glupteba | ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2

Analysis

max time kernel
18s
max time network
20s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
16-09-2022 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Size

4.1MB
MD5

1a4bcb40af1bb4c1e26878ae271ede1d
SHA1

37bc8495655e783f7db3b6db02e4459ee675d0f5
SHA256

ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2
SHA512

8260e0f808f6315cf89c60243154334bac3da8328a45b2eb98278f1add77e276a8d5fab47f484d93d04da25e37e4f56388a0531ed738c006b629525f589a4c25
SSDEEP

98304:fQjJyFTrdbXEoxca+Tx+tAyFyGgyThpPui74YSEemXWT4ju2X3x:oVyrklx+JFVTht745EtmMzB

Score

10^/10

glupteba dropper evasion loader persistence trojan

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe = "0"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

3684 csrss.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4644 netsh.exe

pid	process
3684	csrss.exe

pid	process
4644	netsh.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe = "0"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe

Drops file in Windows directory 2 IoCs

Processes:

ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe

description	ioc	process
File opened for modification	C:\Windows\rss	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
File created	C:\Windows\rss\csrss.exe	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

496 schtasks.exe

pid	process
496	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exeee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe

pid	process
2700	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
2700	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
2284	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
2284	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
2284	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
2284	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
2284	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
2284	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
2284	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
2284	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
2284	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
2284	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe

description	pid	process
Token: SeDebugPrivilege	2700	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
Token: SeImpersonatePrivilege	2700	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.execmd.exe

description	pid	process	target process
PID 2284 wrote to memory of 3180	2284	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe	cmd.exe
PID 2284 wrote to memory of 3180	2284	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe	cmd.exe
PID 3180 wrote to memory of 4644	3180	cmd.exe	netsh.exe
PID 3180 wrote to memory of 4644	3180	cmd.exe	netsh.exe
PID 2284 wrote to memory of 3684	2284	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe	csrss.exe
PID 2284 wrote to memory of 3684	2284	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe	csrss.exe
PID 2284 wrote to memory of 3684	2284	ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
"C:\Users\Admin\AppData\Local\Temp\ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Users\Admin\AppData\Local\Temp\ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe
"C:\Users\Admin\AppData\Local\Temp\ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2.exe"
2⤵
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:4644

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
- Executes dropped EXE
PID:3684

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:496

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:1792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\rss\csrss.exe
Filesize
4.1MB

MD5
1a4bcb40af1bb4c1e26878ae271ede1d

SHA1
37bc8495655e783f7db3b6db02e4459ee675d0f5

SHA256
ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2

SHA512
8260e0f808f6315cf89c60243154334bac3da8328a45b2eb98278f1add77e276a8d5fab47f484d93d04da25e37e4f56388a0531ed738c006b629525f589a4c25

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.1MB

MD5
1a4bcb40af1bb4c1e26878ae271ede1d

SHA1
37bc8495655e783f7db3b6db02e4459ee675d0f5

SHA256
ee3c7c9b2bfba92db46b8270a49c65c3d661f3064cb8866d7f5ec25f2c5af1c2

SHA512
8260e0f808f6315cf89c60243154334bac3da8328a45b2eb98278f1add77e276a8d5fab47f484d93d04da25e37e4f56388a0531ed738c006b629525f589a4c25

Download Submit
memory/2284-293-0x00000000029D0000-0x0000000002DC7000-memory.dmp

Filesize
4.0MB

Download
memory/2284-294-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/2284-301-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/2700-151-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-159-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-119-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-120-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-121-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-154-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-123-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-124-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-125-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-126-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-127-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-128-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-129-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-130-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-131-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-133-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-134-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-135-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-137-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-136-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-140-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-138-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-139-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-141-0x0000000002BB0000-0x0000000002F9C000-memory.dmp

Filesize
3.9MB

Download
memory/2700-142-0x0000000002FA0000-0x0000000003816000-memory.dmp

Filesize
8.5MB

Download
memory/2700-143-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-144-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-145-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/2700-146-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-147-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-148-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-149-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-150-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-117-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-152-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-153-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-122-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-155-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-118-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-157-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-158-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-156-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-160-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-161-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-162-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-163-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-164-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-165-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-166-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-167-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-168-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-169-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-171-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-172-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-173-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-174-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-175-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-176-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-170-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-178-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-177-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-179-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-180-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-181-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-182-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-183-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-244-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/2700-116-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/3180-292-0x0000000000000000-mapping.dmp

Download
memory/3684-297-0x0000000000000000-mapping.dmp

Download
memory/3684-359-0x0000000002F00000-0x00000000032EA000-memory.dmp

Filesize
3.9MB

Download
memory/3684-360-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/4644-295-0x0000000000000000-mapping.dmp

Download