glupteba | 0dac8a3fe3c63611b49db21b2756b781cc4c9117c64007e0c23e6d3e7ca9ee49

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dac8a3fe3c63611b49db21b2756b781cc4c9117c64007e0c23e6d3e7ca9ee49.exe
Size

8.7MB
MD5

ceae65ee17ff158877706edfe2171501
SHA1

b1f807080da9c25393c85f5d57105090f5629500
SHA256

0dac8a3fe3c63611b49db21b2756b781cc4c9117c64007e0c23e6d3e7ca9ee49
SHA512

5214febfab691b53ca132e75e217e82a77e438250695d521dbf6bc1770d828f2e79a0070fd746a73e29acc11bf9a62ceafb1cf85547c7c0178d49a740ff9ae7b
SSDEEP

196608:drdPa3Pl8j7Ke1k6N25U0agbrT6NZ+t0ZGhsYN6mQwclTm2:d5P08KeDQtSb+t0ZEJQwcTm

Score

10^/10

glupteba xmrig discovery dropper evasion execution loader miner persistence privilege_escalation rootkit upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 15 IoCs

resource	yara_rule
behavioral2/memory/768-91-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/5112-167-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1864-249-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1864-318-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1864-323-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1864-325-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1864-331-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1864-333-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1864-337-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1864-339-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1864-341-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1864-343-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1864-345-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1864-347-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1864-349-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral2/memory/5044-312-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/5044-314-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/5044-313-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/5044-311-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/5044-309-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/5044-308-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/5044-315-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/5044-316-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/5044-317-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4404	powershell.exe
3120	powershell.exe
2720	powershell.exe
2440	powershell.exe
1284	powershell.exe
4472	powershell.exe
772	powershell.exe
3144	powershell.exe
3364	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4648	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	0dac8a3fe3c63611b49db21b2756b781cc4c9117c64007e0c23e6d3e7ca9ee49.exe

Executes dropped EXE 8 IoCs

pid	Process
768	288c47bbc1871b439df19ff4df68f076.exe
696	InstallSetup4.exe
2560	FourthX.exe
2868	BroomSetup.exe
5112	288c47bbc1871b439df19ff4df68f076.exe
1864	csrss.exe
1064	injector.exe
2428	vueqjgslwynd.exe

Loads dropped DLL 4 IoCs

pid	Process
696	InstallSetup4.exe
696	InstallSetup4.exe
696	InstallSetup4.exe
696	InstallSetup4.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5044-304-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5044-307-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5044-312-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5044-314-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5044-313-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5044-311-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5044-309-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5044-308-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5044-306-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5044-303-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5044-305-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5044-315-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5044-316-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5044-317-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
58	pastebin.com
59	pastebin.com

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	FourthX.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	vueqjgslwynd.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2428 set thread context of 744	2428	vueqjgslwynd.exe	152
PID 2428 set thread context of 5044	2428	vueqjgslwynd.exe	155

