glupteba | e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e

General

Target

e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Size

6.5MB
MD5

1090fff2e77ef8af4bdad1a4247d98e8
SHA1

e03bc98212c50d408b357a62150baaed89d7d5bd
SHA256

e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e
SHA512

71d42ddfb6e59b4e775465bc08bcbadc02fb62b57dc2b079ff7b9b09ea9b252697c86ab0e44c4aadc6e504866cdb199d9806a3837940b05ff771456c8ea03b66

Score

10^/10

glupteba dropper evasion loader persistence

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1192-133-0x0000000005E40000-0x0000000006510000-memory.dmp	family_glupteba
behavioral2/memory/1192-134-0x0000000000400000-0x0000000002E8C000-memory.dmp	family_glupteba
behavioral2/memory/1192-136-0x0000000000400000-0x0000000002E8C000-memory.dmp	family_glupteba
behavioral2/memory/1648-138-0x0000000000400000-0x0000000002E8C000-memory.dmp	family_glupteba
behavioral2/memory/1648-146-0x0000000000400000-0x0000000002E8C000-memory.dmp	family_glupteba
behavioral2/memory/2368-148-0x0000000000400000-0x0000000002E8C000-memory.dmp	family_glupteba
behavioral2/memory/2368-149-0x0000000000400000-0x0000000002E8C000-memory.dmp	family_glupteba

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 524 created 1192 524 svchost.exe e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

2368 csrss.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

4968 netsh.exe
1440 netsh.exe

description	pid	process	target process
PID 524 created 1192	524	svchost.exe	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe

pid	process
2368	csrss.exe

pid	process
4968	netsh.exe
1440	netsh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GreenDust = "\"C:\\Windows\\rss\\csrss.exe\""	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe

Drops file in System32 directory 6 IoCs

Processes:

csrss.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	csrss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	csrss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	csrss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A	csrss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	csrss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A	csrss.exe

Drops file in Windows directory 2 IoCs

Processes:

e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe

description	ioc	process
File opened for modification	C:\Windows\rss	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
File created	C:\Windows\rss\csrss.exe	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

csrss.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5c0000000100000004000000000800001900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c137e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d601030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c137e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d601030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	csrss.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exee18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.execsrss.exe

pid	process
1192	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
1192	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
1192	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
1192	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
1192	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
1192	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
1192	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
1192	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
1648	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
1648	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
1648	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
1648	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
1648	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
1648	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
2368	csrss.exe
2368	csrss.exe
2368	csrss.exe
2368	csrss.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1192	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Token: SeImpersonatePrivilege	1192	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
Token: SeTcbPrivilege	524	svchost.exe
Token: SeTcbPrivilege	524	svchost.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

svchost.exee18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.execmd.execmd.exe

description	pid	process	target process
PID 524 wrote to memory of 1648	524	svchost.exe	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
PID 524 wrote to memory of 1648	524	svchost.exe	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
PID 524 wrote to memory of 1648	524	svchost.exe	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
PID 1648 wrote to memory of 1760	1648	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe	cmd.exe
PID 1648 wrote to memory of 1760	1648	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe	cmd.exe
PID 1760 wrote to memory of 4968	1760	cmd.exe	netsh.exe
PID 1760 wrote to memory of 4968	1760	cmd.exe	netsh.exe
PID 1648 wrote to memory of 952	1648	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe	cmd.exe
PID 1648 wrote to memory of 952	1648	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe	cmd.exe
PID 952 wrote to memory of 1440	952	cmd.exe	netsh.exe
PID 952 wrote to memory of 1440	952	cmd.exe	netsh.exe
PID 1648 wrote to memory of 2368	1648	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe	csrss.exe
PID 1648 wrote to memory of 2368	1648	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe	csrss.exe
PID 1648 wrote to memory of 2368	1648	e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
"C:\Users\Admin\AppData\Local\Temp\e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Users\Admin\AppData\Local\Temp\e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe
"C:\Users\Admin\AppData\Local\Temp\e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e.exe"
2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:1440

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\rss\csrss.exe
Filesize
6.5MB

MD5
1090fff2e77ef8af4bdad1a4247d98e8

SHA1
e03bc98212c50d408b357a62150baaed89d7d5bd

SHA256
e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e

SHA512
71d42ddfb6e59b4e775465bc08bcbadc02fb62b57dc2b079ff7b9b09ea9b252697c86ab0e44c4aadc6e504866cdb199d9806a3837940b05ff771456c8ea03b66

Download Submit
C:\Windows\rss\csrss.exe
Filesize
6.5MB

MD5
1090fff2e77ef8af4bdad1a4247d98e8

SHA1
e03bc98212c50d408b357a62150baaed89d7d5bd

SHA256
e18457d640edde2ec7adf7adbae9d4cc6d3fd4774f9d4d69c9b7d3a5c34fdb6e

SHA512
71d42ddfb6e59b4e775465bc08bcbadc02fb62b57dc2b079ff7b9b09ea9b252697c86ab0e44c4aadc6e504866cdb199d9806a3837940b05ff771456c8ea03b66

Download Submit
memory/952-141-0x0000000000000000-mapping.dmp

Download
memory/1192-136-0x0000000000400000-0x0000000002E8C000-memory.dmp

Filesize
42.5MB

Download
memory/1192-132-0x000000000596F000-0x0000000005D08000-memory.dmp

Filesize
3.6MB

Download
memory/1192-133-0x0000000005E40000-0x0000000006510000-memory.dmp

Filesize
6.8MB

Download
memory/1192-134-0x0000000000400000-0x0000000002E8C000-memory.dmp

Filesize
42.5MB

Download
memory/1440-142-0x0000000000000000-mapping.dmp

Download
memory/1648-135-0x0000000000000000-mapping.dmp

Download
memory/1648-138-0x0000000000400000-0x0000000002E8C000-memory.dmp

Filesize
42.5MB

Download
memory/1648-137-0x000000000585E000-0x0000000005BF7000-memory.dmp

Filesize
3.6MB

Download
memory/1648-146-0x0000000000400000-0x0000000002E8C000-memory.dmp

Filesize
42.5MB

Download
memory/1760-139-0x0000000000000000-mapping.dmp

Download
memory/2368-143-0x0000000000000000-mapping.dmp

Download
memory/2368-147-0x0000000005E00000-0x0000000006199000-memory.dmp

Filesize
3.6MB

Download
memory/2368-148-0x0000000000400000-0x0000000002E8C000-memory.dmp

Filesize
42.5MB

Download
memory/2368-149-0x0000000000400000-0x0000000002E8C000-memory.dmp

Filesize
42.5MB

Download
memory/4968-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads