glupteba | badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb

Analysis

max time kernel
218s
max time network
54s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Size

4.2MB
MD5

231e2cf23201ef6b4090b896e806d081
SHA1

bd83b4d462ec1ee2c68aa990b77f7aa7bc53dbf3
SHA256

badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb
SHA512

f209636a6098fc88b9599c7ec2afa3d33183fd206e7b2f895ca976cc4fefe19a71505f78b501c65cfed57fafe3d22f18f9004d07ba6c5110c6acba1a02aff542
SSDEEP

98304:tTJuBaOR1OGnJbTI9ECe5DBuoahLUsGxCDJoG2OZs7RL:He/RZI9Y5lul9nGuJoA2x

Score

10^/10

glupteba dropper evasion loader persistence trojan

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 15 IoCs

resource	yara_rule
behavioral1/memory/2912-2-0x0000000002AB0000-0x000000000339B000-memory.dmp	family_glupteba
behavioral1/memory/2912-3-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/2912-4-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/2912-6-0x0000000002AB0000-0x000000000339B000-memory.dmp	family_glupteba
behavioral1/memory/2912-7-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/2912-8-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1624-11-0x0000000002A60000-0x000000000334B000-memory.dmp	family_glupteba
behavioral1/memory/1624-12-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1624-21-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1804-26-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1804-28-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1804-32-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1804-34-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1804-36-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1804-37-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe = "0"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
1008	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
1804	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
1624	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
1624	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe = "0"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
File created	C:\Windows\rss\csrss.exe	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2912	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
1624	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
1624	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
1624	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
1624	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
1624	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
Token: SeImpersonatePrivilege	2912	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 2816	1624	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe	32
PID 1624 wrote to memory of 2816	1624	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe	32
PID 1624 wrote to memory of 2816	1624	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe	32
PID 1624 wrote to memory of 2816	1624	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe	32
PID 2816 wrote to memory of 1008	2816	cmd.exe	34
PID 2816 wrote to memory of 1008	2816	cmd.exe	34
PID 2816 wrote to memory of 1008	2816	cmd.exe	34
PID 1624 wrote to memory of 1804	1624	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe	35
PID 1624 wrote to memory of 1804	1624	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe	35
PID 1624 wrote to memory of 1804	1624	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe	35
PID 1624 wrote to memory of 1804	1624	badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe	35

C:\Users\Admin\AppData\Local\Temp\badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
"C:\Users\Admin\AppData\Local\Temp\badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2912
- C:\Users\Admin\AppData\Local\Temp\badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe
  "C:\Users\Admin\AppData\Local\Temp\badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb.exe"
  2⤵
  - Windows security bypass
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Modifies data under HKEY_USERS
      PID:1008
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:1804

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231015164942.log C:\Windows\Logs\CBS\CbsPersist_20231015164942.cab
1⤵
PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
231e2cf23201ef6b4090b896e806d081

SHA1
bd83b4d462ec1ee2c68aa990b77f7aa7bc53dbf3

SHA256
badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb

SHA512
f209636a6098fc88b9599c7ec2afa3d33183fd206e7b2f895ca976cc4fefe19a71505f78b501c65cfed57fafe3d22f18f9004d07ba6c5110c6acba1a02aff542

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
231e2cf23201ef6b4090b896e806d081

SHA1
bd83b4d462ec1ee2c68aa990b77f7aa7bc53dbf3

SHA256
badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb

SHA512
f209636a6098fc88b9599c7ec2afa3d33183fd206e7b2f895ca976cc4fefe19a71505f78b501c65cfed57fafe3d22f18f9004d07ba6c5110c6acba1a02aff542

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
231e2cf23201ef6b4090b896e806d081

SHA1
bd83b4d462ec1ee2c68aa990b77f7aa7bc53dbf3

SHA256
badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb

SHA512
f209636a6098fc88b9599c7ec2afa3d33183fd206e7b2f895ca976cc4fefe19a71505f78b501c65cfed57fafe3d22f18f9004d07ba6c5110c6acba1a02aff542

Download Submit
\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
231e2cf23201ef6b4090b896e806d081

SHA1
bd83b4d462ec1ee2c68aa990b77f7aa7bc53dbf3

SHA256
badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb

SHA512
f209636a6098fc88b9599c7ec2afa3d33183fd206e7b2f895ca976cc4fefe19a71505f78b501c65cfed57fafe3d22f18f9004d07ba6c5110c6acba1a02aff542

Download Submit
\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
231e2cf23201ef6b4090b896e806d081

SHA1
bd83b4d462ec1ee2c68aa990b77f7aa7bc53dbf3

SHA256
badcbbbb0776e093fc89a93be3cd299c6363f642b749fff197087dd906e8b4eb

SHA512
f209636a6098fc88b9599c7ec2afa3d33183fd206e7b2f895ca976cc4fefe19a71505f78b501c65cfed57fafe3d22f18f9004d07ba6c5110c6acba1a02aff542

Download Submit
memory/1624-11-0x0000000002A60000-0x000000000334B000-memory.dmp

Filesize
8.9MB

Download
memory/1624-21-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1624-23-0x0000000002660000-0x0000000002A58000-memory.dmp

Filesize
4.0MB

Download
memory/1624-9-0x0000000002660000-0x0000000002A58000-memory.dmp

Filesize
4.0MB

Download
memory/1624-12-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1624-10-0x0000000002660000-0x0000000002A58000-memory.dmp

Filesize
4.0MB

Download
memory/1804-26-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1804-32-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1804-37-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1804-36-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1804-34-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1804-28-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1804-22-0x00000000026E0000-0x0000000002AD8000-memory.dmp

Filesize
4.0MB

Download
memory/1804-24-0x00000000026E0000-0x0000000002AD8000-memory.dmp

Filesize
4.0MB

Download
memory/2912-2-0x0000000002AB0000-0x000000000339B000-memory.dmp

Filesize
8.9MB

Download
memory/2912-3-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/2912-0-0x00000000026B0000-0x0000000002AA8000-memory.dmp

Filesize
4.0MB

Download
memory/2912-1-0x00000000026B0000-0x0000000002AA8000-memory.dmp

Filesize
4.0MB

Download
memory/2912-4-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/2912-8-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/2912-5-0x00000000026B0000-0x0000000002AA8000-memory.dmp

Filesize
4.0MB

Download
memory/2912-6-0x0000000002AB0000-0x000000000339B000-memory.dmp

Filesize
8.9MB

Download
memory/2912-7-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download