glupteba | 47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e

Analysis

max time kernel
17s
max time network
20s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
25-09-2022 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Size

4.0MB
MD5

decce0895e67a1144325bccf47b0df54
SHA1

2bce05c38ec88e2631131c07f550551884a52794
SHA256

47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e
SHA512

1ed40aa4d9fe0ebfe05c8b3853a05a9524ad2e672ad5750890ef41d8d07c8f92ec49615ed78a12f94fc1cbb30534beb62cee64ba6b50803ab79a834347490937
SSDEEP

98304:HG+lE+suXJeA/t811sh23qa5gcstC3+g8emppTpvplZjW:VljsuXJeA/u11mUGn/pTnlZjW

Score

10^/10

glupteba dropper evasion loader persistence trojan

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe = "0"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

4732 csrss.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4684 netsh.exe

pid	process
4732	csrss.exe

pid	process
4684	netsh.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe = "0"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe

Drops file in Windows directory 2 IoCs

Processes:

47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe

description	ioc	process
File opened for modification	C:\Windows\rss	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
File created	C:\Windows\rss\csrss.exe	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

312 schtasks.exe

pid	process
312	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe

pid	process
4372	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
4372	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
4208	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
4208	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
4208	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
4208	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
4208	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
4208	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
4208	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
4208	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
4208	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
4208	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe

description	pid	process
Token: SeDebugPrivilege	4372	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
Token: SeImpersonatePrivilege	4372	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.execmd.exe

description	pid	process	target process
PID 4208 wrote to memory of 4248	4208	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe	cmd.exe
PID 4208 wrote to memory of 4248	4208	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe	cmd.exe
PID 4248 wrote to memory of 4684	4248	cmd.exe	netsh.exe
PID 4248 wrote to memory of 4684	4248	cmd.exe	netsh.exe
PID 4208 wrote to memory of 4732	4208	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe	csrss.exe
PID 4208 wrote to memory of 4732	4208	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe	csrss.exe
PID 4208 wrote to memory of 4732	4208	47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
"C:\Users\Admin\AppData\Local\Temp\47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Users\Admin\AppData\Local\Temp\47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe
"C:\Users\Admin\AppData\Local\Temp\47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e.exe"
2⤵
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4208

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:4684

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
- Executes dropped EXE
PID:4732

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:312

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:3336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\rss\csrss.exe
Filesize
4.0MB

MD5
decce0895e67a1144325bccf47b0df54

SHA1
2bce05c38ec88e2631131c07f550551884a52794

SHA256
47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e

SHA512
1ed40aa4d9fe0ebfe05c8b3853a05a9524ad2e672ad5750890ef41d8d07c8f92ec49615ed78a12f94fc1cbb30534beb62cee64ba6b50803ab79a834347490937

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.0MB

MD5
decce0895e67a1144325bccf47b0df54

SHA1
2bce05c38ec88e2631131c07f550551884a52794

SHA256
47845ecef81eb10e6caf3f793c528b80021c5360014bffb8edaeaf1c29d2fd5e

SHA512
1ed40aa4d9fe0ebfe05c8b3853a05a9524ad2e672ad5750890ef41d8d07c8f92ec49615ed78a12f94fc1cbb30534beb62cee64ba6b50803ab79a834347490937

Download Submit
memory/4208-294-0x0000000002AC0000-0x0000000002EAD000-memory.dmp

Filesize
3.9MB

Download
memory/4208-295-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/4208-301-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/4248-292-0x0000000000000000-mapping.dmp

Download
memory/4372-150-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-122-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-119-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-120-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-152-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-153-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-123-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-124-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-125-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-126-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-127-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-128-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-129-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-130-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-132-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-133-0x0000000002A50000-0x0000000002E3C000-memory.dmp

Filesize
3.9MB

Download
memory/4372-134-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-135-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-136-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-137-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-138-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-139-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-141-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-140-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-143-0x0000000002E40000-0x00000000036B6000-memory.dmp

Filesize
8.5MB

Download
memory/4372-142-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-144-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-145-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-148-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-147-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/4372-146-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-149-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-117-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-151-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-154-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-118-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-121-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-155-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-156-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-157-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-158-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-159-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-160-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-161-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-162-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-163-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-164-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-165-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-166-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-167-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-168-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-169-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-170-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-171-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-172-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-173-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-174-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-175-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-177-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-178-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-176-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-179-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-180-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-181-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-182-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-183-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4372-241-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/4372-116-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4684-293-0x0000000000000000-mapping.dmp

Download
memory/4732-297-0x0000000000000000-mapping.dmp

Download
memory/4732-357-0x0000000002F00000-0x00000000032EA000-memory.dmp

Filesize
3.9MB

Download
memory/4732-359-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download