glupteba | 5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe

Analysis

max time kernel
5s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Size

4.1MB
MD5

1d35f09e0200f704c353ff86e41ae598
SHA1

1b23fcf206682e25b717282bfecaa37647a8a27f
SHA256

5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe
SHA512

73989621781b01977e41eed7328d8204846a90e10d3ecbcdf9eafb60183253508b8ddfd6338b5eedf47b81417949113b969177a094f2af5402fefd48ac0230f7
SSDEEP

98304:r7sgfTqZm7fywQIpjGUn+cmloZHued8miXbTsPufBvNZ:rzgmDywQg+foZ8mw6Sv

Score

10^/10

glupteba dropper evasion execution loader upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4440-2-0x0000000004930000-0x000000000521B000-memory.dmp	family_glupteba
behavioral1/memory/4440-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4440-105-0x0000000004930000-0x000000000521B000-memory.dmp	family_glupteba
behavioral1/memory/4440-144-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral1/memory/4440-181-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4776-208-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral1/memory/4632-215-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral1/memory/4632-226-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral1/memory/4632-230-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral1/memory/4632-234-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral1/memory/4632-238-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral1/memory/4632-242-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral1/memory/4632-246-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral1/memory/4632-250-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral1/memory/4632-254-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral1/memory/4632-258-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral1/memory/4632-262-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral1/memory/4632-266-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exe

pid	Process
2384	netsh.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x00080000000233f9-218.dat	upx
behavioral1/memory/1188-220-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1188-224-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/3444-223-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/3444-228-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/3444-236-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid	Process
4512	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1088	powershell.exe
3644	powershell.exe
3380	powershell.exe
3392	powershell.exe
4072	powershell.exe
1068	powershell.exe
2528	powershell.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
2424	schtasks.exe
2136	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exe5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe

pid	Process
1068	powershell.exe
1068	powershell.exe
4440	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
4440	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exe5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe

description	pid	Process
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	4440	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
Token: SeImpersonatePrivilege	4440	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe

description	pid	Process	procid_target
PID 4440 wrote to memory of 1068	4440	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe	84
PID 4440 wrote to memory of 1068	4440	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe	84
PID 4440 wrote to memory of 1068	4440	5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe	84

C:\Users\Admin\AppData\Local\Temp\5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
"C:\Users\Admin\AppData\Local\Temp\5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1068
- C:\Users\Admin\AppData\Local\Temp\5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe
  "C:\Users\Admin\AppData\Local\Temp\5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe.exe"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4776
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2528
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:4284
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:2384
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1088
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3644
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:4632
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3380
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2424
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:4996
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3392
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4072
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:3388
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2136
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:1188
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:4836
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:4512

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x5mqwqko.hrq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
8419901ecf7eebb1a7d3506b58d0afe1

SHA1
983d8fb926d7bbd5a7bee1dabbe7c1d5faf353c2

SHA256
44dadc0e592ad96295939e84f8e3de593a9ff6032af32ba70c8d57f298136d3f

SHA512
2bb43aa3fb16a6b6ee00f1dac826bcdb6fcd00e724fe14143adb058446eb880e589d115880eeddd509e7cb28bb15931d76fa6c7f97024d19e5b472e69e3bfd5d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
f9bd8b1b52cda49a73a6c8ad584ed452

SHA1
708921dcea548e3105d638b8fda01a3194bf8576

SHA256
bfe3e950082643f6a056f037aa6fee8d8d8bb1d411147ffa5c8e55a2357bf488

SHA512
c720b3a19f418430e773c039d7b5a57a1ac0f1c10a2ef2cf668c190fc1f05ceff749694356e60ae65235b5b5fd89d1f3330c33e7b965266463200117d84ff80b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
295f08749cc760d1a58f9885c1bcfbbb

SHA1
fad0d5067bea6ab857fed2d3c0ba7a128cba9340

SHA256
6c3da88dfca71e6ff58f81628e3cc075bb6e1eb1a030c75ae6a6d15b439f6963

SHA512
dae78bee95530f992ed0e7b49c687c63407a98238e6ad26160001c3553631d8d227743d9fe2e0b100bb4c131ab9fe8e8991b76e2cde9f81d75945c2d3f77a0f2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
c91496fcadb3c331823f1810ffc1d4ea

