glupteba | 096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f

Analysis

max time kernel
152s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2024 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Size

4.1MB
MD5

05c1758991956b63426592ffa8eb7442
SHA1

526e8e7561c05bb3aabf04c70f66c7cb306e5c45
SHA256

096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f
SHA512

a5e873a7df5614bac8433bd23397ab1c83576e1df2f6a6633cea2edc0e67dd1b0cdbf4594c923ad0b8f04e29fc43b12afdc0eedd1a834972eda2fea6e0769ad8
SSDEEP

98304:vQx32Mq02zAeaet/0/YHlEVnWsL/fnVsJseCa8CK6QwXNx08FC:4x32Mq02zAeLCVnWszfVfeCa8CLXv/E

Score

10^/10

glupteba dropper evasion execution loader persistence

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 13 IoCs

resource	yara_rule
behavioral2/memory/1600-2-0x0000000004DB0000-0x000000000569B000-memory.dmp	family_glupteba
behavioral2/memory/1600-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1600-4-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/1600-6-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/1600-12-0x0000000004DB0000-0x000000000569B000-memory.dmp	family_glupteba
behavioral2/memory/1600-13-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1600-58-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/1600-66-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1600-64-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/4704-67-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/4704-95-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/4704-120-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/4704-149-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4756	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
3448	csrss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
File created	C:\Windows\rss\csrss.exe	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2900	powershell.exe
3308	powershell.exe
2356	powershell.exe
3464	powershell.exe
556	powershell.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1528	4704	WerFault.exe	104

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2900	powershell.exe
2900	powershell.exe
2900	powershell.exe
1600	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
1600	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
3308	powershell.exe
3308	powershell.exe
3308	powershell.exe
4704	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
4704	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
4704	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
4704	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
4704	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
4704	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
4704	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
4704	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
4704	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
4704	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
2356	powershell.exe
2356	powershell.exe
2356	powershell.exe
3464	powershell.exe
3464	powershell.exe
3464	powershell.exe
556	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	1600	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Token: SeImpersonatePrivilege	1600	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
Token: SeDebugPrivilege	3308	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	3464	powershell.exe
Token: SeDebugPrivilege	556	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 2900	1600	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe	100
PID 1600 wrote to memory of 2900	1600	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe	100
PID 1600 wrote to memory of 2900	1600	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe	100
PID 4704 wrote to memory of 3308	4704	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe	105
PID 4704 wrote to memory of 3308	4704	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe	105
PID 4704 wrote to memory of 3308	4704	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe	105
PID 4704 wrote to memory of 640	4704	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe	107
PID 4704 wrote to memory of 640	4704	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe	107
PID 640 wrote to memory of 4756	640	cmd.exe	109
PID 640 wrote to memory of 4756	640	cmd.exe	109
PID 4704 wrote to memory of 2356	4704	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe	110
PID 4704 wrote to memory of 2356	4704	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe	110
PID 4704 wrote to memory of 2356	4704	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe	110
PID 4704 wrote to memory of 3464	4704	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe	112
PID 4704 wrote to memory of 3464	4704	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe	112
PID 4704 wrote to memory of 3464	4704	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe	112
PID 4704 wrote to memory of 3448	4704	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe	114
PID 4704 wrote to memory of 3448	4704	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe	114
PID 4704 wrote to memory of 3448	4704	096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe	114
PID 3448 wrote to memory of 556	3448	csrss.exe	118
PID 3448 wrote to memory of 556	3448	csrss.exe	118
PID 3448 wrote to memory of 556	3448	csrss.exe	118

C:\Users\Admin\AppData\Local\Temp\096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
"C:\Users\Admin\AppData\Local\Temp\096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- C:\Users\Admin\AppData\Local\Temp\096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe
  "C:\Users\Admin\AppData\Local\Temp\096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f.bin.exe"
  2⤵
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3308
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4756
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2356
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3464
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3448
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 472
    3⤵
    - Program crash
    PID:1528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4704 -ip 4704
1⤵
PID:560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ikgsn2sm.khm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
4055372a25aef00f6efbcdf2bca16555

SHA1
12316fef633a579e6146c065c473c7fde227d9ab

SHA256
0e16e0f43a255cafd590bbd343814e6d5f9f22104514150e9747669d406d4dba

SHA512
f4067500eaf0735e84c01fa7e6ff14634bbb14a82a97cf36c5aad32cbf84192948fdae36257f9504ad9b9d16be3d8f7c2d0b3e4b217b1104d7c7baaf98a9c508

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
6322f5dc254b62cf814d91118e148d7d

SHA1
853920a12581cb1a1fb7346a125d853505782c5d

SHA256
b5f4638795cf53e2452abc708f3164e224f070dd69249c74c213d46a98fd8033

SHA512
0d7b762c0bd9e9491f2a0a8f00f665b736e0db6636ad7e313c416ca1944800bbe2a1fb9917f5c05ce23aab6d51ee0384271ca0f20e5dd050ff8760cb1e59b4de

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
41cff324179ab46e16e6d85287005f35

SHA1
44f1e06392e210c93d30634f7fa57ba71d55513e

SHA256
2c3d33f3efd032f5aace2dafaaa682be91c54fe452d8acc95005c92e62115957

SHA512
7104ac40df32f066072c562298e9a674d935713d2fa23c0c32c70aa9b2e179ab447f4347c2010132df6914dff0051cd825b97cd7788b92f62cf824977f4c9a75

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
05c1758991956b63426592ffa8eb7442

SHA1
526e8e7561c05bb3aabf04c70f66c7cb306e5c45

SHA256
096d713534ca21ee4570ca48be0d00d2d49a057466c295885ae1710defed168f

SHA512
a5e873a7df5614bac8433bd23397ab1c83576e1df2f6a6633cea2edc0e67dd1b0cdbf4594c923ad0b8f04e29fc43b12afdc0eedd1a834972eda2fea6e0769ad8

Download Submit
memory/556-162-0x0000000006210000-0x000000000625C000-memory.dmp

Filesize
304KB

Download
memory/556-157-0x00000000058E0000-0x0000000005C34000-memory.dmp

Filesize
3.3MB

Download
memory/1600-6-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/1600-1-0x00000000049A0000-0x0000000004DA4000-memory.dmp

Filesize
4.0MB

Download
memory/1600-12-0x0000000004DB0000-0x000000000569B000-memory.dmp

Filesize
8.9MB

Download
memory/1600-9-0x00000000049A0000-0x0000000004DA4000-memory.dmp

Filesize
4.0MB

Download
memory/1600-4-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/1600-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1600-58-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/1600-66-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1600-2-0x0000000004DB0000-0x000000000569B000-memory.dmp

Filesize
8.9MB

Download
memory/1600-64-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/1600-13-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2356-104-0x00000000057B0000-0x0000000005B04000-memory.dmp

