glupteba | 4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf

Analysis

max time kernel
6s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Size

4.1MB
MD5

5d17844c9a1fcee8877929627b5602ff
SHA1

c5c43db67b05d6c3ba6ebec78e4d9068066cd308
SHA256

4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf
SHA512

a315f1ea29f6f67809cf18fc519e8ea34d8a806fef94b5be1bb9f6fafd4eb078e5cc91873b953c46ae90831924e25849a92c39a1b5109f2eee92279f0e0b99c7
SSDEEP

98304:sX33DbWGkLHuFK+TwQmBC6reQ4TTNXYvI8KgvjrB0rs:sXPWAwQyCdJYw8Kggs

Score

10^/10

glupteba dropper evasion execution loader upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 17 IoCs

resource	yara_rule
behavioral1/memory/3372-2-0x00000000048D0000-0x00000000051BB000-memory.dmp	family_glupteba
behavioral1/memory/3372-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3372-57-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3372-58-0x00000000048D0000-0x00000000051BB000-memory.dmp	family_glupteba
behavioral1/memory/3372-55-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral1/memory/3808-175-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral1/memory/2180-220-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral1/memory/2180-231-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral1/memory/2180-235-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral1/memory/2180-237-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral1/memory/2180-240-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral1/memory/2180-243-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral1/memory/2180-246-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral1/memory/2180-250-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral1/memory/2180-252-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral1/memory/2180-255-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral1/memory/2180-258-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
748	netsh.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000234bb-224.dat	upx
behavioral1/memory/4072-226-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2804-228-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/4072-230-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2804-233-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2804-239-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4188	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4196	powershell.exe
2420	powershell.exe
3124	powershell.exe
2276	powershell.exe
3968	powershell.exe
3188	powershell.exe
3076	powershell.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1932	schtasks.exe
4836	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3124	powershell.exe
3124	powershell.exe
3372	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
3372	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
2276	powershell.exe
2276	powershell.exe
2276	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	3372	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Token: SeImpersonatePrivilege	3372	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
Token: SeDebugPrivilege	2276	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 3124	3372	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe	87
PID 3372 wrote to memory of 3124	3372	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe	87
PID 3372 wrote to memory of 3124	3372	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe	87
PID 3808 wrote to memory of 2276	3808	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe	96
PID 3808 wrote to memory of 2276	3808	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe	96
PID 3808 wrote to memory of 2276	3808	4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe	96

C:\Users\Admin\AppData\Local\Temp\4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
"C:\Users\Admin\AppData\Local\Temp\4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3124
- C:\Users\Admin\AppData\Local\Temp\4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe
  "C:\Users\Admin\AppData\Local\Temp\4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf.exe"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2276
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:1336
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:748
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3968
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3188
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:2180
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3076
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:1932
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:3768
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4196
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:3000
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:4836
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:4072
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:4256
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:4188

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_luvvucrl.4ic.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
7763ae65f0cd970101f211cb3b7dd0ca

SHA1
53f0388a72ff6840995d02fb662b7084f32116ec

SHA256
411942904df6dab8628ad0e8e5cde757d3b5f297da40aaad90435469ce597f2b

SHA512
b0b00e95e7253501f570935bd7abc7d3049f5fb69e8d36823bc86cb172eacef67a71606cc0ce225d7f0114e7449ad87b513a41386b9e62af3637ec33ffe8d6fd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
001e472737afd2e4aa0efe75ade477ee

SHA1
8c25c73d1b46a54efd68091f369bd8c999f1d368

SHA256
21ec05cd0ca7e6ae0febed548d088986e38fd2f95a2a6607c50078734df4d3ab

SHA512
e874c0dbc4c828bccb5c0aad62239322a5a4359f89ae2acfdfbf44eefe52d8ffbee82203aef1ed7855f39bb2373305962171523c95d24ad4b34dc36c44f7b463

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
459e15c2907b8133453ff8281335609e

SHA1
b4e0c83e6060a77b878976e312f3885e888b33ed

SHA256
f33b5422fa18163a0ee45838616630f7eb9c6dc6ca00c177d9aaedf84074214a

SHA512
380ef42c12ceb8deec6d703ee4cf9b91f54021bca9c8c3bdb13607cfa138899c60a38b5d7cbf5744018b63a5a4643442c036e6331197f22fc704024d579d74c3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
a0cd11b59c33623f0b4f68ccbe605325