SHA1
683a86bb838734932309f0fb42dde63f5ef7ee0b

SHA256
3dd45341cf1495cff475b07df7e2b8db901eca50b38bbf7aed1ff275aa1d84e7

SHA512
a52e9c93d91a17f74dc30a634f43ccb8a282f397e9ee4013cf8cd8e2bb6af3898a36617189d9fbf3acd050bb3ccd77e578a1141b96808e0d0ebc89215eef4ad1

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
0078673a6d9c995b65c5d8258c3c9a42

SHA1
0a505caef61b8f8a87c80f854352a3ac90909198

SHA256
98b0bae4ddf7b92dade87ef3962378fbd4a48d3770d1e13c44133b5f81c17514

SHA512
02e5a71fe209305b66bab9b617d322027a9ba31e075d597a139cf1f03fec0c2f2229fe18bf32b059184892aed3d9a2554b9764582ce836124fc61a9c400364cd

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
1d35f09e0200f704c353ff86e41ae598

SHA1
1b23fcf206682e25b717282bfecaa37647a8a27f

SHA256
5a202ed04f1254c2b5bef089059452ac378576a6603ffaa39d647113da29d3fe

SHA512
73989621781b01977e41eed7328d8204846a90e10d3ecbcdf9eafb60183253508b8ddfd6338b5eedf47b81417949113b969177a094f2af5402fefd48ac0230f7

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/1068-30-0x00000000705C0000-0x0000000070914000-memory.dmp

Filesize
3.3MB

Download
memory/1068-45-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/1068-24-0x0000000006D60000-0x0000000006DA4000-memory.dmp

Filesize
272KB

Download
memory/1068-25-0x0000000007B00000-0x0000000007B76000-memory.dmp

Filesize
472KB

Download
memory/1068-27-0x0000000007BA0000-0x0000000007BBA000-memory.dmp

Filesize
104KB

Download
memory/1068-26-0x0000000008200000-0x000000000887A000-memory.dmp

Filesize
6.5MB

Download
memory/1068-29-0x0000000070440000-0x000000007048C000-memory.dmp

Filesize
304KB

Download
memory/1068-31-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/1068-41-0x0000000007DA0000-0x0000000007DBE000-memory.dmp

Filesize
120KB

Download
memory/1068-42-0x0000000007DC0000-0x0000000007E63000-memory.dmp

Filesize
652KB

Download
memory/1068-22-0x00000000067E0000-0x00000000067FE000-memory.dmp

Filesize
120KB

Download
memory/1068-28-0x0000000007D60000-0x0000000007D92000-memory.dmp

Filesize
200KB

Download
memory/1068-43-0x0000000007EB0000-0x0000000007EBA000-memory.dmp

Filesize
40KB

Download
memory/1068-44-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/1068-46-0x0000000007FC0000-0x0000000008056000-memory.dmp

Filesize
600KB

Download
memory/1068-23-0x0000000006810000-0x000000000685C000-memory.dmp

Filesize
304KB

Download
memory/1068-47-0x0000000007EC0000-0x0000000007ED1000-memory.dmp

Filesize
68KB

Download
memory/1068-48-0x0000000007F00000-0x0000000007F0E000-memory.dmp

Filesize
56KB

Download
memory/1068-49-0x0000000007F20000-0x0000000007F34000-memory.dmp

Filesize
80KB

Download
memory/1068-51-0x0000000007F60000-0x0000000007F68000-memory.dmp

Filesize
32KB

Download
memory/1068-50-0x0000000007F70000-0x0000000007F8A000-memory.dmp

Filesize
104KB

Download
memory/1068-54-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/1068-21-0x00000000062F0000-0x0000000006644000-memory.dmp

Filesize
3.3MB

Download
memory/1068-11-0x0000000006180000-0x00000000061E6000-memory.dmp

Filesize
408KB

Download
memory/1068-10-0x0000000006110000-0x0000000006176000-memory.dmp

Filesize
408KB

Download
memory/1068-9-0x0000000005910000-0x0000000005932000-memory.dmp

Filesize
136KB

Download
memory/1068-8-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/1068-7-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/1068-6-0x00000000059B0000-0x0000000005FD8000-memory.dmp

Filesize
6.2MB

Download
memory/1068-5-0x0000000003200000-0x0000000003236000-memory.dmp

Filesize
216KB

Download
memory/1068-4-0x00000000745AE000-0x00000000745AF000-memory.dmp

Filesize
4KB

Download
memory/1088-95-0x0000000070BC0000-0x0000000070F14000-memory.dmp

Filesize
3.3MB

Download
memory/1088-94-0x0000000070440000-0x000000007048C000-memory.dmp

Filesize
304KB

Download
memory/1188-224-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1188-220-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2528-78-0x0000000007730000-0x00000000077D3000-memory.dmp

Filesize
652KB

Download
memory/2528-79-0x0000000007A40000-0x0000000007A51000-memory.dmp

Filesize
68KB

Download
memory/2528-67-0x0000000070440000-0x000000007048C000-memory.dmp

Filesize
304KB

Download
memory/2528-80-0x0000000007A90000-0x0000000007AA4000-memory.dmp

Filesize
80KB

Download
memory/2528-65-0x0000000005EF0000-0x0000000006244000-memory.dmp

Filesize
3.3MB

Download
memory/2528-68-0x0000000070BC0000-0x0000000070F14000-memory.dmp

Filesize
3.3MB

Download
memory/3380-146-0x00000000705C0000-0x0000000070914000-memory.dmp

Filesize
3.3MB

Download
memory/3380-145-0x0000000070440000-0x000000007048C000-memory.dmp

Filesize
304KB

Download
memory/3392-169-0x0000000070360000-0x00000000703AC000-memory.dmp

Filesize
304KB

Download
memory/3392-157-0x0000000005D60000-0x00000000060B4000-memory.dmp

Filesize
3.3MB

Download
memory/3392-168-0x00000000069A0000-0x00000000069EC000-memory.dmp

Filesize
304KB

Download
memory/3392-180-0x00000000076D0000-0x0000000007773000-memory.dmp

Filesize
652KB

Download
memory/3392-170-0x0000000070AF0000-0x0000000070E44000-memory.dmp

Filesize
3.3MB

Download
memory/3392-182-0x0000000007830000-0x0000000007841000-memory.dmp

Filesize
68KB

Download
memory/3392-183-0x0000000006220000-0x0000000006234000-memory.dmp

Filesize
80KB

Download
memory/3444-228-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3444-223-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3444-236-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3644-117-0x0000000070440000-0x000000007048C000-memory.dmp

Filesize
304KB

Download
memory/3644-118-0x0000000070BC0000-0x0000000070F14000-memory.dmp

Filesize
3.3MB

Download
memory/4072-194-0x0000000005690000-0x00000000059E4000-memory.dmp

Filesize
3.3MB

Download
memory/4072-196-0x0000000070360000-0x00000000703AC000-memory.dmp

Filesize
304KB

Download
memory/4072-197-0x0000000070510000-0x0000000070864000-memory.dmp

Filesize
3.3MB

Download
memory/4440-105-0x0000000004930000-0x000000000521B000-memory.dmp

Filesize
8.9MB

Download
memory/4440-66-0x0000000004530000-0x0000000004930000-memory.dmp

Filesize
4.0MB

Download
memory/4440-1-0x0000000004530000-0x0000000004930000-memory.dmp

Filesize
4.0MB

Download
memory/4440-181-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4440-2-0x0000000004930000-0x000000000521B000-memory.dmp

Filesize
8.9MB

Download
memory/4440-144-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/4440-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4632-242-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/4632-226-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/4632-230-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/4632-234-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/4632-215-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/4632-238-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/4632-270-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/4632-246-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/4632-258-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/4632-254-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/4632-250-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/4632-262-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/4632-266-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/4776-208-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download