glupteba | 6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33

General

Target

6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Size

3.8MB
MD5

3985c432345c1e0604dd01200b46a648
SHA1

2abaa0d9beb302da9b26dba5f246bc54f15651a9
SHA256

6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33
SHA512

d97c995b3e9edc8d54c56f1fdde2c1ab5241687de1e0d5789d004d39a109db7f8144242a6109366980fee71fec6e45643801bb98905b1bcad2c0eda6d7972724

Score

10^/10

glupteba dropper evasion loader persistence

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2860-131-0x0000000001330000-0x0000000001A1F000-memory.dmp	family_glupteba
behavioral2/memory/2860-132-0x0000000000400000-0x0000000000B49000-memory.dmp	family_glupteba
behavioral2/memory/2860-133-0x0000000001330000-0x0000000001A1F000-memory.dmp	family_glupteba
behavioral2/memory/2860-135-0x0000000000400000-0x0000000000B49000-memory.dmp	family_glupteba
behavioral2/memory/4900-137-0x0000000000400000-0x0000000000B49000-memory.dmp	family_glupteba
behavioral2/memory/4900-145-0x0000000000400000-0x0000000000B49000-memory.dmp	family_glupteba
behavioral2/memory/1284-147-0x0000000000400000-0x0000000000B49000-memory.dmp	family_glupteba
behavioral2/memory/1284-148-0x0000000000400000-0x0000000000B49000-memory.dmp	family_glupteba

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 2632 created 2860 2632 svchost.exe 6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

1284 csrss.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

3732 netsh.exe
1264 netsh.exe

description	pid	process	target process
PID 2632 created 2860	2632	svchost.exe	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe

pid	process
1284	csrss.exe

pid	process
3732	netsh.exe
1264	netsh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinterWater = "\"C:\\Windows\\rss\\csrss.exe\""	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe

Drops file in Windows directory 2 IoCs

Processes:

6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe

description	ioc	process
File opened for modification	C:\Windows\rss	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
File created	C:\Windows\rss\csrss.exe	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

csrss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	csrss.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.execsrss.exe

pid	process
2860	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
2860	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
2860	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
2860	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
2860	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
2860	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
2860	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
2860	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
4900	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
4900	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
4900	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
4900	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
4900	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
4900	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
1284	csrss.exe
1284	csrss.exe
1284	csrss.exe
1284	csrss.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2860	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Token: SeImpersonatePrivilege	2860	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
Token: SeTcbPrivilege	2632	svchost.exe
Token: SeTcbPrivilege	2632	svchost.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

svchost.exe6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.execmd.execmd.exe

description	pid	process	target process
PID 2632 wrote to memory of 4900	2632	svchost.exe	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
PID 2632 wrote to memory of 4900	2632	svchost.exe	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
PID 2632 wrote to memory of 4900	2632	svchost.exe	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
PID 4900 wrote to memory of 4060	4900	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe	cmd.exe
PID 4900 wrote to memory of 4060	4900	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe	cmd.exe
PID 4060 wrote to memory of 3732	4060	cmd.exe	netsh.exe
PID 4060 wrote to memory of 3732	4060	cmd.exe	netsh.exe
PID 4900 wrote to memory of 2396	4900	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe	cmd.exe
PID 4900 wrote to memory of 2396	4900	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe	cmd.exe
PID 2396 wrote to memory of 1264	2396	cmd.exe	netsh.exe
PID 2396 wrote to memory of 1264	2396	cmd.exe	netsh.exe
PID 4900 wrote to memory of 1284	4900	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe	csrss.exe
PID 4900 wrote to memory of 1284	4900	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe	csrss.exe
PID 4900 wrote to memory of 1284	4900	6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
"C:\Users\Admin\AppData\Local\Temp\6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Users\Admin\AppData\Local\Temp\6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe
"C:\Users\Admin\AppData\Local\Temp\6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33.exe"
2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:1264

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\rss\csrss.exe
Filesize
3.8MB

MD5
3985c432345c1e0604dd01200b46a648

SHA1
2abaa0d9beb302da9b26dba5f246bc54f15651a9

SHA256
6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33

SHA512
d97c995b3e9edc8d54c56f1fdde2c1ab5241687de1e0d5789d004d39a109db7f8144242a6109366980fee71fec6e45643801bb98905b1bcad2c0eda6d7972724

Download Submit
C:\Windows\rss\csrss.exe
Filesize
3.8MB

MD5
3985c432345c1e0604dd01200b46a648

SHA1
2abaa0d9beb302da9b26dba5f246bc54f15651a9

SHA256
6860570b466dd59eb941e0b1b756f1afbe37b651657d6e7892c5495f03cc8d33

SHA512
d97c995b3e9edc8d54c56f1fdde2c1ab5241687de1e0d5789d004d39a109db7f8144242a6109366980fee71fec6e45643801bb98905b1bcad2c0eda6d7972724

Download Submit
memory/1264-141-0x0000000000000000-mapping.dmp

Download
memory/1284-142-0x0000000000000000-mapping.dmp

Download
memory/1284-148-0x0000000000400000-0x0000000000B49000-memory.dmp

Filesize
7.3MB

Download
memory/1284-147-0x0000000000400000-0x0000000000B49000-memory.dmp

Filesize
7.3MB

Download
memory/1284-146-0x0000000001400000-0x00000000017A4000-memory.dmp

Filesize
3.6MB

Download
memory/2396-140-0x0000000000000000-mapping.dmp

Download
memory/2860-133-0x0000000001330000-0x0000000001A1F000-memory.dmp

Filesize
6.9MB

Download
memory/2860-130-0x0000000000F7D000-0x0000000001321000-memory.dmp

Filesize
3.6MB

Download
memory/2860-135-0x0000000000400000-0x0000000000B49000-memory.dmp

Filesize
7.3MB

Download
memory/2860-132-0x0000000000400000-0x0000000000B49000-memory.dmp

Filesize
7.3MB

Download
memory/2860-131-0x0000000001330000-0x0000000001A1F000-memory.dmp

Filesize
6.9MB

Download
memory/3732-139-0x0000000000000000-mapping.dmp

Download
memory/4060-138-0x0000000000000000-mapping.dmp

Download
memory/4900-145-0x0000000000400000-0x0000000000B49000-memory.dmp

Filesize
7.3MB

Download
memory/4900-137-0x0000000000400000-0x0000000000B49000-memory.dmp

Filesize
7.3MB

Download
memory/4900-136-0x0000000000F6A000-0x000000000130E000-memory.dmp

Filesize
3.6MB

Download
memory/4900-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads