glupteba | 7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70

Analysis

max time kernel
138s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
16/02/2023, 08:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Size

4.0MB
MD5

1b221846fef3bd24482b9593f95a9416
SHA1

29a18e68b60fa3e67af101401e49dee01cc00b1b
SHA256

7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70
SHA512

b81ecf6740b671e3763a75226318a215d2986667f147285e08d65d3d7e2d9d00fbe8182cedf033172fd4d3b8e4b6dfd483db9e6548f25ea47479875c0b3d7818
SSDEEP

98304:40HPKDuRvdKbwblvaSV7vedE7n0vvldXbZp/qrdp4:eQIb2lvp7GdEbSllbn/l

Score

10^/10

glupteba discovery dropper evasion loader persistence upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

description	pid	Process	procid_target
PID 2232 created 3036	2232	svchost.exe	83
PID 2232 created 4268	2232	svchost.exe	93
PID 2232 created 4268	2232	svchost.exe	93
PID 2232 created 4268	2232	svchost.exe	93
PID 2232 created 2284	2232	svchost.exe	105
PID 2232 created 2284	2232	svchost.exe	105

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4792	netsh.exe

Executes dropped EXE 3 IoCs

pid	Process
4268	csrss.exe
2452	injector.exe
2284	f801950a962ddba14caaa44bf084b55c.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000300000001e5a3-155.dat	upx
behavioral1/memory/2284-156-0x0000000000400000-0x0000000000C25000-memory.dmp	upx
behavioral1/files/0x000300000001e5a3-157.dat	upx
behavioral1/memory/2284-161-0x0000000000400000-0x0000000000C25000-memory.dmp	upx
behavioral1/memory/2284-163-0x0000000000400000-0x0000000000C25000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
File created	C:\Windows\rss\csrss.exe	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1016	schtasks.exe
2708	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3036	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
3036	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
2300	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
2300	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
2300	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
2300	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
2300	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
2300	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
2300	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
2300	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
2300	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
2300	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
4268	csrss.exe
4268	csrss.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
4268	csrss.exe
4268	csrss.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe
2452	injector.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	3036	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Token: SeImpersonatePrivilege	3036	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
Token: SeTcbPrivilege	2232	svchost.exe
Token: SeTcbPrivilege	2232	svchost.exe
Token: SeBackupPrivilege	2232	svchost.exe
Token: SeRestorePrivilege	2232	svchost.exe
Token: SeBackupPrivilege	2232	svchost.exe
Token: SeRestorePrivilege	2232	svchost.exe
Token: SeBackupPrivilege	2232	svchost.exe
Token: SeRestorePrivilege	2232	svchost.exe
Token: SeBackupPrivilege	2232	svchost.exe
Token: SeRestorePrivilege	2232	svchost.exe
Token: SeSystemEnvironmentPrivilege	4268	csrss.exe
Token: SeBackupPrivilege	2232	svchost.exe
Token: SeRestorePrivilege	2232	svchost.exe
Token: SeBackupPrivilege	2232	svchost.exe
Token: SeRestorePrivilege	2232	svchost.exe
Token: SeBackupPrivilege	2232	svchost.exe
Token: SeRestorePrivilege	2232	svchost.exe
Token: SeBackupPrivilege	2232	svchost.exe
Token: SeRestorePrivilege	2232	svchost.exe
Token: SeBackupPrivilege	2232	svchost.exe
Token: SeRestorePrivilege	2232	svchost.exe
Token: SeBackupPrivilege	2232	svchost.exe
Token: SeRestorePrivilege	2232	svchost.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2300	2232	svchost.exe	86
PID 2232 wrote to memory of 2300	2232	svchost.exe	86
PID 2232 wrote to memory of 2300	2232	svchost.exe	86
PID 2300 wrote to memory of 3156	2300	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe	89
PID 2300 wrote to memory of 3156	2300	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe	89
PID 3156 wrote to memory of 4792	3156	cmd.exe	92
PID 3156 wrote to memory of 4792	3156	cmd.exe	92
PID 2300 wrote to memory of 4268	2300	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe	93
PID 2300 wrote to memory of 4268	2300	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe	93
PID 2300 wrote to memory of 4268	2300	7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe	93
PID 2232 wrote to memory of 1016	2232	svchost.exe	96
PID 2232 wrote to memory of 1016	2232	svchost.exe	96
PID 2232 wrote to memory of 4928	2232	svchost.exe	98
PID 2232 wrote to memory of 4928	2232	svchost.exe	98
PID 4268 wrote to memory of 2452	4268	csrss.exe	101
PID 4268 wrote to memory of 2452	4268	csrss.exe	101
PID 2232 wrote to memory of 2708	2232	svchost.exe	102
PID 2232 wrote to memory of 2708	2232	svchost.exe	102
PID 4268 wrote to memory of 2284	4268	csrss.exe	105
PID 4268 wrote to memory of 2284	4268	csrss.exe	105
PID 4268 wrote to memory of 2284	4268	csrss.exe	105
PID 2232 wrote to memory of 4348	2232	svchost.exe	107
PID 2232 wrote to memory of 4348	2232	svchost.exe	107
PID 2232 wrote to memory of 4900	2232	svchost.exe	109
PID 2232 wrote to memory of 4900	2232	svchost.exe	109

