glupteba | dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08

General

Target

dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Size

5.0MB
MD5

ca4b4c1d1446f489b86d26437a0eb7ee
SHA1

7fb5c07d3f6658e12a35da6d98c57e9d8427d47d
SHA256

dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08
SHA512

7847515ad733efdf9fa60139563980f6c6ed79dc944d5624857a64d9a073a7341a5dbc5e4f423bdfc7e5cd88cce25fbb39ab2d6c171c14845e9fee6b18d5f176
SSDEEP

98304:RlLfucpPn8x3xZNcU2UgWZEbS6h/klBbp3FZW3tLIfxtGheHLNROgBTd:Rl/Bwfc7uF3btRUq

Score

10^/10

glupteba dropper evasion loader persistence trojan

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1980-57-0x0000000000400000-0x0000000001114000-memory.dmp	family_glupteba
behavioral1/memory/1980-59-0x0000000000400000-0x0000000001114000-memory.dmp	family_glupteba
behavioral1/memory/1980-61-0x0000000000400000-0x0000000001114000-memory.dmp	family_glupteba
behavioral1/memory/328-64-0x0000000000400000-0x0000000001114000-memory.dmp	family_glupteba
behavioral1/memory/328-72-0x0000000000400000-0x0000000001114000-memory.dmp	family_glupteba
behavioral1/memory/1700-76-0x0000000000400000-0x0000000001114000-memory.dmp	family_glupteba
behavioral1/memory/1700-81-0x0000000000400000-0x0000000001114000-memory.dmp	family_glupteba

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\cloudnet.exe = "0"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe = "0"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet = "0"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\CoolSunset = "0"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

1700 csrss.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1964 netsh.exe

pid	process
1700	csrss.exe

pid	process
1964	netsh.exe

Loads dropped DLL 2 IoCs

Processes:

dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe

pid	process
328	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
328	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe

Windows security modification 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet = "0"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\CoolSunset = "0"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\cloudnet.exe = "0"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe = "0"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\CoolSunset = "\"C:\\Windows\\rss\\csrss.exe\""	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe

Drops file in System32 directory 5 IoCs

Processes:

csrss.exedd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	csrss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe

Drops file in Windows directory 3 IoCs

Processes:

makecab.exedd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe

description	ioc	process
File created	C:\Windows\Logs\CBS\CbsPersist_20230129184342.cab	makecab.exe
File opened for modification	C:\Windows\rss	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
File created	C:\Windows\rss\csrss.exe	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe

GoLang User-Agent 3 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 14 Go-http-client/1.1
HTTP User-Agent header 18 Go-http-client/1.1
HTTP User-Agent header 24 Go-http-client/1.1

description	flow	ioc
HTTP User-Agent header	14	Go-http-client/1.1
HTTP User-Agent header	18	Go-http-client/1.1
HTTP User-Agent header	24	Go-http-client/1.1

Modifies data under HKEY_USERS 64 IoCs

Processes:

dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.execsrss.exenetsh.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exedd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exedd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe

pid	process
1980	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
1980	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
1980	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
1980	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
328	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
328	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
328	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe

description	pid	process
Token: SeDebugPrivilege	1980	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
Token: SeImpersonatePrivilege	1980	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.execmd.exe

description	pid	process	target process
PID 328 wrote to memory of 1916	328	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe	cmd.exe
PID 328 wrote to memory of 1916	328	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe	cmd.exe
PID 328 wrote to memory of 1916	328	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe	cmd.exe
PID 328 wrote to memory of 1916	328	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe	cmd.exe
PID 1916 wrote to memory of 1964	1916	cmd.exe	netsh.exe
PID 1916 wrote to memory of 1964	1916	cmd.exe	netsh.exe
PID 1916 wrote to memory of 1964	1916	cmd.exe	netsh.exe
PID 328 wrote to memory of 1700	328	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe	csrss.exe
PID 328 wrote to memory of 1700	328	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe	csrss.exe
PID 328 wrote to memory of 1700	328	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe	csrss.exe
PID 328 wrote to memory of 1700	328	dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
"C:\Users\Admin\AppData\Local\Temp\dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Users\Admin\AppData\Local\Temp\dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
"C:\Users\Admin\AppData\Local\Temp\dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe"
2⤵
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:328

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1964

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1700

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20230129184342.log C:\Windows\Logs\CBS\CbsPersist_20230129184342.cab
1⤵
- Drops file in Windows directory
PID:1752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

4

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
912a995b35ffe1dbb9832a7ac6a534b8

SHA1
bdf6698f68b41e93598a5048505540c60aa18f3f

SHA256
c72497900a5ba580a8813b66eeb3ba1e41801ac0f846a438b789508fa3e99842

SHA512
cfe8455471efbeaa72c07c16f53d207b720f89f45fa06a1529872df4b1e6a2831f0ff13863a93e12341696b49f477d053c9dd8cef811e475e472a79ce273d5cd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
61893fec423f071e86e444f7b358c962

SHA1
4df4775bff537b91bcf859c6813a919b7f106261

SHA256
2be8b72fcdba813d5d9a1d425c8a6ddc32d42ed6a3bb8ab5eba8c2857e817589

SHA512
db0c6b6c581e3056b2aa3d7e6da1a8afbe18b8f5103b8c98c0f26b9633d73530932e3ae10afd7c43a845fff3d982ea591bc6d111edd4722e6249fa8d1270a508

Download Submit
C:\Windows\rss\csrss.exe
Filesize
5.0MB

MD5
ca4b4c1d1446f489b86d26437a0eb7ee

SHA1
7fb5c07d3f6658e12a35da6d98c57e9d8427d47d

SHA256
dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08

SHA512
7847515ad733efdf9fa60139563980f6c6ed79dc944d5624857a64d9a073a7341a5dbc5e4f423bdfc7e5cd88cce25fbb39ab2d6c171c14845e9fee6b18d5f176

Download Submit
\Windows\rss\csrss.exe
Filesize
5.0MB

MD5
ca4b4c1d1446f489b86d26437a0eb7ee

SHA1
7fb5c07d3f6658e12a35da6d98c57e9d8427d47d

SHA256
dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08

SHA512
7847515ad733efdf9fa60139563980f6c6ed79dc944d5624857a64d9a073a7341a5dbc5e4f423bdfc7e5cd88cce25fbb39ab2d6c171c14845e9fee6b18d5f176

Download Submit
\Windows\rss\csrss.exe
Filesize
5.0MB

MD5
ca4b4c1d1446f489b86d26437a0eb7ee

SHA1
7fb5c07d3f6658e12a35da6d98c57e9d8427d47d

SHA256
dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08

SHA512
7847515ad733efdf9fa60139563980f6c6ed79dc944d5624857a64d9a073a7341a5dbc5e4f423bdfc7e5cd88cce25fbb39ab2d6c171c14845e9fee6b18d5f176

Download Submit
memory/328-72-0x0000000000400000-0x0000000001114000-memory.dmp

Filesize
13.1MB

Download
memory/328-60-0x0000000000400000-0x0000000001114000-memory.dmp

Filesize
13.1MB

Download
memory/328-62-0x0000000002E60000-0x000000000332A000-memory.dmp

Filesize
4.8MB

Download
memory/328-63-0x0000000002E60000-0x00000000031F8000-memory.dmp

Filesize
3.6MB

Download
memory/328-64-0x0000000000400000-0x0000000001114000-memory.dmp

Filesize
13.1MB

Download
memory/1700-75-0x0000000003010000-0x00000000033A8000-memory.dmp

Filesize
3.6MB

Download
memory/1700-76-0x0000000000400000-0x0000000001114000-memory.dmp

Filesize
13.1MB

Download
memory/1700-81-0x0000000000400000-0x0000000001114000-memory.dmp

Filesize
13.1MB

Download
memory/1700-70-0x0000000000000000-mapping.dmp

Download
memory/1700-74-0x0000000003010000-0x00000000034DA000-memory.dmp

Filesize
4.8MB

Download
memory/1700-73-0x0000000000400000-0x0000000001114000-memory.dmp

Filesize
13.1MB

Download
memory/1916-65-0x0000000000000000-mapping.dmp

Download
memory/1964-67-0x000007FEFC1B1000-0x000007FEFC1B3000-memory.dmp

Filesize
8KB

Download
memory/1964-66-0x0000000000000000-mapping.dmp

Download
memory/1980-59-0x0000000000400000-0x0000000001114000-memory.dmp

Filesize
13.1MB

Download
memory/1980-61-0x0000000000400000-0x0000000001114000-memory.dmp

Filesize
13.1MB

Download
memory/1980-54-0x0000000000400000-0x0000000001114000-memory.dmp

Filesize
13.1MB

Download
memory/1980-58-0x00000000030C0000-0x0000000003458000-memory.dmp

Filesize
3.6MB

Download
memory/1980-57-0x0000000000400000-0x0000000001114000-memory.dmp

Filesize
13.1MB

Download
memory/1980-56-0x00000000030C0000-0x0000000003458000-memory.dmp

Filesize
3.6MB

Download
memory/1980-55-0x00000000030C0000-0x000000000358A000-memory.dmp

Filesize
4.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads