dropper evasion execution loader persistence

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 4 IoCs

resource	yara_rule
behavioral2/memory/5104-2-0x0000000002E30000-0x000000000371B000-memory.dmp	family_glupteba
behavioral2/memory/5104-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/5104-96-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/5104-98-0x0000000002E30000-0x000000000371B000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1192	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
1348	csrss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
File created	C:\Windows\rss\csrss.exe	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
236	powershell.exe
2864	powershell.exe
3004	powershell.exe
2280	powershell.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3004	powershell.exe
3004	powershell.exe
5104	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
5104	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
2280	powershell.exe
2280	powershell.exe
3316	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
3316	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
3316	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
3316	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
3316	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
3316	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
3316	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
3316	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
3316	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
3316	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
236	powershell.exe
236	powershell.exe
2864	powershell.exe
2864	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	5104	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Token: SeImpersonatePrivilege	5104	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	236	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 3004	5104	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe	82
PID 5104 wrote to memory of 3004	5104	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe	82
PID 5104 wrote to memory of 3004	5104	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe	82
PID 3316 wrote to memory of 2280	3316	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe	87
PID 3316 wrote to memory of 2280	3316	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe	87
PID 3316 wrote to memory of 2280	3316	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe	87
PID 3316 wrote to memory of 5084	3316	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe	89
PID 3316 wrote to memory of 5084	3316	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe	89
PID 5084 wrote to memory of 1192	5084	cmd.exe	91
PID 5084 wrote to memory of 1192	5084	cmd.exe	91
PID 3316 wrote to memory of 236	3316	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe	92
PID 3316 wrote to memory of 236	3316	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe	92
PID 3316 wrote to memory of 236	3316	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe	92
PID 3316 wrote to memory of 2864	3316	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe	94
PID 3316 wrote to memory of 2864	3316	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe	94
PID 3316 wrote to memory of 2864	3316	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe	94
PID 3316 wrote to memory of 1348	3316	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe	96
PID 3316 wrote to memory of 1348	3316	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe	96
PID 3316 wrote to memory of 1348	3316	95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe	96

C:\Users\Admin\AppData\Local\Temp\95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
"C:\Users\Admin\AppData\Local\Temp\95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Users\Admin\AppData\Local\Temp\95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe
  "C:\Users\Admin\AppData\Local\Temp\95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1.exe"
  2⤵
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3316
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2280
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5084
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1192
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:236
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2864
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Executes dropped EXE
    PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dkcb0yp1.5a1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
c951c79a2ae10d7a0752916e2070186e

SHA1
2684429dfa2a749e98fe257f32260e354de1b1b1

SHA256
1a54805b48878d93a59f69e287c54d6f35d091515531dab1133b3659f189fdf5

SHA512
eda92de22080f888f90459272c29a4e8af59254b516d25020ee0a7918a9b610bf4330921f4fcc886292b57a832101cfa6442554ecf30dd50544be12bc89af617

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
28acbd7a0b571467e295018381333868

SHA1
fb0b599a074c801914331e8277fca37c1e38ae8e

SHA256
0b367a5d21e56464c178ba89303ae05d9c829c81f995c2749902195c8341a1b9

SHA512
cc26fb71eca6992533dc71d3fc9f0b40df335d7d1b057e1f48703bb845b4cf38994569e1e7fa0eab1c246793c1a46342c4b9899fa3c9ca9aa79219afc6c1d682

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
f3f1ea24c7557fd69b44b32d848b7aa6

SHA1
f18c7bcbb3231c8147bb799f2e8d1b46bcf30acb

SHA256
95d1a8a93f18e1da9b7dc25215409c2c7244cef17a9c7ab5c7bfa5c4cb7611c1

SHA512
7b32346d7bb6fe4465b611e3b615a9a9061d767c4fe67136f988902f0a8e6d694a0d5e2459719387345f8704ac39b6807ae7e58921011c9add028633bc23a710