C:\Users\Admin\AppData\Local\Temp\7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
"C:\Users\Admin\AppData\Local\Temp\7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036
- C:\Users\Admin\AppData\Local\Temp\7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe
  "C:\Users\Admin\AppData\Local\Temp\7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3156
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4792
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4268
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:1016
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:4928
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2452
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
      4⤵
      Executes dropped EXE
      PID:2284
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn "csrss" /f
        5⤵
        
        PID:4348
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn "ScheduledUpdate" /f
        5⤵
        
        PID:4900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

Filesize
3.2MB

MD5
f801950a962ddba14caaa44bf084b55c

SHA1
7cadc9076121297428442785536ba0df2d4ae996

SHA256
c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

SHA512
4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

Filesize
3.2MB

MD5
f801950a962ddba14caaa44bf084b55c

SHA1
7cadc9076121297428442785536ba0df2d4ae996

SHA256
c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

SHA512
4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Filesize
99KB

MD5
09031a062610d77d685c9934318b4170

SHA1
880f744184e7774f3d14c1bb857e21cc7fe89a6d

SHA256
778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd

SHA512
9a276e1f0f55d35f2bf38eb093464f7065bdd30a660e6d1c62eed5e76d1fb2201567b89d9ae65d2d89dc99b142159e36fb73be8d5e08252a975d50544a7cda27

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.0MB

MD5
1b221846fef3bd24482b9593f95a9416

SHA1
29a18e68b60fa3e67af101401e49dee01cc00b1b

SHA256
7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70

SHA512
b81ecf6740b671e3763a75226318a215d2986667f147285e08d65d3d7e2d9d00fbe8182cedf033172fd4d3b8e4b6dfd483db9e6548f25ea47479875c0b3d7818

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.0MB

MD5
1b221846fef3bd24482b9593f95a9416

SHA1
29a18e68b60fa3e67af101401e49dee01cc00b1b

SHA256
7e9a5e86b13cb88710088c0481a81075afb4b438a0d0c8806c73d4612eb6bb70

SHA512
b81ecf6740b671e3763a75226318a215d2986667f147285e08d65d3d7e2d9d00fbe8182cedf033172fd4d3b8e4b6dfd483db9e6548f25ea47479875c0b3d7818

Download Submit
memory/2284-163-0x0000000000400000-0x0000000000C25000-memory.dmp

Filesize
8.1MB

Download
memory/2284-161-0x0000000000400000-0x0000000000C25000-memory.dmp

Filesize
8.1MB

Download
memory/2284-156-0x0000000000400000-0x0000000000C25000-memory.dmp

Filesize
8.1MB

Download
memory/2300-137-0x0000000002B3A000-0x0000000002F23000-memory.dmp

Filesize
3.9MB

Download
memory/2300-139-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/2300-144-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/3036-136-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/3036-133-0x0000000002EC0000-0x0000000003737000-memory.dmp

Filesize
8.5MB

Download
memory/3036-134-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/3036-132-0x0000000002AC8000-0x0000000002EB1000-memory.dmp

Filesize
3.9MB

Download
memory/4268-148-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/4268-153-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/4268-147-0x0000000002E00000-0x00000000031E9000-memory.dmp

Filesize
3.9MB

Download
memory/4268-158-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download