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	288c47bbc1871b439df19ff4df68f076.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	288c47bbc1871b439df19ff4df68f076.exe
File created	C:\Windows\rss\csrss.exe	288c47bbc1871b439df19ff4df68f076.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
640	sc.exe
1540	sc.exe
408	sc.exe
1416	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1672	768	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0dac8a3fe3c63611b49db21b2756b781cc4c9117c64007e0c23e6d3e7ca9ee49.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallSetup4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BroomSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	288c47bbc1871b439df19ff4df68f076.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	288c47bbc1871b439df19ff4df68f076.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2076	schtasks.exe
2792	schtasks.exe
4060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3144	powershell.exe
3144	powershell.exe
768	288c47bbc1871b439df19ff4df68f076.exe
768	288c47bbc1871b439df19ff4df68f076.exe
3364	powershell.exe
3364	powershell.exe
3364	powershell.exe
5112	288c47bbc1871b439df19ff4df68f076.exe
5112	288c47bbc1871b439df19ff4df68f076.exe
5112	288c47bbc1871b439df19ff4df68f076.exe
5112	288c47bbc1871b439df19ff4df68f076.exe
5112	288c47bbc1871b439df19ff4df68f076.exe
5112	288c47bbc1871b439df19ff4df68f076.exe
5112	288c47bbc1871b439df19ff4df68f076.exe
5112	288c47bbc1871b439df19ff4df68f076.exe
5112	288c47bbc1871b439df19ff4df68f076.exe
5112	288c47bbc1871b439df19ff4df68f076.exe
2720	powershell.exe
2720	powershell.exe
2720	powershell.exe
2440	powershell.exe
2440	powershell.exe
2440	powershell.exe
1284	powershell.exe
1284	powershell.exe
1284	powershell.exe
4472	powershell.exe
4472	powershell.exe
4472	powershell.exe
772	powershell.exe
772	powershell.exe
772	powershell.exe
1064	injector.exe
1064	injector.exe
1064	injector.exe
1064	injector.exe
1064	injector.exe
1064	injector.exe
1064	injector.exe
1864	csrss.exe
1064	injector.exe
1864	csrss.exe
1064	injector.exe
1064	injector.exe
1064	injector.exe
1064	injector.exe
2560	FourthX.exe
4404	powershell.exe
4404	powershell.exe
1864	csrss.exe
4404	powershell.exe
1864	csrss.exe
1064	injector.exe
1064	injector.exe
2560	FourthX.exe
2560	FourthX.exe
2560	FourthX.exe
2560	FourthX.exe
2560	FourthX.exe
2428	vueqjgslwynd.exe
3120	powershell.exe
3120	powershell.exe
3120	powershell.exe
1064	injector.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	768	288c47bbc1871b439df19ff4df68f076.exe
Token: SeImpersonatePrivilege	768	288c47bbc1871b439df19ff4df68f076.exe
Token: SeDebugPrivilege	3364	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeSystemEnvironmentPrivilege	1864	csrss.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	3120	powershell.exe
Token: SeLockMemoryPrivilege	5044	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2868	BroomSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 768	852	0dac8a3fe3c63611b49db21b2756b781cc4c9117c64007e0c23e6d3e7ca9ee49.exe	87
PID 852 wrote to memory of 768	852	0dac8a3fe3c63611b49db21b2756b781cc4c9117c64007e0c23e6d3e7ca9ee49.exe	87
PID 852 wrote to memory of 768	852	0dac8a3fe3c63611b49db21b2756b781cc4c9117c64007e0c23e6d3e7ca9ee49.exe	87
PID 852 wrote to memory of 696	852	0dac8a3fe3c63611b49db21b2756b781cc4c9117c64007e0c23e6d3e7ca9ee49.exe	88
PID 852 wrote to memory of 696	852	0dac8a3fe3c63611b49db21b2756b781cc4c9117c64007e0c23e6d3e7ca9ee49.exe	88
PID 852 wrote to memory of 696	852	0dac8a3fe3c63611b49db21b2756b781cc4c9117c64007e0c23e6d3e7ca9ee49.exe	88
PID 852 wrote to memory of 2560	852	0dac8a3fe3c63611b49db21b2756b781cc4c9117c64007e0c23e6d3e7ca9ee49.exe	89
PID 852 wrote to memory of 2560	852	0dac8a3fe3c63611b49db21b2756b781cc4c9117c64007e0c23e6d3e7ca9ee49.exe	89
PID 696 wrote to memory of 2868	696	InstallSetup4.exe	90
PID 696 wrote to memory of 2868	696	InstallSetup4.exe	90
PID 696 wrote to memory of 2868	696	InstallSetup4.exe	90
PID 2868 wrote to memory of 3260	2868	BroomSetup.exe	92
PID 2868 wrote to memory of 3260	2868	BroomSetup.exe	92
PID 2868 wrote to memory of 3260	2868	BroomSetup.exe	92
PID 3260 wrote to memory of 3624	3260	cmd.exe	94
PID 3260 wrote to memory of 3624	3260	cmd.exe	94
PID 3260 wrote to memory of 3624	3260	cmd.exe	94
PID 3260 wrote to memory of 2076	3260	cmd.exe	95
PID 3260 wrote to memory of 2076	3260	cmd.exe	95
PID 3260 wrote to memory of 2076	3260	cmd.exe	95
PID 768 wrote to memory of 3144	768	288c47bbc1871b439df19ff4df68f076.exe	96
PID 768 wrote to memory of 3144	768	288c47bbc1871b439df19ff4df68f076.exe	96
PID 768 wrote to memory of 3144	768	288c47bbc1871b439df19ff4df68f076.exe	96
PID 5112 wrote to memory of 3364	5112	288c47bbc1871b439df19ff4df68f076.exe	107
PID 5112 wrote to memory of 3364	5112	288c47bbc1871b439df19ff4df68f076.exe	107
PID 5112 wrote to memory of 3364	5112	288c47bbc1871b439df19ff4df68f076.exe	107
PID 5112 wrote to memory of 1548	5112	288c47bbc1871b439df19ff4df68f076.exe	111
PID 5112 wrote to memory of 1548	5112	288c47bbc1871b439df19ff4df68f076.exe	111
PID 1548 wrote to memory of 4648	1548	cmd.exe	113
PID 1548 wrote to memory of 4648	1548	cmd.exe	113
PID 5112 wrote to memory of 2720	5112	288c47bbc1871b439df19ff4df68f076.exe	114
PID 5112 wrote to memory of 2720	5112	288c47bbc1871b439df19ff4df68f076.exe	114
PID 5112 wrote to memory of 2720	5112	288c47bbc1871b439df19ff4df68f076.exe	114
PID 5112 wrote to memory of 2440	5112	288c47bbc1871b439df19ff4df68f076.exe	116
PID 5112 wrote to memory of 2440	5112	288c47bbc1871b439df19ff4df68f076.exe	116
PID 5112 wrote to memory of 2440	5112	288c47bbc1871b439df19ff4df68f076.exe	116
PID 5112 wrote to memory of 1864	5112	288c47bbc1871b439df19ff4df68f076.exe	118
PID 5112 wrote to memory of 1864	5112	288c47bbc1871b439df19ff4df68f076.exe	118
PID 5112 wrote to memory of 1864	5112	288c47bbc1871b439df19ff4df68f076.exe	118
PID 1864 wrote to memory of 1284	1864	csrss.exe	119
PID 1864 wrote to memory of 1284	1864	csrss.exe	119
PID 1864 wrote to memory of 1284	1864	csrss.exe	119
PID 1864 wrote to memory of 4472	1864	csrss.exe	125
PID 1864 wrote to memory of 4472	1864	csrss.exe	125
PID 1864 wrote to memory of 4472	1864	csrss.exe	125
PID 1864 wrote to memory of 772	1864	csrss.exe	127
PID 1864 wrote to memory of 772	1864	csrss.exe	127
PID 1864 wrote to memory of 772	1864	csrss.exe	127
PID 1864 wrote to memory of 1064	1864	csrss.exe	129
PID 1864 wrote to memory of 1064	1864	csrss.exe	129
PID 4160 wrote to memory of 2940	4160	cmd.exe	140
PID 4160 wrote to memory of 2940	4160	cmd.exe	140
PID 2428 wrote to memory of 744	2428	vueqjgslwynd.exe	152
PID 2428 wrote to memory of 744	2428	vueqjgslwynd.exe	152
PID 2428 wrote to memory of 744	2428	vueqjgslwynd.exe	152
PID 2428 wrote to memory of 744	2428	vueqjgslwynd.exe	152
PID 2428 wrote to memory of 744	2428	vueqjgslwynd.exe	152
PID 2428 wrote to memory of 744	2428	vueqjgslwynd.exe	152
PID 2428 wrote to memory of 744	2428	vueqjgslwynd.exe	152
PID 2428 wrote to memory of 744	2428	vueqjgslwynd.exe	152
PID 2428 wrote to memory of 744	2428	vueqjgslwynd.exe	152
PID 1808 wrote to memory of 1784	1808	cmd.exe	154
PID 1808 wrote to memory of 1784	1808	cmd.exe	154
PID 2428 wrote to memory of 5044	2428	vueqjgslwynd.exe	155

