glupteba | c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9

General

Target

c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Size

3.8MB
MD5

c377d72ba0f1c8722df198e42bb9a1b6
SHA1

ee4a918581883a9b81a6b58c373453f026fa2ef5
SHA256

c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9
SHA512

ce72f7e72c83c8d05fc762156131b2f403e6b375e7d2a30f78c1b2ebfdedfe4cd1f7cad592428d202eee909a89daaabae9b4d8638b59d79ecddb5aa06025fe4c

Score

10^/10

glupteba dropper evasion loader persistence

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3716-131-0x00000000012F0000-0x00000000019DF000-memory.dmp	family_glupteba
behavioral2/memory/3716-132-0x0000000000400000-0x0000000000B49000-memory.dmp	family_glupteba
behavioral2/memory/3716-134-0x0000000000400000-0x0000000000B49000-memory.dmp	family_glupteba
behavioral2/memory/1932-136-0x0000000000400000-0x0000000000B49000-memory.dmp	family_glupteba
behavioral2/memory/1932-143-0x0000000000400000-0x0000000000B49000-memory.dmp	family_glupteba
behavioral2/memory/3144-146-0x0000000000400000-0x0000000000B49000-memory.dmp	family_glupteba
behavioral2/memory/3144-147-0x0000000000400000-0x0000000000B49000-memory.dmp	family_glupteba

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 1740 created 3716 1740 svchost.exe c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

3144 csrss.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

228 netsh.exe
1284 netsh.exe

description	pid	process	target process
PID 1740 created 3716	1740	svchost.exe	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe

pid	process
3144	csrss.exe

pid	process
228	netsh.exe
1284	netsh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SnowyBreeze = "\"C:\\Windows\\rss\\csrss.exe\""	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe

Drops file in Windows directory 2 IoCs

Processes:

c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe

description	ioc	process
File opened for modification	C:\Windows\rss	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
File created	C:\Windows\rss\csrss.exe	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

csrss.exec824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	csrss.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exec824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.execsrss.exe

pid	process
3716	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
3716	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
3716	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
3716	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
3716	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
3716	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
3716	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
3716	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
1932	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
1932	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
1932	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
1932	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
1932	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
1932	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
3144	csrss.exe
3144	csrss.exe
3144	csrss.exe
3144	csrss.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	3716	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Token: SeImpersonatePrivilege	3716	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
Token: SeTcbPrivilege	1740	svchost.exe
Token: SeTcbPrivilege	1740	svchost.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

svchost.exec824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.execmd.execmd.exe

description	pid	process	target process
PID 1740 wrote to memory of 1932	1740	svchost.exe	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
PID 1740 wrote to memory of 1932	1740	svchost.exe	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
PID 1740 wrote to memory of 1932	1740	svchost.exe	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
PID 1932 wrote to memory of 2696	1932	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe	cmd.exe
PID 1932 wrote to memory of 2696	1932	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe	cmd.exe
PID 2696 wrote to memory of 1284	2696	cmd.exe	netsh.exe
PID 2696 wrote to memory of 1284	2696	cmd.exe	netsh.exe
PID 1932 wrote to memory of 3348	1932	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe	cmd.exe
PID 1932 wrote to memory of 3348	1932	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe	cmd.exe
PID 3348 wrote to memory of 228	3348	cmd.exe	netsh.exe
PID 3348 wrote to memory of 228	3348	cmd.exe	netsh.exe
PID 1932 wrote to memory of 3144	1932	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe	csrss.exe
PID 1932 wrote to memory of 3144	1932	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe	csrss.exe
PID 1932 wrote to memory of 3144	1932	c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
"C:\Users\Admin\AppData\Local\Temp\c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3716

C:\Users\Admin\AppData\Local\Temp\c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe
"C:\Users\Admin\AppData\Local\Temp\c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9.exe"
2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:3348

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:228

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\rss\csrss.exe
Filesize
3.8MB

MD5
c377d72ba0f1c8722df198e42bb9a1b6

SHA1
ee4a918581883a9b81a6b58c373453f026fa2ef5

SHA256
c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9

SHA512
ce72f7e72c83c8d05fc762156131b2f403e6b375e7d2a30f78c1b2ebfdedfe4cd1f7cad592428d202eee909a89daaabae9b4d8638b59d79ecddb5aa06025fe4c

Download Submit
C:\Windows\rss\csrss.exe
Filesize
3.8MB

MD5
c377d72ba0f1c8722df198e42bb9a1b6

SHA1
ee4a918581883a9b81a6b58c373453f026fa2ef5

SHA256
c824e4437bae5fda0007929fcfabb0a3110820da10673500c9e71aadb982a0b9

SHA512
ce72f7e72c83c8d05fc762156131b2f403e6b375e7d2a30f78c1b2ebfdedfe4cd1f7cad592428d202eee909a89daaabae9b4d8638b59d79ecddb5aa06025fe4c

Download Submit
memory/228-140-0x0000000000000000-mapping.dmp

Download
memory/1284-138-0x0000000000000000-mapping.dmp

Download
memory/1932-143-0x0000000000400000-0x0000000000B49000-memory.dmp

Filesize
7.3MB

Download
memory/1932-133-0x0000000000000000-mapping.dmp

Download
memory/1932-135-0x0000000000E94000-0x0000000001238000-memory.dmp

Filesize
3.6MB

Download
memory/1932-136-0x0000000000400000-0x0000000000B49000-memory.dmp

Filesize
7.3MB

Download
memory/2696-137-0x0000000000000000-mapping.dmp

Download
memory/3144-141-0x0000000000000000-mapping.dmp

Download
memory/3144-145-0x0000000001400000-0x00000000017A4000-memory.dmp

Filesize
3.6MB

Download
memory/3144-146-0x0000000000400000-0x0000000000B49000-memory.dmp

Filesize
7.3MB

Download
memory/3144-147-0x0000000000400000-0x0000000000B49000-memory.dmp

Filesize
7.3MB

Download
memory/3348-139-0x0000000000000000-mapping.dmp

Download
memory/3716-134-0x0000000000400000-0x0000000000B49000-memory.dmp

Filesize
7.3MB

Download
memory/3716-130-0x0000000000F44000-0x00000000012E8000-memory.dmp

Filesize
3.6MB

Download
memory/3716-132-0x0000000000400000-0x0000000000B49000-memory.dmp

Filesize
7.3MB

Download
memory/3716-131-0x00000000012F0000-0x00000000019DF000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads