glupteba | 485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7

Analysis

max time kernel
42s
max time network
45s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
18-09-2022 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Size

4.1MB
MD5

edb11db6fc83fa3123e53b9c64f08a55
SHA1

19609a1b370963bfa561d31ea2b4850d4a2798c5
SHA256

485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7
SHA512

8f8e547788e809d8578118abd71ae95b12a595dcff3881b730b5cb8086245d4a8ac882cdda43d7247b932178e1f74dcf3415c3f8d9292767ea7b1a69dbd52f1f
SSDEEP

98304:8nTDGR79/XGczYc02HnTg13HrCm/9oZk4m4mSE2fe7J:WTiR71Xjj0BLC8P4fmN2Q

Score

10^/10

glupteba dropper evasion loader persistence trojan

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe = "0"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

4924 csrss.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

3976 netsh.exe

pid	process
4924	csrss.exe

pid	process
3976	netsh.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe = "0"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe

Drops file in Windows directory 2 IoCs

Processes:

485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe

description	ioc	process
File opened for modification	C:\Windows\rss	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
File created	C:\Windows\rss\csrss.exe	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2192 schtasks.exe

pid	process
2192	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe

pid	process
2384	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
2384	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
632	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
632	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
632	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
632	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
632	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
632	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
632	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
632	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
632	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
632	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe

description	pid	process
Token: SeDebugPrivilege	2384	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
Token: SeImpersonatePrivilege	2384	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.execmd.exe

description	pid	process	target process
PID 632 wrote to memory of 4280	632	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe	cmd.exe
PID 632 wrote to memory of 4280	632	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe	cmd.exe
PID 4280 wrote to memory of 3976	4280	cmd.exe	netsh.exe
PID 4280 wrote to memory of 3976	4280	cmd.exe	netsh.exe
PID 632 wrote to memory of 4924	632	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe	csrss.exe
PID 632 wrote to memory of 4924	632	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe	csrss.exe
PID 632 wrote to memory of 4924	632	485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
"C:\Users\Admin\AppData\Local\Temp\485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Users\Admin\AppData\Local\Temp\485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe
"C:\Users\Admin\AppData\Local\Temp\485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7.exe"
2⤵
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:4280

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:3976

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
- Executes dropped EXE
PID:4924

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:2192

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\rss\csrss.exe
Filesize
4.1MB

MD5
edb11db6fc83fa3123e53b9c64f08a55

SHA1
19609a1b370963bfa561d31ea2b4850d4a2798c5

SHA256
485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7

SHA512
8f8e547788e809d8578118abd71ae95b12a595dcff3881b730b5cb8086245d4a8ac882cdda43d7247b932178e1f74dcf3415c3f8d9292767ea7b1a69dbd52f1f

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.1MB

MD5
edb11db6fc83fa3123e53b9c64f08a55

SHA1
19609a1b370963bfa561d31ea2b4850d4a2798c5

SHA256
485efde0e891c1fc31bcbf4ba370954eace76ed21ddedcee0ab3a534b93acde7

SHA512
8f8e547788e809d8578118abd71ae95b12a595dcff3881b730b5cb8086245d4a8ac882cdda43d7247b932178e1f74dcf3415c3f8d9292767ea7b1a69dbd52f1f

Download Submit
memory/632-296-0x0000000002B60000-0x0000000002F4D000-memory.dmp

Filesize
3.9MB

Download
memory/632-297-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/632-307-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/2384-155-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-126-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-123-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-124-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-156-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-157-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-127-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-128-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-129-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-130-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-131-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-132-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-133-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-134-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-135-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-137-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-138-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-139-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-140-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-141-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-142-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-143-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-144-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-145-0x0000000002A40000-0x0000000002E34000-memory.dmp

Filesize
4.0MB

Download
memory/2384-147-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-146-0x0000000002E40000-0x00000000036B6000-memory.dmp

Filesize
8.5MB

Download
memory/2384-148-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-149-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/2384-150-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-151-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-152-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-153-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-154-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-121-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-158-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-122-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-125-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-159-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-160-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-161-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-162-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-163-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-164-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-165-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-166-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-167-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-168-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-169-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-170-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-171-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-172-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-173-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-174-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-175-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-176-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-177-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-179-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-178-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-180-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-181-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-182-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-183-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-184-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-185-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-186-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-187-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-249-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/2384-120-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/3976-299-0x0000000000000000-mapping.dmp

Download
memory/4280-298-0x0000000000000000-mapping.dmp

Download
memory/4924-301-0x0000000000000000-mapping.dmp

Download
memory/4924-324-0x0000000002E00000-0x00000000031EA000-memory.dmp

Filesize
3.9MB

Download