glupteba | d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270

Analysis

max time kernel
296s
max time network
299s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04-02-2024 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Size

4.2MB
MD5

3fc00db591baefc2dac1072f345fd7cc
SHA1

dd9c191c6482dd425dbaff2c6e94e7dc4e9d2a39
SHA256

d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270
SHA512

c24602581e5924733c9c5fada0d66b10ba7d44893577c7bcff6b80846bb219aa42ead5ca59fd7a283f73e4564b5f8f758010fc0955c634d3c16d82c0880943ad
SSDEEP

98304:sXosuBapfUsLTRnJe3olN0i3x7lQ01WGib7McUcgqdN1lLDX:sXoHBapfUsLC0N0i3zQtTlUcbPDX

Score

10^/10

glupteba discovery dropper evasion loader persistence rootkit trojan upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 30 IoCs

resource	yara_rule
behavioral1/memory/2416-2-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2416-3-0x0000000002C80000-0x000000000356B000-memory.dmp	family_glupteba
behavioral1/memory/2416-4-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2872-8-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2872-17-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3056-21-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3056-112-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3056-117-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3056-140-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3056-150-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3056-157-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3056-159-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3056-161-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3056-163-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3056-165-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3056-167-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3056-169-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3056-171-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3056-173-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3056-175-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3056-177-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3056-179-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3056-181-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3056-183-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3056-185-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3056-187-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3056-189-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3056-191-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3056-193-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3056-195-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe = "0"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe

Modifies boot configuration data using bcdedit 14 IoCs

pid	Process
2508	bcdedit.exe
2500	bcdedit.exe
1756	bcdedit.exe
2224	bcdedit.exe
2008	bcdedit.exe
2640	bcdedit.exe
2676	bcdedit.exe
2656	bcdedit.exe
2600	bcdedit.exe
2576	bcdedit.exe
2760	bcdedit.exe
976	bcdedit.exe
1584	bcdedit.exe
1304	bcdedit.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2584	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

Executes dropped EXE 6 IoCs

pid	Process
3056	csrss.exe
812	patch.exe
868	injector.exe
1976	dsefix.exe
1084	windefender.exe
744	windefender.exe

Loads dropped DLL 13 IoCs

pid	Process
2872	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
2872	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
832	Process not Found
812	patch.exe
812	patch.exe
812	patch.exe
812	patch.exe
812	patch.exe
3056	csrss.exe
812	patch.exe
812	patch.exe
812	patch.exe
3056	csrss.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000000b1f7-149.dat	upx
behavioral1/memory/1084-151-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/files/0x000500000000b1f7-152.dat	upx
behavioral1/files/0x000500000000b1f7-153.dat	upx
behavioral1/memory/744-154-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1084-155-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/744-156-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/744-162-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe = "0"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMon driver. 1 IoCs

Roottkits write to WinMon to hide PIDs from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMon	csrss.exe

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
File created	C:\Windows\rss\csrss.exe	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240204074651.cab	makecab.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1820	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2916	schtasks.exe
2312	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-572 = "China Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-471 = "Ekaterinburg Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-581 = "North Asia East Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-491 = "India Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2416	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
2872	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
2872	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
2872	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
2872	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
2872	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
3056	csrss.exe
868	injector.exe
868	injector.exe
868	injector.exe
3056	csrss.exe
868	injector.exe
3056	csrss.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe
868	injector.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2416	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Token: SeImpersonatePrivilege	2416	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
Token: SeSystemEnvironmentPrivilege	3056	csrss.exe
Token: SeSecurityPrivilege	1820	sc.exe
Token: SeSecurityPrivilege	1820	sc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2188	2872	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe	70
PID 2872 wrote to memory of 2188	2872	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe	70
PID 2872 wrote to memory of 2188	2872	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe	70
PID 2872 wrote to memory of 2188	2872	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe	70
PID 2188 wrote to memory of 2584	2188	conhost.exe	35
PID 2188 wrote to memory of 2584	2188	conhost.exe	35
PID 2188 wrote to memory of 2584	2188	conhost.exe	35
PID 2872 wrote to memory of 3056	2872	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe	36
PID 2872 wrote to memory of 3056	2872	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe	36
PID 2872 wrote to memory of 3056	2872	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe	36
PID 2872 wrote to memory of 3056	2872	d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe	36
PID 3056 wrote to memory of 868	3056	csrss.exe	45
PID 3056 wrote to memory of 868	3056	csrss.exe	45
PID 3056 wrote to memory of 868	3056	csrss.exe	45
PID 3056 wrote to memory of 868	3056	csrss.exe	45
PID 812 wrote to memory of 2508	812	patch.exe	50
PID 812 wrote to memory of 2508	812	patch.exe	50
PID 812 wrote to memory of 2508	812	patch.exe	50
PID 812 wrote to memory of 2500	812	patch.exe	52
PID 812 wrote to memory of 2500	812	patch.exe	52
PID 812 wrote to memory of 2500	812	patch.exe	52
PID 812 wrote to memory of 1756	812	patch.exe	54
PID 812 wrote to memory of 1756	812	patch.exe	54
PID 812 wrote to memory of 1756	812	patch.exe	54
PID 812 wrote to memory of 1304	812	patch.exe	78
PID 812 wrote to memory of 1304	812	patch.exe	78
PID 812 wrote to memory of 1304	812	patch.exe	78
PID 812 wrote to memory of 2224	812	patch.exe	56
PID 812 wrote to memory of 2224	812	patch.exe	56
PID 812 wrote to memory of 2224	812	patch.exe	56
PID 812 wrote to memory of 1584	812	patch.exe	76
PID 812 wrote to memory of 1584	812	patch.exe	76
PID 812 wrote to memory of 1584	812	patch.exe	76
PID 812 wrote to memory of 976	812	patch.exe	74
PID 812 wrote to memory of 976	812	patch.exe	74
PID 812 wrote to memory of 976	812	patch.exe	74
PID 812 wrote to memory of 2008	812	patch.exe	58
PID 812 wrote to memory of 2008	812	patch.exe	58
PID 812 wrote to memory of 2008	812	patch.exe	58
PID 812 wrote to memory of 2760	812	patch.exe	72
PID 812 wrote to memory of 2760	812	patch.exe	72
PID 812 wrote to memory of 2760	812	patch.exe	72
PID 812 wrote to memory of 2600	812	patch.exe	66
PID 812 wrote to memory of 2600	812	patch.exe	66
PID 812 wrote to memory of 2600	812	patch.exe	66
PID 812 wrote to memory of 2656	812	patch.exe	64
PID 812 wrote to memory of 2656	812	patch.exe	64
PID 812 wrote to memory of 2656	812	patch.exe	64
PID 812 wrote to memory of 2676	812	patch.exe	62
PID 812 wrote to memory of 2676	812	patch.exe	62
PID 812 wrote to memory of 2676	812	patch.exe	62
PID 812 wrote to memory of 2640	812	patch.exe	60
PID 812 wrote to memory of 2640	812	patch.exe	60
PID 812 wrote to memory of 2640	812	patch.exe	60
PID 3056 wrote to memory of 2576	3056	csrss.exe	67
PID 3056 wrote to memory of 2576	3056	csrss.exe	67
PID 3056 wrote to memory of 2576	3056	csrss.exe	67
PID 3056 wrote to memory of 2576	3056	csrss.exe	67
PID 3056 wrote to memory of 1976	3056	csrss.exe	69
PID 3056 wrote to memory of 1976	3056	csrss.exe	69
PID 3056 wrote to memory of 1976	3056	csrss.exe	69
PID 3056 wrote to memory of 1976	3056	csrss.exe	69
PID 1084 wrote to memory of 308	1084	windefender.exe	84
PID 1084 wrote to memory of 308	1084	windefender.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
"C:\Users\Admin\AppData\Local\Temp\d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416
- C:\Users\Admin\AppData\Local\Temp\d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe
  "C:\Users\Admin\AppData\Local\Temp\d3d87475bd6c89cc3a3ae120132193b347e397e1e1c6675990a64aac27c6e270.exe"
  2⤵
  - Windows security bypass
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:2188
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Modifies data under HKEY_USERS
      PID:2584
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Manipulates WinMon driver.
    - Manipulates WinMonFS driver.
    - Drops file in Windows directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\system32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:524
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
      "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious use of WriteProcessMemory
      PID:812
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2508
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2500
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1756
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2224
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2008
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2640
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2676
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2656
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2600
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2760
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:976
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1584
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1304
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:868
  - - C:\Windows\system32\bcdedit.exe
      C:\Windows\Sysnative\bcdedit.exe /v
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      4⤵
      Executes dropped EXE
      PID:1976
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2312
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1084
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:308
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240204074651.log C:\Windows\Logs\CBS\CbsPersist_20240204074651.cab
1⤵
- Drops file in Windows directory
PID:2860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-170287824797369915776799741461725195120378588-1144720986449643282-1689076393"
1⤵
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab67BA.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
231KB

MD5
2ba941d505a9882b2a59c6f94c3413f4

SHA1
040df0d133e8aa9b5aa741d90739faf5daf3962e

SHA256
25af7a6ff9c6a489b4b3daed693d0ae5b843f7ae1dddfb0121cc26172a6c61ed

SHA512
ef638e8b55f59c87f19eda3d4b353b37c7661be3add38605d89f959ae55ac8d4f23f53c19d1cb86bd5e769a8e72308ea6cb95683a59afadf2e0bddf45dd4da12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
82KB

MD5
7783d3194cbde27d10889a299a818708

SHA1
2519ed6499bcba29bb5a0e6fcd117d25ef1e2915

SHA256
848b8bb1d155ec7eff36e20d94e5065531d4f275f37f1f9e28e1877f82f4f379

SHA512
3e077cace68cac8fdcb348a8528d1c7d5efc7cfbbd28afa0c43bd0374dbb38df176ae169ff6afa935fd9fb7fc88e6932f4a602b455dc2b91aec8b5d47fd461b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar683A.tmp

Filesize
111KB

MD5
bc3ffd4d7ae1eb3a3a14de34ae156864

SHA1
0180a7f0c4869ea3fedf9eb19ac1aba1cb4b99b1

SHA256
e17e4c0f9371490680ce77fae9d293381bbc1005d88918c50c81b99c0a65e8b9

SHA512
d9a65212ebcb000514561a72236c04068933f6bd9cbf9802bdcbf1e2f849aace93be65a839a49eb18c2d50224294ddebc7f76c8bdb62cfe78bf2857f81f98dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
72KB

MD5
6b43afb38125c48b9db2bb3b5cb5227d

SHA1
8bffa4f03bdca431b59681d2daacefc5c9bba4b3

SHA256
3cd2fbbba612a5bca60b900ee707bcb4b34f8dfb4d042a9ed731f41b7c0952e6

SHA512
e4ee5084d4a4c08a7f4c25760be0e6deba421797e1f7298b82f7e33ae45ef740bf94157f2257145ea80ca7bc5a78d9ef243e2e7f739bd8a60a06df5e90ff05b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
31KB

MD5
91b9dcf69a4f3d66d1888083eef54e63

SHA1
d8b83fe409bbf7bd439fcfcd9ad006567a9111a5

SHA256
42e4712969bc5a970ad0ec0b25a6232d6e713e44788c25a77e86f6192ee713a1

SHA512
b36bf10123b3d1929f84d4cc3191690a8aa206be849b27363eb9bdffa87888df03575864a56f1ccbd949c4bc50c77944c395644f90462d16d3ab0c057276f653

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
136KB

MD5
b1af5140ef6429d99ae66eb15e1ce49a

SHA1
44d871da1fb1108c6a09475575ff24a4da69a811

SHA256
8ed0eba64174d429230f6a9b29161dda02ef955e4b660bdf865bbb856577883f

SHA512
66ecea954b419610ab8fba777c22d073674955230ee3297f8dd2b101a81836bc09a068fd584b603f7f8ab266fc4b77bf5873b64ea3d8716de091a1146e2cfa72

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
100KB

MD5
664831b6aae69f2e1e50ba7c23a2316d

SHA1
15ed562a1e94e9571689f52c38b58525da09c71f

SHA256
2c029f24271f96743808fa6110f33f74dd68fd48bcc4e5f2cbbf60c9d8f76c5c

SHA512
4ad414ecb4d712f4d55945bfb4618c9256e58c02fecb3bf0abd7a5cdf19e4cd2040d30f885ba8732b03b9cd0ab4edc971b55f5337b4f21178bbf0334d2438e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
19KB

MD5
d143a20cfa4f5d5c599ae107c1dd4f4f

SHA1
87f5220ec939fc552b63f39bf1cb7991a63429f6

SHA256
7f60b892eb946c288236dbc4d5342f9fa4084e81b460d5458f894c85131f944c

SHA512
fb926712b731f2438dc6a9414bcabf3ad1063052709c286073618297af84ab624110d468ee8208f33105caad730dd64223cb8428ec167c14e61392b35708c6c1

Download Submit
C:\Windows\rss\csrss.exe

Filesize
181KB

MD5
06d53e04bfc8a7728e07a2f019e18a43

SHA1
1c68ce9bb9342acb44ab18ac6b8beeb00cf92ff6

SHA256
505e9a1f1c882cf9714506503350a17ecdd5af1f66fc1a999ce859cef6842662

SHA512
ead460b7d877d39357176cb25395dc3c3f01b7f539ad8fc9aef41be010a033f1bd2266e0102f6979b32e32052d110b1e47bd994452e9ffecedc0bb1a44f9b190

