Behavioral Report

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2023 16:50

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Size

3MB
MD5

b7c494f516b0b4e3646ceeb07ff0f3bd
SHA1

153feb9c47d668600ad9770898b03227467719d2
SHA256

1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c
SHA512

f1fb618d9f243c23b3a6fd8ddcbd6c090eb91a0c82a3069b0b79afee674217d0e2b8408a1b1eb0badfbb9505b99de6936d324b7f8db6ea7648a9ac832c9d5318
SSDEEP

98304:TorSjpqCjRWs+aS/uZR88eK2ShU0NCUFSNTEaxJepw5ZV/iBQ1v:TfjphtWs+aS/udeLShU0VYTqqxiK

Score

10^/10

glupteba discovery dropper evasion loader persistence upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 2012 created 4960	2012	svchost.exe	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
PID 2012 created 1832	2012	svchost.exe	csrss.exe
PID 2012 created 1832	2012	svchost.exe	csrss.exe
PID 2012 created 1832	2012	svchost.exe	csrss.exe
PID 2012 created 1624	2012	svchost.exe	f801950a962ddba14caaa44bf084b55c.exe
PID 2012 created 1624	2012	svchost.exe	f801950a962ddba14caaa44bf084b55c.exe

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

TTPs:

Modify Existing Service

Processes:

netsh.exe

pid process

220 netsh.exe
Executes dropped EXE 3 IoCs

Processes:

csrss.exeinjector.exef801950a962ddba14caaa44bf084b55c.exe

pid process

1832 csrss.exe
492 injector.exe
1624 f801950a962ddba14caaa44bf084b55c.exe

pid	process
220	netsh.exe

pid	process
1832	csrss.exe
492	injector.exe
1624	f801950a962ddba14caaa44bf084b55c.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x000300000000071d-155.dat	upx
behavioral1/files/0x000300000000071d-156.dat	upx
behavioral1/memory/1624-157-0x0000000000400000-0x0000000000C25000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

TTPs:

Registry Run Keys / Startup Folder Modify Registry

Processes:

1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

TTPs:

Query Registry

Drops file in Windows directory 2 IoCs

Processes:

1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe

description	ioc	process
File opened for modification	C:\Windows\rss	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
File created	C:\Windows\rss\csrss.exe	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

TTPs:

Scheduled Task

Processes:

schtasks.exeschtasks.exe

pid process

3904 schtasks.exe
2300 schtasks.exe

pid	process
3904	schtasks.exe
2300	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exeinjector.execsrss.exe

pid	process
4960	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
4960	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
1940	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
1940	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
1940	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
1940	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
1940	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
1940	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
1940	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
1940	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
1940	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
1940	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
1832	csrss.exe
1832	csrss.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
1832	csrss.exe
1832	csrss.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe
492	injector.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exesvchost.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	4960	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Token: SeImpersonatePrivilege	4960	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
Token: SeTcbPrivilege	2012	svchost.exe
Token: SeTcbPrivilege	2012	svchost.exe
Token: SeBackupPrivilege	2012	svchost.exe
Token: SeRestorePrivilege	2012	svchost.exe
Token: SeBackupPrivilege	2012	svchost.exe
Token: SeRestorePrivilege	2012	svchost.exe
Token: SeSystemEnvironmentPrivilege	1832	csrss.exe
Token: SeBackupPrivilege	2012	svchost.exe
Token: SeRestorePrivilege	2012	svchost.exe
Token: SeBackupPrivilege	2012	svchost.exe
Token: SeRestorePrivilege	2012	svchost.exe
Token: SeBackupPrivilege	2012	svchost.exe
Token: SeRestorePrivilege	2012	svchost.exe
Token: SeBackupPrivilege	2012	svchost.exe
Token: SeRestorePrivilege	2012	svchost.exe
Token: SeBackupPrivilege	2012	svchost.exe
Token: SeRestorePrivilege	2012	svchost.exe
Token: SeBackupPrivilege	2012	svchost.exe
Token: SeRestorePrivilege	2012	svchost.exe
Token: SeBackupPrivilege	2012	svchost.exe
Token: SeRestorePrivilege	2012	svchost.exe
Token: SeBackupPrivilege	2012	svchost.exe
Token: SeRestorePrivilege	2012	svchost.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

svchost.exe1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.execmd.execsrss.exe

description	pid	process	target process
PID 2012 wrote to memory of 1940	2012	svchost.exe	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
PID 2012 wrote to memory of 1940	2012	svchost.exe	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
PID 2012 wrote to memory of 1940	2012	svchost.exe	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe
PID 1940 wrote to memory of 2212	1940	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe	cmd.exe
PID 1940 wrote to memory of 2212	1940	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe	cmd.exe
PID 2212 wrote to memory of 220	2212	cmd.exe	netsh.exe
PID 2212 wrote to memory of 220	2212	cmd.exe	netsh.exe
PID 1940 wrote to memory of 1832	1940	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe	csrss.exe
PID 1940 wrote to memory of 1832	1940	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe	csrss.exe
PID 1940 wrote to memory of 1832	1940	1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe	csrss.exe
PID 2012 wrote to memory of 3904	2012	svchost.exe	schtasks.exe
PID 2012 wrote to memory of 3904	2012	svchost.exe	schtasks.exe
PID 2012 wrote to memory of 3792	2012	svchost.exe	schtasks.exe
PID 2012 wrote to memory of 3792	2012	svchost.exe	schtasks.exe
PID 1832 wrote to memory of 492	1832	csrss.exe	injector.exe
PID 1832 wrote to memory of 492	1832	csrss.exe	injector.exe
PID 2012 wrote to memory of 2300	2012	svchost.exe	schtasks.exe
PID 2012 wrote to memory of 2300	2012	svchost.exe	schtasks.exe
PID 1832 wrote to memory of 1624	1832	csrss.exe	f801950a962ddba14caaa44bf084b55c.exe
PID 1832 wrote to memory of 1624	1832	csrss.exe	f801950a962ddba14caaa44bf084b55c.exe
PID 1832 wrote to memory of 1624	1832	csrss.exe	f801950a962ddba14caaa44bf084b55c.exe
PID 2012 wrote to memory of 2276	2012	svchost.exe	schtasks.exe
PID 2012 wrote to memory of 2276	2012	svchost.exe	schtasks.exe
PID 2012 wrote to memory of 3196	2012	svchost.exe	schtasks.exe
PID 2012 wrote to memory of 3196	2012	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe

"C:\Users\Admin\AppData\Local\Temp\1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe"

Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

PID:4960

C:\Users\Admin\AppData\Local\Temp\1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe

"C:\Users\Admin\AppData\Local\Temp\1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c.exe"

Adds Run key to start application
Drops file in Windows directory
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory

PID:1940

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

Suspicious use of WriteProcessMemory

PID:2212

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

Modifies Windows Firewall

PID:220

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

Executes dropped EXE
Adds Run key to start application
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:1832

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Creates scheduled task(s)

PID:3904

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

PID:3792

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Executes dropped EXE
Suspicious behavior: EnumeratesProcesses

PID:492

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Creates scheduled task(s)

PID:2300

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

Executes dropped EXE

PID:1624

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn "csrss" /f

PID:2276

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn "ScheduledUpdate" /f

PID:3196

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon

Suspicious use of NtCreateUserProcessOtherParentProcess
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:2012

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

T1112

Discovery

Query Registry

T1012

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
Filesize
3MB

MD5
f801950a962ddba14caaa44bf084b55c

SHA1
7cadc9076121297428442785536ba0df2d4ae996

SHA256
c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

SHA512
4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
Filesize
3MB

MD5
f801950a962ddba14caaa44bf084b55c

SHA1
7cadc9076121297428442785536ba0df2d4ae996

SHA256
c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

SHA512
4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\rss\csrss.exe
Filesize
3MB

MD5
b7c494f516b0b4e3646ceeb07ff0f3bd

SHA1
153feb9c47d668600ad9770898b03227467719d2

SHA256
1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c

SHA512
f1fb618d9f243c23b3a6fd8ddcbd6c090eb91a0c82a3069b0b79afee674217d0e2b8408a1b1eb0badfbb9505b99de6936d324b7f8db6ea7648a9ac832c9d5318

Download Submit
C:\Windows\rss\csrss.exe
Filesize
3MB

MD5
b7c494f516b0b4e3646ceeb07ff0f3bd

SHA1
153feb9c47d668600ad9770898b03227467719d2

SHA256
1833d7fb6a31928e5af15de08640a993598d3335a7893807ed21a5e075b1b48c

SHA512
f1fb618d9f243c23b3a6fd8ddcbd6c090eb91a0c82a3069b0b79afee674217d0e2b8408a1b1eb0badfbb9505b99de6936d324b7f8db6ea7648a9ac832c9d5318

Download Submit
memory/220-138-0x0000000000000000-mapping.dmp

Download
memory/492-149-0x0000000000000000-mapping.dmp

Download
memory/1624-154-0x0000000000000000-mapping.dmp

Download
memory/1624-157-0x0000000000400000-0x0000000000C25000-memory.dmp

Filesize
8MB

Download
memory/1832-152-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8MB

Download
memory/1832-141-0x0000000000000000-mapping.dmp

Download
memory/1832-158-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8MB

Download
memory/1832-145-0x0000000002E00000-0x00000000031E9000-memory.dmp

Filesize
3MB

Download
memory/1832-146-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8MB

Download
memory/1940-139-0x00000000029DD000-0x0000000002DC6000-memory.dmp

Filesize
3MB

Download
memory/1940-140-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8MB

Download
memory/1940-135-0x0000000000000000-mapping.dmp

Download
memory/1940-144-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8MB

Download
memory/2212-137-0x0000000000000000-mapping.dmp

Download
memory/2276-159-0x0000000000000000-mapping.dmp

Download
memory/2300-153-0x0000000000000000-mapping.dmp

Download
memory/3196-160-0x0000000000000000-mapping.dmp

Download
memory/3792-148-0x0000000000000000-mapping.dmp

Download
memory/3904-147-0x0000000000000000-mapping.dmp

Download
memory/4960-132-0x0000000002B1E000-0x0000000002F07000-memory.dmp

Filesize
3MB

Download
memory/4960-136-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8MB

Download
memory/4960-134-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8MB

Download
memory/4960-133-0x0000000002F10000-0x0000000003787000-memory.dmp

Filesize
8MB

Download