glupteba | d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4

Analysis

max time kernel
110s
max time network
74s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
14-09-2022 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Size

4.1MB
MD5

483204179798b2f9e670f4e33dbb36ab
SHA1

2de2faa14cdd4afd49cae7d39165d8938b08633f
SHA256

d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4
SHA512

7c627322c11914d2fd0d8a111d89866949b6af717c325810e43cb5e7c83f8d400684c1ba9d5ee8557fe4dc7a61f0cd4fb5427bab89e32fc328855979a79b82db
SSDEEP

98304:D3edQT+zqIEu3kQbWB1ZDHb7OBEeZJqnWmX8X+8jDffe:DudUkEhQYrrb7OKwgWmX8Xi

Score

10^/10

glupteba dropper evasion loader persistence trojan

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe = "0"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

4712 csrss.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4584 netsh.exe

pid	process
4712	csrss.exe

pid	process
4584	netsh.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe = "0"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe

Drops file in Windows directory 2 IoCs

Processes:

d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe

description	ioc	process
File opened for modification	C:\Windows\rss	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
File created	C:\Windows\rss\csrss.exe	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exed34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe

pid	process
564	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
564	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
4836	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
4836	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
4836	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
4836	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
4836	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
4836	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
4836	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
4836	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
4836	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
4836	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe

description	pid	process
Token: SeDebugPrivilege	564	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
Token: SeImpersonatePrivilege	564	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.execmd.exe

description	pid	process	target process
PID 4836 wrote to memory of 4644	4836	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe	cmd.exe
PID 4836 wrote to memory of 4644	4836	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe	cmd.exe
PID 4644 wrote to memory of 4584	4644	cmd.exe	netsh.exe
PID 4644 wrote to memory of 4584	4644	cmd.exe	netsh.exe
PID 4836 wrote to memory of 4712	4836	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe	csrss.exe
PID 4836 wrote to memory of 4712	4836	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe	csrss.exe
PID 4836 wrote to memory of 4712	4836	d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
"C:\Users\Admin\AppData\Local\Temp\d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Users\Admin\AppData\Local\Temp\d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe
"C:\Users\Admin\AppData\Local\Temp\d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4.exe"
2⤵
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:4584

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
- Executes dropped EXE
PID:4712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\rss\csrss.exe
Filesize
4.1MB

MD5
483204179798b2f9e670f4e33dbb36ab

SHA1
2de2faa14cdd4afd49cae7d39165d8938b08633f

SHA256
d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4

SHA512
7c627322c11914d2fd0d8a111d89866949b6af717c325810e43cb5e7c83f8d400684c1ba9d5ee8557fe4dc7a61f0cd4fb5427bab89e32fc328855979a79b82db

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.1MB

MD5
483204179798b2f9e670f4e33dbb36ab

SHA1
2de2faa14cdd4afd49cae7d39165d8938b08633f

SHA256
d34e51335f99f4bf86f00882ba35df9908ae2c5ebb23fc19629a34f6d35945b4

SHA512
7c627322c11914d2fd0d8a111d89866949b6af717c325810e43cb5e7c83f8d400684c1ba9d5ee8557fe4dc7a61f0cd4fb5427bab89e32fc328855979a79b82db

Download Submit
memory/564-120-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-121-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-122-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-123-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-124-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-125-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-126-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-127-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-128-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-129-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-130-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-131-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-132-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-134-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-133-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-136-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-138-0x0000000002A30000-0x0000000002E21000-memory.dmp

Filesize
3.9MB

Download
memory/564-137-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-139-0x0000000002E30000-0x00000000036A6000-memory.dmp

Filesize
8.5MB

Download
memory/564-140-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-141-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-142-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-143-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-144-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-145-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-147-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/564-146-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-148-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-149-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-150-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-151-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-152-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-153-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-154-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-155-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-156-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-157-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-158-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-159-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-160-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-161-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-162-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-163-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-164-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-165-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-166-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-167-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-168-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-169-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-170-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-171-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-172-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-173-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-174-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-175-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-177-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-176-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-178-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-180-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-179-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-181-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-182-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-183-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-184-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-185-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-186-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-187-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/564-247-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/564-251-0x0000000002E30000-0x00000000036A6000-memory.dmp

Filesize
8.5MB

Download
memory/4584-300-0x0000000000000000-mapping.dmp

Download
memory/4644-299-0x0000000000000000-mapping.dmp

Download
memory/4712-302-0x0000000000000000-mapping.dmp

Download
memory/4836-277-0x0000000002A60000-0x0000000002E53000-memory.dmp

Filesize
3.9MB

Download
memory/4836-281-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/4836-307-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download