glupteba | 8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990

General

Target

8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Size

4.1MB
MD5

dca4d95d96153f66c493696ac564ef42
SHA1

9710719d6b895e7fc27f2bb9d4bd1fab68aee17f
SHA256

8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990
SHA512

5d29f04e5780b82a16fe909f25c6e9f2699bb1d8d9174a1661d03f1822355d9108db014bc127712f7ec81cb2ce612ec0bd959380f70ff613e9d2e19a0bbd214d
SSDEEP

98304:6AZs8Is3Ux2NclzGImsasArZdP5jvcsL4HZWx/5pqT/X:Z6sjNclzGImsasAddPZ1O+k

Score

10^/10

glupteba discovery dropper evasion loader persistence

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 1936 created 4972	1936	svchost.exe	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
PID 1936 created 2540	1936	svchost.exe	csrss.exe
PID 1936 created 2540	1936	svchost.exe	csrss.exe
PID 1936 created 2540	1936	svchost.exe	csrss.exe

Executes dropped EXE 2 IoCs

Processes:

csrss.exeinjector.exe

pid process

2540 csrss.exe
4372 injector.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4708 netsh.exe

pid	process
2540	csrss.exe
4372	injector.exe

pid	process
4708	netsh.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 2 IoCs

Processes:

8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe

description	ioc	process
File opened for modification	C:\Windows\rss	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
File created	C:\Windows\rss\csrss.exe	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3092 4828 WerFault.exe 8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4784 schtasks.exe
3020 schtasks.exe

pid	pid_target	process	target process
3092	4828	WerFault.exe	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe

pid	process
4784	schtasks.exe
3020	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exeinjector.execsrss.exe

pid	process
4972	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
4972	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
4828	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
4828	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
4828	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
4828	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
4828	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
4828	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
4828	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
4828	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
4828	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
4828	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
2540	csrss.exe
2540	csrss.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
2540	csrss.exe
2540	csrss.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe
4372	injector.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exesvchost.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	4972	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Token: SeImpersonatePrivilege	4972	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
Token: SeTcbPrivilege	1936	svchost.exe
Token: SeTcbPrivilege	1936	svchost.exe
Token: SeBackupPrivilege	1936	svchost.exe
Token: SeRestorePrivilege	1936	svchost.exe
Token: SeBackupPrivilege	1936	svchost.exe
Token: SeRestorePrivilege	1936	svchost.exe
Token: SeBackupPrivilege	1936	svchost.exe
Token: SeRestorePrivilege	1936	svchost.exe
Token: SeBackupPrivilege	1936	svchost.exe
Token: SeRestorePrivilege	1936	svchost.exe
Token: SeSystemEnvironmentPrivilege	2540	csrss.exe
Token: SeBackupPrivilege	1936	svchost.exe
Token: SeRestorePrivilege	1936	svchost.exe
Token: SeBackupPrivilege	1936	svchost.exe
Token: SeRestorePrivilege	1936	svchost.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

svchost.exe8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.execmd.execsrss.exe

description	pid	process	target process
PID 1936 wrote to memory of 4828	1936	svchost.exe	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
PID 1936 wrote to memory of 4828	1936	svchost.exe	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
PID 1936 wrote to memory of 4828	1936	svchost.exe	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
PID 4828 wrote to memory of 4208	4828	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe	cmd.exe
PID 4828 wrote to memory of 4208	4828	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe	cmd.exe
PID 4208 wrote to memory of 4708	4208	cmd.exe	netsh.exe
PID 4208 wrote to memory of 4708	4208	cmd.exe	netsh.exe
PID 4828 wrote to memory of 2540	4828	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe	csrss.exe
PID 4828 wrote to memory of 2540	4828	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe	csrss.exe
PID 4828 wrote to memory of 2540	4828	8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe	csrss.exe
PID 1936 wrote to memory of 4784	1936	svchost.exe	schtasks.exe
PID 1936 wrote to memory of 4784	1936	svchost.exe	schtasks.exe
PID 1936 wrote to memory of 3056	1936	svchost.exe	schtasks.exe
PID 1936 wrote to memory of 3056	1936	svchost.exe	schtasks.exe
PID 2540 wrote to memory of 4372	2540	csrss.exe	injector.exe
PID 2540 wrote to memory of 4372	2540	csrss.exe	injector.exe
PID 1936 wrote to memory of 3020	1936	svchost.exe	schtasks.exe
PID 1936 wrote to memory of 3020	1936	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
"C:\Users\Admin\AppData\Local\Temp\8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Users\Admin\AppData\Local\Temp\8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe
"C:\Users\Admin\AppData\Local\Temp\8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990.exe"
2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:4208

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4708

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:4784

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:3056

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4372

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 768
3⤵
- Program crash
PID:3092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4828 -ip 4828
1⤵
PID:3376

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.1MB

MD5
dca4d95d96153f66c493696ac564ef42

SHA1
9710719d6b895e7fc27f2bb9d4bd1fab68aee17f

SHA256
8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990

SHA512
5d29f04e5780b82a16fe909f25c6e9f2699bb1d8d9174a1661d03f1822355d9108db014bc127712f7ec81cb2ce612ec0bd959380f70ff613e9d2e19a0bbd214d

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.1MB

MD5
dca4d95d96153f66c493696ac564ef42

SHA1
9710719d6b895e7fc27f2bb9d4bd1fab68aee17f

SHA256
8d4cf5db6f4c8f127e54442ce8ca74670ffe64b304c6bc93c8648d0792fa7990

SHA512
5d29f04e5780b82a16fe909f25c6e9f2699bb1d8d9174a1661d03f1822355d9108db014bc127712f7ec81cb2ce612ec0bd959380f70ff613e9d2e19a0bbd214d

Download Submit
memory/2540-147-0x0000000002E00000-0x00000000031E9000-memory.dmp

Filesize
3.9MB

Download
memory/2540-153-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/2540-141-0x0000000000000000-mapping.dmp

Download
memory/2540-148-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/3020-152-0x0000000000000000-mapping.dmp

Download
memory/3056-146-0x0000000000000000-mapping.dmp

Download
memory/4208-137-0x0000000000000000-mapping.dmp

Download
memory/4372-149-0x0000000000000000-mapping.dmp

Download
memory/4708-138-0x0000000000000000-mapping.dmp

Download
memory/4784-145-0x0000000000000000-mapping.dmp

Download
memory/4828-144-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/4828-135-0x0000000000000000-mapping.dmp

Download
memory/4828-140-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/4828-139-0x0000000002915000-0x0000000002CFE000-memory.dmp

Filesize
3.9MB

Download
memory/4972-132-0x0000000002ADD000-0x0000000002EC6000-memory.dmp

Filesize
3.9MB

Download
memory/4972-134-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/4972-136-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/4972-133-0x0000000002ED0000-0x0000000003747000-memory.dmp

Filesize
8.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads