glupteba | 9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6

Analysis

max time kernel
147s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2024 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Size

4.1MB
MD5

e59b7db2feafff7bdbc8f43c93aa2656
SHA1

c880c19367fe2680be08ffd44fd7337f3a8eb8f8
SHA256

9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6
SHA512

5e34f5c4dc7f62ef8370f78cb9632f7248fa245cbdec13568b326bb4e4d08c1e4d986da753543e38798fafa478bd1ebafae147f1e9049fca74fcd4d5416f2d85
SSDEEP

98304:zmSOHuT7egJLhRTCVEkOCdqjiWtSbuAFmh92S:z0ObLh9WfG/tSdeR

Score

10^/10

glupteba dropper evasion execution loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 14 IoCs

resource	yara_rule
behavioral1/memory/1152-2-0x00000000049C0000-0x00000000052AB000-memory.dmp	family_glupteba
behavioral1/memory/1152-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1152-4-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral1/memory/1152-10-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral1/memory/1152-13-0x00000000049C0000-0x00000000052AB000-memory.dmp	family_glupteba
behavioral1/memory/1152-23-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1152-42-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral1/memory/1152-60-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral1/memory/1152-71-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral1/memory/1152-96-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral1/memory/3304-99-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral1/memory/3304-115-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral1/memory/3304-153-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral1/memory/3304-158-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4388	netsh.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
636	powershell.exe
2076	powershell.exe
736	powershell.exe
2932	powershell.exe
2456	powershell.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
636	powershell.exe
636	powershell.exe
636	powershell.exe
1152	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
1152	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
2076	powershell.exe
2076	powershell.exe
3304	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
3304	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
3304	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
3304	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
3304	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
3304	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
3304	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
3304	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
3304	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
3304	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
736	powershell.exe
736	powershell.exe
2932	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	636	powershell.exe
Token: SeDebugPrivilege	1152	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Token: SeImpersonatePrivilege	1152	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	736	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 636	1152	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe	90
PID 1152 wrote to memory of 636	1152	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe	90
PID 1152 wrote to memory of 636	1152	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe	90
PID 3304 wrote to memory of 2076	3304	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe	103
PID 3304 wrote to memory of 2076	3304	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe	103
PID 3304 wrote to memory of 2076	3304	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe	103
PID 3304 wrote to memory of 4428	3304	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe	105
PID 3304 wrote to memory of 4428	3304	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe	105
PID 4428 wrote to memory of 4388	4428	cmd.exe	107
PID 4428 wrote to memory of 4388	4428	cmd.exe	107
PID 3304 wrote to memory of 736	3304	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe	108
PID 3304 wrote to memory of 736	3304	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe	108
PID 3304 wrote to memory of 736	3304	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe	108
PID 3304 wrote to memory of 2932	3304	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe	110
PID 3304 wrote to memory of 2932	3304	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe	110
PID 3304 wrote to memory of 2932	3304	9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe	110

C:\Users\Admin\AppData\Local\Temp\9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
"C:\Users\Admin\AppData\Local\Temp\9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:636
- C:\Users\Admin\AppData\Local\Temp\9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe
  "C:\Users\Admin\AppData\Local\Temp\9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6.exe"
  2⤵
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2076
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4388
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:736
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:1772
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4spwqddt.bh0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
50f4bce3ba69663a9069e1d9bba15fc7

SHA1
46aea6162010e4d73035a0f7ea977e199eb78ccf

SHA256
6e79c7cced50d85fa98bc38dfa45d2e87b64c26e38012410854420f384c98cec

SHA512
75637bb97b42fe38df81f05c1a1f40b46fb67892abee06ce7a9a73acf4d1652075a87b0e6edf239fa99662ffa55b515bc8a110e772c69bdd77c467a1fe7b75c3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
7ac55eaf5aca2d5a96ee3bfb7ac06d54

SHA1
2fe2b0a201f84bafbc39a61962531ca809986698

SHA256
1e8d1049d3d59f274bd50af83d83eed9c0124668ad22e56ad5476025a6855166

SHA512
1c463e0abb9f7452214fd72520796ea7d023ab5005a1c5f5ccf4fd06874217c2b18ac82a1dae3899bb7483b0f77b93837b4ad33b47838cb0d9863a833bda1ac4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
d6fd9344cb883fc7890a4c0bc047ebe3

SHA1
7d40b96bf484148767a7d860f13b9759d747612a

SHA256
e79d2a35f09dddb323216f79158f8435d08b32f09bfcd13d80b3c59e05ba79e0

SHA512
b4f11199d355da5e753d4cd4f96471b655a6caa3eb3923826076defb26948f6abbba5b73e577bbc7b00e81bde938895af018df72237d35c8eec485ffb79d330a

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
e59b7db2feafff7bdbc8f43c93aa2656

SHA1
c880c19367fe2680be08ffd44fd7337f3a8eb8f8

SHA256
9f30f3399edea44909a53bb0761b1d3c68dce9171aab5a3e920a5a7e2899c2c6

SHA512
5e34f5c4dc7f62ef8370f78cb9632f7248fa245cbdec13568b326bb4e4d08c1e4d986da753543e38798fafa478bd1ebafae147f1e9049fca74fcd4d5416f2d85

Download Submit
memory/636-57-0x00000000073A0000-0x0000000007443000-memory.dmp

Filesize
652KB

Download
memory/636-39-0x0000000007070000-0x00000000070E6000-memory.dmp

Filesize
472KB

Download
memory/636-9-0x0000000004F20000-0x0000000005548000-memory.dmp

Filesize
6.2MB

Download
memory/636-61-0x0000000007540000-0x00000000075D6000-memory.dmp

Filesize
600KB

Download
memory/636-67-0x00000000009A0000-0x00000000009BA000-memory.dmp

Filesize
104KB

Download
memory/636-12-0x0000000004C70000-0x0000000004C92000-memory.dmp

Filesize
136KB

Download
memory/636-66-0x0000000007520000-0x0000000007534000-memory.dmp

Filesize
80KB

Download
memory/636-14-0x0000000004E10000-0x0000000004E76000-memory.dmp

Filesize
408KB

Download
memory/636-15-0x0000000004E80000-0x0000000004EE6000-memory.dmp

Filesize
408KB

Download
memory/636-7-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/636-21-0x0000000005710000-0x0000000005A64000-memory.dmp

Filesize
3.3MB

Download
memory/636-5-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

Filesize
4KB

Download
memory/636-29-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

Filesize
4KB

Download
memory/636-62-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/636-31-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/636-32-0x0000000005D50000-0x0000000005D6E000-memory.dmp

Filesize
120KB

Download
memory/636-33-0x0000000005E20000-0x0000000005E6C000-memory.dmp

Filesize
304KB

Download
memory/636-35-0x0000000006250000-0x0000000006294000-memory.dmp

Filesize
272KB

Download
memory/636-38-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/636-68-0x0000000000990000-0x0000000000998000-memory.dmp

Filesize
32KB

Download
memory/636-40-0x00000000077F0000-0x0000000007E6A000-memory.dmp

Filesize
6.5MB

Download
memory/636-41-0x00000000071A0000-0x00000000071BA000-memory.dmp

Filesize
104KB

Download
memory/636-6-0x0000000002770000-0x00000000027A6000-memory.dmp

Filesize
216KB

Download
memory/636-43-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/636-44-0x0000000007360000-0x0000000007392000-memory.dmp

Filesize
200KB

Download
memory/636-45-0x00000000709A0000-0x00000000709EC000-memory.dmp

Filesize
304KB

Download
memory/636-46-0x0000000071140000-0x0000000071494000-memory.dmp

Filesize
3.3MB

Download
memory/636-56-0x0000000007110000-0x000000000712E000-memory.dmp

Filesize
120KB

Download
memory/636-73-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/636-59-0x0000000007490000-0x000000000749A000-memory.dmp

Filesize
40KB

Download
memory/636-8-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/636-72-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/636-30-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/636-63-0x0000000007320000-0x0000000007331000-memory.dmp

Filesize
68KB

Download
memory/636-65-0x0000000007350000-0x000000000735E000-memory.dmp

Filesize
56KB

Download
memory/736-116-0x00000000709A0000-0x00000000709EC000-memory.dmp

Filesize
304KB

Download
memory/736-117-0x0000000071140000-0x0000000071494000-memory.dmp

Filesize
3.3MB

Download
memory/1152-60-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/1152-42-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/1152-71-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/1152-1-0x00000000045B0000-0x00000000049B4000-memory.dmp

Filesize
4.0MB

Download
memory/1152-2-0x00000000049C0000-0x00000000052AB000-memory.dmp

Filesize
8.9MB

Download
memory/1152-10-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/1152-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1152-4-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/1152-96-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/1152-11-0x00000000045B0000-0x00000000049B4000-memory.dmp

Filesize
4.0MB

Download
memory/1152-13-0x00000000049C0000-0x00000000052AB000-memory.dmp

Filesize
8.9MB

Download
memory/1152-23-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2076-97-0x0000000007B30000-0x0000000007BD3000-memory.dmp

Filesize
652KB

Download
memory/2076-100-0x0000000007EC0000-0x0000000007ED4000-memory.dmp

Filesize
80KB

Download
memory/2076-84-0x0000000006350000-0x00000000066A4000-memory.dmp

Filesize
3.3MB

Download
memory/2076-98-0x0000000007E70000-0x0000000007E81000-memory.dmp

Filesize
68KB

Download
memory/2076-85-0x00000000709A0000-0x00000000709EC000-memory.dmp

Filesize
304KB

Download
memory/2076-86-0x0000000071120000-0x0000000071474000-memory.dmp

Filesize
3.3MB

Download
memory/2456-168-0x0000000006480000-0x00000000067D4000-memory.dmp

Filesize
3.3MB

Download
memory/2932-139-0x00000000709A0000-0x00000000709EC000-memory.dmp

Filesize
304KB

Download
memory/2932-140-0x0000000070B40000-0x0000000070E94000-memory.dmp

Filesize
3.3MB

Download
memory/2932-137-0x0000000005FC0000-0x0000000006314000-memory.dmp

Filesize
3.3MB

Download
memory/3304-153-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/3304-158-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/3304-115-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/3304-99-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download