SHA1
a2bbd15b22e029c64135ed9419901bdd249bd5a0

SHA256
c6607bc6399c8073142246b91e88ae1023353b7333e4c782d48963b96ce32f2f

SHA512
64de780b36265d9cc3839031c8e193627628bff28e4003aa7b3eb2ce0b000f38b85aa8887393ba593b9c90a27b83b1ed274ea59b918c69f999b0dbe6b14053de

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
7b557e482c5fc6b47e5de54f3d63b7c3

SHA1
92822dde578aeafe2efee1dc4d48cf49e349425e

SHA256
e57881fb4f067084449f1c2eb6c4861803944cab50470d7403b46316ae27c086

SHA512
0bd2ab1f3cafd891fda9367449fcc0683ab2124c82818af32a818c7bbb6844fc1bf25241096c2478640d3195182da04f9c48148217d5c21207a26f617d4f4274

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
5d17844c9a1fcee8877929627b5602ff

SHA1
c5c43db67b05d6c3ba6ebec78e4d9068066cd308

SHA256
4b1f7a21d63f7e7088eca3efb92986838b20fbd702ea041b5041f000f05eabaf

SHA512
a315f1ea29f6f67809cf18fc519e8ea34d8a806fef94b5be1bb9f6fafd4eb078e5cc91873b953c46ae90831924e25849a92c39a1b5109f2eee92279f0e0b99c7

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/2180-243-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/2180-252-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/2180-237-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/2180-235-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/2180-265-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/2180-231-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/2180-261-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/2180-240-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/2180-220-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/2180-246-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/2180-258-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/2180-255-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/2180-250-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/2276-69-0x0000000005FB0000-0x0000000005FFC000-memory.dmp

Filesize
304KB

Download
memory/2276-70-0x00000000707B0000-0x00000000707FC000-memory.dmp

Filesize
304KB

Download
memory/2276-82-0x00000000074A0000-0x00000000074B1000-memory.dmp

Filesize
68KB

Download
memory/2276-59-0x0000000005910000-0x0000000005C64000-memory.dmp

Filesize
3.3MB

Download
memory/2276-83-0x00000000074F0000-0x0000000007504000-memory.dmp

Filesize
80KB

Download
memory/2276-71-0x0000000070F40000-0x0000000071294000-memory.dmp

Filesize
3.3MB

Download
memory/2276-81-0x0000000006F60000-0x0000000007003000-memory.dmp

Filesize
652KB

Download
memory/2420-197-0x00000000056F0000-0x0000000005A44000-memory.dmp

Filesize
3.3MB

Download
memory/2420-203-0x0000000070630000-0x000000007067C000-memory.dmp

Filesize
304KB

Download
memory/2420-204-0x0000000070810000-0x0000000070B64000-memory.dmp

Filesize
3.3MB

Download
memory/2804-239-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2804-228-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2804-233-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3076-146-0x0000000006070000-0x00000000063C4000-memory.dmp

Filesize
3.3MB

Download
memory/3076-148-0x0000000006550000-0x000000000659C000-memory.dmp

Filesize
304KB

Download
memory/3076-150-0x0000000070890000-0x0000000070BE4000-memory.dmp

Filesize
3.3MB

Download
memory/3076-160-0x0000000007780000-0x0000000007823000-memory.dmp

Filesize
652KB

Download
memory/3076-149-0x0000000070710000-0x000000007075C000-memory.dmp

Filesize
304KB

Download
memory/3076-161-0x0000000007920000-0x0000000007931000-memory.dmp

Filesize
68KB

Download
memory/3076-162-0x0000000005D50000-0x0000000005D64000-memory.dmp

Filesize
80KB

Download
memory/3124-42-0x0000000007A30000-0x0000000007AD3000-memory.dmp

Filesize
652KB

Download
memory/3124-24-0x00000000067E0000-0x0000000006824000-memory.dmp

Filesize
272KB

Download
memory/3124-4-0x000000007481E000-0x000000007481F000-memory.dmp

Filesize
4KB

Download
memory/3124-5-0x0000000002E60000-0x0000000002E96000-memory.dmp

Filesize
216KB

Download
memory/3124-7-0x0000000005650000-0x0000000005C78000-memory.dmp

Filesize
6.2MB

Download
memory/3124-6-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/3124-8-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/3124-54-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/3124-9-0x0000000005490000-0x00000000054B2000-memory.dmp

Filesize
136KB

Download
memory/3124-10-0x0000000005D70000-0x0000000005DD6000-memory.dmp

Filesize
408KB

Download
memory/3124-51-0x0000000007BD0000-0x0000000007BD8000-memory.dmp

Filesize
32KB

Download
memory/3124-50-0x0000000007BE0000-0x0000000007BFA000-memory.dmp

Filesize
104KB

Download
memory/3124-49-0x0000000007B90000-0x0000000007BA4000-memory.dmp

Filesize
80KB

Download
memory/3124-48-0x0000000007B70000-0x0000000007B7E000-memory.dmp

Filesize
56KB

Download
memory/3124-47-0x0000000007B30000-0x0000000007B41000-memory.dmp

Filesize
68KB

Download
memory/3124-45-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/3124-46-0x0000000007C30000-0x0000000007CC6000-memory.dmp

Filesize
600KB

Download
memory/3124-44-0x0000000007B20000-0x0000000007B2A000-memory.dmp

Filesize
40KB

Download
memory/3124-43-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/3124-11-0x0000000005DE0000-0x0000000005E46000-memory.dmp

Filesize
408KB

Download
memory/3124-36-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/3124-21-0x0000000005F50000-0x00000000062A4000-memory.dmp

Filesize
3.3MB

Download
memory/3124-22-0x0000000006450000-0x000000000646E000-memory.dmp

Filesize
120KB

Download
memory/3124-23-0x0000000006490000-0x00000000064DC000-memory.dmp

Filesize
304KB

Download
memory/3124-25-0x0000000007570000-0x00000000075E6000-memory.dmp

Filesize
472KB

Download
memory/3124-27-0x0000000007810000-0x000000000782A000-memory.dmp

Filesize
104KB

Download
memory/3124-26-0x0000000007E70000-0x00000000084EA000-memory.dmp

Filesize
6.5MB

Download
memory/3124-28-0x00000000079D0000-0x0000000007A02000-memory.dmp

Filesize
200KB

Download
memory/3124-30-0x0000000070830000-0x0000000070B84000-memory.dmp

Filesize
3.3MB

Download
memory/3124-41-0x0000000007A10000-0x0000000007A2E000-memory.dmp

Filesize
120KB

Download
memory/3124-29-0x00000000706B0000-0x00000000706FC000-memory.dmp

Filesize
304KB

Download
memory/3188-120-0x00000000707B0000-0x00000000707FC000-memory.dmp

Filesize
304KB

Download
memory/3188-121-0x0000000070F40000-0x0000000071294000-memory.dmp

Filesize
3.3MB

Download
memory/3372-57-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3372-2-0x00000000048D0000-0x00000000051BB000-memory.dmp

Filesize
8.9MB

Download
memory/3372-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3372-58-0x00000000048D0000-0x00000000051BB000-memory.dmp

Filesize
8.9MB

Download
memory/3372-1-0x00000000044C0000-0x00000000048C1000-memory.dmp

Filesize
4.0MB

Download
memory/3372-55-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/3808-175-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/3968-98-0x00000000707B0000-0x00000000707FC000-memory.dmp

Filesize
304KB

Download
memory/3968-96-0x0000000005790000-0x0000000005AE4000-memory.dmp

Filesize
3.3MB

Download
memory/3968-99-0x0000000070930000-0x0000000070C84000-memory.dmp

Filesize
3.3MB

Download
memory/4072-230-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4072-226-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4196-178-0x0000000070E00000-0x0000000071154000-memory.dmp

Filesize
3.3MB

Download
memory/4196-173-0x00000000061C0000-0x0000000006514000-memory.dmp

Filesize
3.3MB

Download
memory/4196-176-0x0000000006E50000-0x0000000006E9C000-memory.dmp

Filesize
304KB

Download
memory/4196-177-0x0000000070630000-0x000000007067C000-memory.dmp

Filesize
304KB

Download
memory/4196-188-0x0000000007B90000-0x0000000007C33000-memory.dmp

Filesize
652KB

Download
memory/4196-189-0x0000000007E80000-0x0000000007E91000-memory.dmp

Filesize
68KB

Download
memory/4196-190-0x00000000066E0000-0x00000000066F4000-memory.dmp

Filesize
80KB

Download