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0dac8a3fe3c63611b49db21b2756b781cc4c9117c64007e0c23e6d3e7ca9ee49.exe
"C:\Users\Admin\AppData\Local\Temp\0dac8a3fe3c63611b49db21b2756b781cc4c9117c64007e0c23e6d3e7ca9ee49.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:852
- C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
  "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3144
- - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
    "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1548
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4648
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2720
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2440
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Manipulates WinMonFS driver.
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1864
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2792
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:2820
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4472
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1064
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 920
    3⤵
    - Program crash
    PID:1672
- C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3260
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3624
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2076
- C:\Users\Admin\AppData\Local\Temp\FourthX.exe
  "C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2560
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4160
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:2940
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "UTIXDCVF"
    3⤵
    - Launches sc.exe
    PID:408
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:1416
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:640
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "UTIXDCVF"
    3⤵
    - Launches sc.exe
    PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 768 -ip 768
1⤵
PID:3060

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1784
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:744
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
4.1MB

MD5
d122f827c4fc73f9a06d7f6f2d08cd95

SHA1
cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5

SHA256
b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc

SHA512
8755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

Filesize
4.7MB

MD5
5e94f0f6265f9e8b2f706f1d46bbd39e

SHA1
d0189cba430f5eea07efe1ab4f89adf5ae2453db

SHA256
50a46b3120da828502ef0caba15defbad004a3adb88e6eacf1f9604572e2d503

SHA512
473dfa66a36feed9b29a43245074141478327ce22ba7cce512599379dcb783b4d665e2d65c5e9750b988c7ed8f6c3349a7a12d4b8b57c89840eee6ca6e1a30cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\FourthX.exe

Filesize
2.5MB

MD5
b03886cb64c04b828b6ec1b2487df4a4

SHA1
a7b9a99950429611931664950932f0e5525294a4

SHA256
5dfaa8987f5d0476b835140d8a24fb1d9402e390bbe92b8565da09581bd895fc

SHA512
21d1a5a4a218411c2ec29c9ca34ce321f6514e7ca3891eded8c3274aeb230051661a86eda373b9a006554e067de89d816aa1fa864acf0934bbb16a6034930659

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

Filesize
2.0MB

MD5
28b72e7425d6d224c060d3cf439c668c

SHA1
a0a14c90e32e1ffd82558f044c351ad785e4dcd8

SHA256
460ba492fbc3163b80bc40813d840e50feb84166db7a300392669afd21132d98

SHA512
3e0696b4135f3702da054b80d98a8485fb7f3002c4148a327bc790b0d33c62d442c01890cc047af19a17a149c8c8eb84777c4ff313c95ec6af64a8bf0b2d54b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3lsmyi44.js1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8FCD.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
dd074d005292568cb98452af173ee99b

SHA1
b5328f9f29fc00e14394f77c64cac529de087c7c

SHA256
4e88f5ac9d52deedbe3bccd6b0bb4713901e7eb303f1ee68b42479136bac61a7

SHA512
45a8718c3c3a733ea478d88901bf71fee8aa70b88536ec62cdccbfa9dc97824270bdb829e50fa7d73b66985770e287449cbffc41dc18727206424beaf8e7383f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
1032f31faa217ae9ac28c80b657ab774

SHA1
2c8ddfe3c72432c333583236c252ee91dd60cf6c

SHA256
e22092f10f69326075956b970e368ab2b5c5a537250f019a6eba9a7e529d2a7c

SHA512
267f6e50605ef60816f25665fc07b91a44729719c8c489358d35faeb48ba13d3a7c528b28f5f6c0e88f51e12bde5e9fcf114aa7efce5cefb348c634c5524a651

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
b68717b577c46de65f9dae79010107fc

SHA1
a1e3cc10d5e6ca636d9a72f15005e2b20e61e78d

SHA256
861437966de9842634aac0c527036881b3ae151da47c3b8bc86c970a05fdded3

SHA512
e178292dc179b39835911afe090eb3a9d34f80f1aa37470618dcba4186da07922bce6f1a170195b3aae662a18560700bda3774294cad19fba84095550700e2d9

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
7dcc3d93c59d20614c189946cc944ac4

SHA1
4e0626d9db26c0516dbb16e536cb0bbe83e7423f

SHA256
762ee2eff6c81d8eae54f0032debcdb18dd32276e766bbba636a18017c48e880

SHA512
0b49ef5667f38369851c7b2d2655dc816dfc412403f9060b85bdbbade1508e302bd01d06b98f34133ee90af3efa1d2ecc82cc4fca32b43e8337ef913b16c6d1d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
ad448fbf9b035e1379db1e659d27ffd0

SHA1
5acd02b2dda53a5f3f0cd21ce132600d5a227e7f

SHA256
7a283b2a751381030b1c957f90a5fe7bbf723c3efed999e6d3987ab24dbc9c60

SHA512
2921e1735eaac5ab81c81573799ae348b8095fdd9480f24049e035becd2b360d9e3d0d421263b6ad82e5ac4cb65955eb2be5fcbf1d26a7e6d2641bbdc1ddf834

Download Submit
memory/744-295-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/744-299-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/744-302-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/744-298-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/744-297-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/744-296-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/768-91-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/768-41-0x00000000029D0000-0x0000000002DCC000-memory.dmp

Filesize
4.0MB

Download
memory/772-232-0x0000000071950000-0x0000000071CA4000-memory.dmp

Filesize
3.3MB

Download
memory/772-231-0x00000000724B0000-0x00000000724FC000-memory.dmp

Filesize
304KB

Download
memory/852-0-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download
memory/852-1-0x0000000000810000-0x00000000010C6000-memory.dmp

Filesize
8.7MB

Download
memory/1284-180-0x0000000071900000-0x000000007194C000-memory.dmp

Filesize
304KB

Download
memory/1284-181-0x0000000071950000-0x0000000071CA4000-memory.dmp

Filesize
3.3MB

Download
memory/1864-343-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1864-318-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1864-333-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1864-347-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1864-345-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1864-339-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1864-331-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1864-325-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1864-341-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1864-349-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1864-323-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1864-337-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1864-249-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2440-152-0x0000000071950000-0x0000000071CA4000-memory.dmp

Filesize
3.3MB

Download
memory/2440-151-0x0000000071900000-0x000000007194C000-memory.dmp

Filesize
304KB

Download
memory/2720-129-0x0000000071900000-0x000000007194C000-memory.dmp

Filesize
304KB

Download
memory/2720-130-0x0000000071950000-0x0000000071CA4000-memory.dmp

Filesize
3.3MB

Download
memory/2868-162-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/3120-292-0x000001D1466B0000-0x000001D1466BA000-memory.dmp

