glupteba | 51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744

General

Target

51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Size

3.8MB
MD5

0d5405d0c31b0b5179c2d1623e7c3ac1
SHA1

bd9135dd36e3ea7ee7e6711db7cbf3c68db65fdc
SHA256

51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744
SHA512

0da93164a3619a52d8f9c82de2d7697cc490e775787bfc22963852fa27edc7b93d0a09d2b154783c175f00a8247f0cbcbd6f69f1bc71b52a7a8a67915192def2

Score

10^/10

glupteba dropper evasion loader persistence

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2220-131-0x0000000004140000-0x000000000482F000-memory.dmp	family_glupteba
behavioral2/memory/2220-132-0x0000000000400000-0x0000000003A7F000-memory.dmp	family_glupteba
behavioral2/memory/3800-137-0x0000000000400000-0x0000000003A7F000-memory.dmp	family_glupteba
behavioral2/memory/5000-144-0x0000000000400000-0x0000000003A7F000-memory.dmp	family_glupteba

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 4632 created 2220 4632 svchost.exe 51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

5000 csrss.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

description	pid	process	target process
PID 4632 created 2220	4632	svchost.exe	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe

pid	process
5000	csrss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WeatheredFire = "\"C:\\Windows\\rss\\csrss.exe\""	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe

Drops file in Windows directory 2 IoCs

Processes:

51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe

description	ioc	process
File opened for modification	C:\Windows\rss	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
File created	C:\Windows\rss\csrss.exe	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.execsrss.exe

pid	process
2220	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
2220	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
2220	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
2220	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
2220	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
2220	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
2220	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
2220	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
3800	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
3800	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
3800	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
3800	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
3800	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
3800	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
5000	csrss.exe
5000	csrss.exe
5000	csrss.exe
5000	csrss.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2220	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Token: SeImpersonatePrivilege	2220	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
Token: SeTcbPrivilege	4632	svchost.exe
Token: SeTcbPrivilege	4632	svchost.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

svchost.exe51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.execmd.execmd.exe

description	pid	process	target process
PID 4632 wrote to memory of 3800	4632	svchost.exe	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
PID 4632 wrote to memory of 3800	4632	svchost.exe	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
PID 4632 wrote to memory of 3800	4632	svchost.exe	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
PID 3800 wrote to memory of 3212	3800	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe	cmd.exe
PID 3800 wrote to memory of 3212	3800	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe	cmd.exe
PID 3212 wrote to memory of 1292	3212	cmd.exe	netsh.exe
PID 3212 wrote to memory of 1292	3212	cmd.exe	netsh.exe
PID 3800 wrote to memory of 1716	3800	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe	cmd.exe
PID 3800 wrote to memory of 1716	3800	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe	cmd.exe
PID 1716 wrote to memory of 4472	1716	cmd.exe	netsh.exe
PID 1716 wrote to memory of 4472	1716	cmd.exe	netsh.exe
PID 3800 wrote to memory of 5000	3800	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe	csrss.exe
PID 3800 wrote to memory of 5000	3800	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe	csrss.exe
PID 3800 wrote to memory of 5000	3800	51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
"C:\Users\Admin\AppData\Local\Temp\51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Users\Admin\AppData\Local\Temp\51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe
"C:\Users\Admin\AppData\Local\Temp\51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744.exe"
2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:3212

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
PID:1292

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes
4⤵
PID:4472

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\rss\csrss.exe
Filesize
3.8MB

MD5
0d5405d0c31b0b5179c2d1623e7c3ac1

SHA1
bd9135dd36e3ea7ee7e6711db7cbf3c68db65fdc

SHA256
51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744

SHA512
0da93164a3619a52d8f9c82de2d7697cc490e775787bfc22963852fa27edc7b93d0a09d2b154783c175f00a8247f0cbcbd6f69f1bc71b52a7a8a67915192def2

Download Submit
C:\Windows\rss\csrss.exe
Filesize
3.8MB

MD5
0d5405d0c31b0b5179c2d1623e7c3ac1

SHA1
bd9135dd36e3ea7ee7e6711db7cbf3c68db65fdc

SHA256
51baa76cb69b58bb9c5d89dd0d410fb9e1ab18d763f85a94973786309a6b9744

SHA512
0da93164a3619a52d8f9c82de2d7697cc490e775787bfc22963852fa27edc7b93d0a09d2b154783c175f00a8247f0cbcbd6f69f1bc71b52a7a8a67915192def2

Download Submit
memory/1292-136-0x0000000000000000-mapping.dmp

Download
memory/1716-138-0x0000000000000000-mapping.dmp

Download
memory/2220-131-0x0000000004140000-0x000000000482F000-memory.dmp

Filesize
6.9MB

Download
memory/2220-132-0x0000000000400000-0x0000000003A7F000-memory.dmp

Filesize
54.5MB

Download
memory/2220-130-0x0000000003D8D000-0x0000000004131000-memory.dmp

Filesize
3.6MB

Download
memory/3212-135-0x0000000000000000-mapping.dmp

Download
memory/3800-133-0x0000000000000000-mapping.dmp

Download
memory/3800-137-0x0000000000400000-0x0000000003A7F000-memory.dmp

Filesize
54.5MB

Download
memory/3800-134-0x0000000003E6A000-0x000000000420E000-memory.dmp

Filesize
3.6MB

Download
memory/4472-139-0x0000000000000000-mapping.dmp

Download
memory/5000-140-0x0000000000000000-mapping.dmp

Download
memory/5000-143-0x0000000004000000-0x00000000043A4000-memory.dmp

Filesize
3.6MB

Download
memory/5000-144-0x0000000000400000-0x0000000003A7F000-memory.dmp

Filesize
54.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads