glupteba | 11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa

Analysis

max time kernel
108s
max time network
55s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
13-09-2022 07:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Size

4.1MB
MD5

a32fa374368a7a615542db4a739eac21
SHA1

db39900cd1c6787d2b5dde76c6cb235011314eda
SHA256

11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa
SHA512

b86f6a044b5728f39b925b29876f969790006bc9410748cec89abb8948fc34b7cd0a40824b875600196b594f5273de94b3672bcf589adc19da2291bc10477a05
SSDEEP

98304:wRQn3kzYpzOmvMKXh0zVMlpa5cKI8/abTpqmBA:cMcKzvx0zylpa5nItUmBA

Score

10^/10

glupteba dropper evasion loader persistence trojan

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe = "0"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

4696 csrss.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

3768 netsh.exe

pid	process
4696	csrss.exe

pid	process
3768	netsh.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe = "0"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe

Drops file in Windows directory 2 IoCs

Processes:

11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe

description	ioc	process
File opened for modification	C:\Windows\rss	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
File created	C:\Windows\rss\csrss.exe	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe

pid	process
2656	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
2656	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
2476	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
2476	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
2476	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
2476	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
2476	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
2476	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
2476	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
2476	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
2476	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
2476	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe

description	pid	process
Token: SeDebugPrivilege	2656	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
Token: SeImpersonatePrivilege	2656	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.execmd.exe

description	pid	process	target process
PID 2476 wrote to memory of 4364	2476	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe	cmd.exe
PID 2476 wrote to memory of 4364	2476	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe	cmd.exe
PID 4364 wrote to memory of 3768	4364	cmd.exe	netsh.exe
PID 4364 wrote to memory of 3768	4364	cmd.exe	netsh.exe
PID 2476 wrote to memory of 4696	2476	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe	csrss.exe
PID 2476 wrote to memory of 4696	2476	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe	csrss.exe
PID 2476 wrote to memory of 4696	2476	11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
"C:\Users\Admin\AppData\Local\Temp\11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2656
- C:\Users\Admin\AppData\Local\Temp\11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe
  "C:\Users\Admin\AppData\Local\Temp\11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa.exe"
  2⤵
  - Windows security bypass
  - Windows security modification
  - Adds Run key to start application
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4364
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Modifies data under HKEY_USERS
      PID:3768
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Executes dropped EXE
    PID:4696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
a32fa374368a7a615542db4a739eac21

SHA1
db39900cd1c6787d2b5dde76c6cb235011314eda

SHA256
11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa

SHA512
b86f6a044b5728f39b925b29876f969790006bc9410748cec89abb8948fc34b7cd0a40824b875600196b594f5273de94b3672bcf589adc19da2291bc10477a05

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
a32fa374368a7a615542db4a739eac21

SHA1
db39900cd1c6787d2b5dde76c6cb235011314eda

SHA256
11b2f56d212b371ee16697f0dd4aa322ba27962251b643e383e44a0ecc526afa

SHA512
b86f6a044b5728f39b925b29876f969790006bc9410748cec89abb8948fc34b7cd0a40824b875600196b594f5273de94b3672bcf589adc19da2291bc10477a05

Download Submit
memory/2476-270-0x0000000002AF0000-0x0000000002EDA000-memory.dmp

Filesize
3.9MB

Download
memory/2476-273-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/2476-306-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/2656-155-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-126-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-123-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-156-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-125-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-157-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-127-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-128-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-129-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-130-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-131-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-132-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-133-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-134-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-136-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-137-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-138-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-139-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-140-0x0000000002BE0000-0x0000000002FD9000-memory.dmp

Filesize
4.0MB

Download
memory/2656-141-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-142-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-143-0x0000000002FE0000-0x0000000003856000-memory.dmp

Filesize
8.5MB

Download
memory/2656-144-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-146-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/2656-147-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-145-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-148-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-149-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-150-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-151-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-152-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-153-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-154-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-121-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-124-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-158-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-122-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-159-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-160-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-161-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-162-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-163-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-164-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-165-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-167-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-166-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-168-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-169-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-170-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-171-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-172-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-173-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-174-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-175-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-176-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-177-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-178-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-179-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-180-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-181-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-182-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-183-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-184-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-185-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-186-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-187-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-246-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/2656-120-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3768-299-0x0000000000000000-mapping.dmp

Download
memory/4364-298-0x0000000000000000-mapping.dmp

Download
memory/4696-301-0x0000000000000000-mapping.dmp

Download