Filesize
40KB

Download
memory/3120-284-0x000001D146430000-0x000001D14644C000-memory.dmp

Filesize
112KB

Download
memory/3120-285-0x000001D146450000-0x000001D146505000-memory.dmp

Filesize
724KB

Download
memory/3120-286-0x000001D146510000-0x000001D14651A000-memory.dmp

Filesize
40KB

Download
memory/3120-287-0x000001D146680000-0x000001D14669C000-memory.dmp

Filesize
112KB

Download
memory/3120-288-0x000001D146660000-0x000001D14666A000-memory.dmp

Filesize
40KB

Download
memory/3120-289-0x000001D1466C0000-0x000001D1466DA000-memory.dmp

Filesize
104KB

Download
memory/3120-290-0x000001D146670000-0x000001D146678000-memory.dmp

Filesize
32KB

Download
memory/3120-291-0x000001D1466A0000-0x000001D1466A6000-memory.dmp

Filesize
24KB

Download
memory/3144-61-0x00000000067E0000-0x000000000682C000-memory.dmp

Filesize
304KB

Download
memory/3144-46-0x00000000052C0000-0x00000000058E8000-memory.dmp

Filesize
6.2MB

Download
memory/3144-68-0x0000000071950000-0x0000000071CA4000-memory.dmp

Filesize
3.3MB

Download
memory/3144-62-0x00000000066D0000-0x0000000006714000-memory.dmp

Filesize
272KB

Download
memory/3144-63-0x0000000007510000-0x0000000007586000-memory.dmp

Filesize
472KB

Download
memory/3144-59-0x0000000005BD0000-0x0000000005F24000-memory.dmp

Filesize
3.3MB

Download
memory/3144-64-0x0000000007C10000-0x000000000828A000-memory.dmp

Filesize
6.5MB

Download
memory/3144-65-0x0000000007590000-0x00000000075AA000-memory.dmp

Filesize
104KB

Download
memory/3144-49-0x0000000005B60000-0x0000000005BC6000-memory.dmp

Filesize
408KB

Download
memory/3144-78-0x0000000007790000-0x00000000077AE000-memory.dmp

Filesize
120KB

Download
memory/3144-66-0x0000000007750000-0x0000000007782000-memory.dmp

Filesize
200KB

Download
memory/3144-79-0x00000000077B0000-0x0000000007853000-memory.dmp

Filesize
652KB

Download
memory/3144-80-0x00000000078A0000-0x00000000078AA000-memory.dmp

Filesize
40KB

Download
memory/3144-81-0x0000000007960000-0x00000000079F6000-memory.dmp

Filesize
600KB

Download
memory/3144-82-0x00000000078C0000-0x00000000078D1000-memory.dmp

Filesize
68KB

Download
memory/3144-83-0x0000000007900000-0x000000000790E000-memory.dmp

Filesize
56KB

Download
memory/3144-67-0x0000000072510000-0x000000007255C000-memory.dmp

Filesize
304KB

Download
memory/3144-86-0x0000000007950000-0x0000000007958000-memory.dmp

Filesize
32KB

Download
memory/3144-85-0x0000000007A00000-0x0000000007A1A000-memory.dmp

Filesize
104KB

Download
memory/3144-84-0x0000000007910000-0x0000000007924000-memory.dmp

Filesize
80KB

Download
memory/3144-48-0x0000000005AF0000-0x0000000005B56000-memory.dmp

Filesize
408KB

Download
memory/3144-47-0x0000000005950000-0x0000000005972000-memory.dmp

Filesize
136KB

Download
memory/3144-60-0x00000000061D0000-0x00000000061EE000-memory.dmp

Filesize
120KB

Download
memory/3144-45-0x0000000004BF0000-0x0000000004C26000-memory.dmp

Filesize
216KB

Download
memory/3364-101-0x0000000005F00000-0x0000000005F4C000-memory.dmp

Filesize
304KB

Download
memory/3364-102-0x0000000071900000-0x000000007194C000-memory.dmp

Filesize
304KB

Download
memory/3364-103-0x0000000071950000-0x0000000071CA4000-memory.dmp

Filesize
3.3MB

Download
memory/3364-113-0x0000000007010000-0x00000000070B3000-memory.dmp

Filesize
652KB

Download
memory/3364-114-0x0000000007350000-0x0000000007361000-memory.dmp

Filesize
68KB

Download
memory/3364-115-0x00000000073A0000-0x00000000073B4000-memory.dmp

Filesize
80KB

Download
memory/4404-250-0x0000024221360000-0x0000024221382000-memory.dmp

Filesize
136KB

Download
memory/4472-202-0x0000000006330000-0x000000000637C000-memory.dmp

Filesize
304KB

Download
memory/4472-216-0x00000000060D0000-0x00000000060E4000-memory.dmp

Filesize
80KB

Download
memory/4472-203-0x00000000724B0000-0x00000000724FC000-memory.dmp

Filesize
304KB

Download
memory/4472-204-0x0000000071950000-0x0000000071CA4000-memory.dmp

Filesize
3.3MB

Download
memory/4472-214-0x0000000007500000-0x00000000075A3000-memory.dmp

Filesize
652KB

Download
memory/4472-215-0x0000000007880000-0x0000000007891000-memory.dmp

Filesize
68KB

Download
memory/5044-305-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5044-307-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5044-316-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5044-317-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5044-313-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5044-314-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5044-312-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5044-315-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5044-310-0x0000000000DD0000-0x0000000000DF0000-memory.dmp

Filesize
128KB

Download
memory/5044-304-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5044-311-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5044-303-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5044-306-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5044-308-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5044-309-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5112-167-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download