Filesize
3.3MB

Download
memory/2356-108-0x00000000700B0000-0x00000000700FC000-memory.dmp

Filesize
304KB

Download
memory/2356-109-0x0000000070870000-0x0000000070BC4000-memory.dmp

Filesize
3.3MB

Download
memory/2900-54-0x0000000007990000-0x00000000079A1000-memory.dmp

Filesize
68KB

Download
memory/2900-16-0x0000000005B90000-0x0000000005BF6000-memory.dmp

Filesize
408KB

Download
memory/2900-35-0x0000000007CD0000-0x000000000834A000-memory.dmp

Filesize
6.5MB

Download
memory/2900-36-0x0000000007670000-0x000000000768A000-memory.dmp

Filesize
104KB

Download
memory/2900-38-0x000000006FFB0000-0x000000006FFFC000-memory.dmp

Filesize
304KB

Download
memory/2900-39-0x0000000074110000-0x00000000748C0000-memory.dmp

Filesize
7.7MB

Download
memory/2900-37-0x0000000007850000-0x0000000007882000-memory.dmp

Filesize
200KB

Download
memory/2900-40-0x0000000070130000-0x0000000070484000-memory.dmp

Filesize
3.3MB

Download
memory/2900-50-0x0000000007830000-0x000000000784E000-memory.dmp

Filesize
120KB

Download
memory/2900-51-0x0000000007890000-0x0000000007933000-memory.dmp

Filesize
652KB

Download
memory/2900-52-0x0000000007980000-0x000000000798A000-memory.dmp

Filesize
40KB

Download
memory/2900-53-0x0000000007A90000-0x0000000007B26000-memory.dmp

Filesize
600KB

Download
memory/2900-33-0x0000000074110000-0x00000000748C0000-memory.dmp

Filesize
7.7MB

Download
memory/2900-55-0x0000000074110000-0x00000000748C0000-memory.dmp

Filesize
7.7MB

Download
memory/2900-56-0x00000000079D0000-0x00000000079DE000-memory.dmp

Filesize
56KB

Download
memory/2900-57-0x00000000079F0000-0x0000000007A04000-memory.dmp

Filesize
80KB

Download
memory/2900-31-0x00000000067D0000-0x0000000006814000-memory.dmp

Filesize
272KB

Download
memory/2900-59-0x0000000007A30000-0x0000000007A4A000-memory.dmp

Filesize
104KB

Download
memory/2900-60-0x0000000007A20000-0x0000000007A28000-memory.dmp

Filesize
32KB

Download
memory/2900-63-0x0000000074110000-0x00000000748C0000-memory.dmp

Filesize
7.7MB

Download
memory/2900-30-0x000000007411E000-0x000000007411F000-memory.dmp

Filesize
4KB

Download
memory/2900-29-0x0000000006350000-0x000000000639C000-memory.dmp

Filesize
304KB

Download
memory/2900-5-0x000000007411E000-0x000000007411F000-memory.dmp

Filesize
4KB

Download
memory/2900-7-0x0000000002C40000-0x0000000002C76000-memory.dmp

Filesize
216KB

Download
memory/2900-8-0x0000000074110000-0x00000000748C0000-memory.dmp

Filesize
7.7MB

Download
memory/2900-10-0x0000000074110000-0x00000000748C0000-memory.dmp

Filesize
7.7MB

Download
memory/2900-11-0x0000000005340000-0x0000000005968000-memory.dmp

Filesize
6.2MB

Download
memory/2900-15-0x0000000005A70000-0x0000000005A92000-memory.dmp

Filesize
136KB

Download
memory/2900-34-0x0000000007550000-0x00000000075C6000-memory.dmp

Filesize
472KB

Download
memory/2900-17-0x0000000005C70000-0x0000000005CD6000-memory.dmp

Filesize
408KB

Download
memory/2900-23-0x0000000005CE0000-0x0000000006034000-memory.dmp

Filesize
3.3MB

Download
memory/2900-28-0x0000000005C20000-0x0000000005C3E000-memory.dmp

Filesize
120KB

Download
memory/3308-80-0x0000000070850000-0x0000000070BA4000-memory.dmp

Filesize
3.3MB

Download
memory/3308-91-0x0000000007D80000-0x0000000007D91000-memory.dmp

Filesize
68KB

Download
memory/3308-90-0x0000000007A20000-0x0000000007AC3000-memory.dmp

Filesize
652KB

Download
memory/3308-92-0x0000000007DD0000-0x0000000007DE4000-memory.dmp

Filesize
80KB

Download
memory/3308-73-0x0000000006210000-0x0000000006564000-memory.dmp

Filesize
3.3MB

Download
memory/3308-78-0x0000000006D20000-0x0000000006D6C000-memory.dmp

Filesize
304KB

Download
memory/3308-79-0x00000000700B0000-0x00000000700FC000-memory.dmp

Filesize
304KB

Download
memory/3464-133-0x0000000070230000-0x0000000070584000-memory.dmp

Filesize
3.3MB

Download
memory/3464-132-0x00000000700B0000-0x00000000700FC000-memory.dmp

Filesize
304KB

Download
memory/3464-130-0x00000000062E0000-0x0000000006634000-memory.dmp

Filesize
3.3MB

Download
memory/4704-120-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/4704-149-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/4704-95-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/4704-67-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download