Download Submit
memory/236-87-0x0000000070880000-0x0000000070BD7000-memory.dmp

Filesize
3.3MB

Download
memory/236-86-0x0000000070700000-0x000000007074C000-memory.dmp

Filesize
304KB

Download
memory/2280-73-0x0000000007860000-0x0000000007875000-memory.dmp

Filesize
84KB

Download
memory/2280-62-0x0000000070880000-0x0000000070BD7000-memory.dmp

Filesize
3.3MB

Download
memory/2280-72-0x0000000007810000-0x0000000007821000-memory.dmp

Filesize
68KB

Download
memory/2280-71-0x0000000007500000-0x00000000075A4000-memory.dmp

Filesize
656KB

Download
memory/2280-61-0x0000000070700000-0x000000007074C000-memory.dmp

Filesize
304KB

Download
memory/2864-109-0x0000000070700000-0x000000007074C000-memory.dmp

Filesize
304KB

Download
memory/2864-110-0x0000000070880000-0x0000000070BD7000-memory.dmp

Filesize
3.3MB

Download
memory/3004-20-0x0000000005B10000-0x0000000005E67000-memory.dmp

Filesize
3.3MB

Download
memory/3004-47-0x00000000076B0000-0x00000000076B8000-memory.dmp

Filesize
32KB

Download
memory/3004-25-0x0000000070700000-0x000000007074C000-memory.dmp

Filesize
304KB

Download
memory/3004-26-0x0000000070880000-0x0000000070BD7000-memory.dmp

Filesize
3.3MB

Download
memory/3004-35-0x0000000007440000-0x000000000745E000-memory.dmp

Filesize
120KB

Download
memory/3004-37-0x0000000074490000-0x0000000074C41000-memory.dmp

Filesize
7.7MB

Download
memory/3004-36-0x0000000007460000-0x0000000007504000-memory.dmp

Filesize
656KB

Download
memory/3004-24-0x00000000073E0000-0x0000000007414000-memory.dmp

Filesize
208KB

Download
memory/3004-38-0x0000000074490000-0x0000000074C41000-memory.dmp

Filesize
7.7MB

Download
memory/3004-39-0x0000000007BD0000-0x000000000824A000-memory.dmp

Filesize
6.5MB

Download
memory/3004-40-0x0000000007580000-0x000000000759A000-memory.dmp

Filesize
104KB

Download
memory/3004-41-0x00000000075C0000-0x00000000075CA000-memory.dmp

Filesize
40KB

Download
memory/3004-42-0x00000000076D0000-0x0000000007766000-memory.dmp

Filesize
600KB

Download
memory/3004-43-0x00000000075E0000-0x00000000075F1000-memory.dmp

Filesize
68KB

Download
memory/3004-44-0x0000000007630000-0x000000000763E000-memory.dmp

Filesize
56KB

Download
memory/3004-45-0x0000000007640000-0x0000000007655000-memory.dmp

Filesize
84KB

Download
memory/3004-46-0x0000000007690000-0x00000000076AA000-memory.dmp

Filesize
104KB

Download
memory/3004-23-0x0000000006410000-0x0000000006456000-memory.dmp

Filesize
280KB

Download
memory/3004-50-0x0000000074490000-0x0000000074C41000-memory.dmp

Filesize
7.7MB

Download
memory/3004-4-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/3004-22-0x0000000006020000-0x000000000606C000-memory.dmp

Filesize
304KB

Download
memory/3004-21-0x0000000005FD0000-0x0000000005FEE000-memory.dmp

Filesize
120KB

Download
memory/3004-5-0x0000000002B30000-0x0000000002B66000-memory.dmp

Filesize
216KB

Download
memory/3004-10-0x0000000005A30000-0x0000000005A96000-memory.dmp

Filesize
408KB

Download
memory/3004-11-0x0000000005AA0000-0x0000000005B06000-memory.dmp

Filesize
408KB

Download
memory/3004-9-0x0000000005990000-0x00000000059B2000-memory.dmp

Filesize
136KB

Download
memory/3004-8-0x0000000074490000-0x0000000074C41000-memory.dmp

Filesize
7.7MB

Download
memory/3004-7-0x0000000074490000-0x0000000074C41000-memory.dmp

Filesize
7.7MB

Download
memory/3004-6-0x0000000005360000-0x000000000598A000-memory.dmp

Filesize
6.2MB

Download
memory/3316-52-0x0000000002A40000-0x0000000002E42000-memory.dmp

Filesize
4.0MB

Download
memory/5104-96-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5104-98-0x0000000002E30000-0x000000000371B000-memory.dmp

Filesize
8.9MB

Download
memory/5104-97-0x0000000002A20000-0x0000000002E24000-memory.dmp

Filesize
4.0MB

Download
memory/5104-1-0x0000000002A20000-0x0000000002E24000-memory.dmp

Filesize
4.0MB

Download
memory/5104-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5104-2-0x0000000002E30000-0x000000000371B000-memory.dmp

Filesize
8.9MB

Download