Download Submit
C:\Windows\rss\csrss.exe

Filesize
226KB

MD5
11a01aed334d5eb78c44630bc983f5ef

SHA1
0d84b2e63b20fdaa79c125c522c67e386b0886ba

SHA256
d0e279011f78ea6e6ba2b45246a3c78e83b1645bdc8b66854a38b9fc3b7dfc72

SHA512
29356b6b03148915e414b81d047a5efaa305172c8ee5a249a8a51f80fcfd99c9f000601fe8f5f8a7c2be1f2ffa3d96db427cdaef9e6d93eb3d29bd6cd71731ef

Download Submit
C:\Windows\rss\csrss.exe

Filesize
32KB

MD5
6b53e8989f9b3de941e4a16b022071cb

SHA1
2ba4b6e6df414498d61e68967dab490082e43f5c

SHA256
1e24ca618df66fe3db5c9aa23872248b3d53fd9b31dbc39eebe09e41c4cac8bf

SHA512
cf61e4142719ce7c9c12979b7388fcb0f5e150c40bc1b5d94237da05e385ab8cf4f95b86dcc7f722a534d068a1f750430da8ebfdd73ad77a272ee746d50f5325

Download Submit
C:\Windows\windefender.exe

Filesize
71KB

MD5
da1e8c7d10c5e886c01ff7fc73b5d2c6

SHA1
e6fa289effb5bc9bc6af40f7947d1f352e1491ca

SHA256
2e91e7b1ee7feee0f7b680bdd296187e666acb0a0442cb679326833d82ba8778

SHA512
0a2ae5407ac8d8e97f7dafb6cb9bb0ac79d2056d7725eb15c8a10f4df7e448c93efecffa75ba0a031d447523bc117cfcd22921603ab6a42aaac4e10b568241cc

Download Submit
C:\Windows\windefender.exe

Filesize
85KB

MD5
df61e325e305d88e595aac96a81e1c80

SHA1
0e3456a81ef5ca908f74f55c46a501c164bea40d

SHA256
39f951f8ef79f3440dcfcc8b8cafba626f4a4faddcbb6f066e41ed61c1ceaea4

SHA512
02170f86b4216d86b4978530eb4aea6cea49e76725a82b89214864341b1ddd21bdb4131b881275f082596993fef840496f32d3b8e990caaa5183199d389472d7

Download Submit
C:\Windows\windefender.exe

Filesize
11KB

MD5
20dec22b6629f29e7fdb9865548e96ca

SHA1
f75a40f5a6d77b9c67fd1e0ffa2c1f4a051f6b62

SHA256
29a514cb716ff634c6523c14dc5c89916296f168a4ebc236d97e862b93d2c268

SHA512
805ec95fc522fe13faa0a7b26b1e1baff8ab4ac3a100f2134630f5b970d6a9f52639eafb1f780dc9b55393386eedce62660863a9a47d8b8f05f689129aaed0fd

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
56KB

MD5
d762d30be35ce81c0b881501c6a378f1

SHA1
6371f6b67315e4a334ed40bc332267e4c47d5b75

SHA256
34d804391dd5ec5033585d702c74026132f111fce9948d730f3cd6d29aeaeaa8

SHA512
60ae82f345aabe0497574a23bb44c9524101271344192e19e04fc7590a180f958ff57d91b0396804f6edf361baab0e4e7b7081583796d8c947edecb58b0648fb

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
56KB

MD5
d5c43c51aa9ed62c86239dd6828df7cc

SHA1
88ecbf2c0fb59ce233b076ad182a4952c4652810

SHA256
f5e54a1e57db42bcdab0c60d7f5b626cd892e51f510057c0c176a02a8df32570

SHA512
3e9c77c35372fdc8837ca3f13313e2d4047e9a9a87bd2569037b89872d62d5b5829cbb498d6c045b1e6d12854b3bc9fda44dfc8881285c13dab8deffca4ab9fb

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
73KB

MD5
37aebb418319cdbd36fabf6435b3a663

SHA1
e53948270b9d66b0f13ec01bb35edcaf84ec262d

SHA256
95ec7c0efa33bdd309e189de3185fa3d5580f6b0ed3c940bfdc1e5c209361f5d

SHA512
1d08a94342cc123a4530aa3e629b73d359091fa55993d8de99e1714f734107c90f7fba6aec455d358ad43318b2c6be4dd4e71bd516ab66d2cb8a325d53bb568d

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
74KB

MD5
e116aabf282300386f94b2a7e2339aef

SHA1
8303e157147977507aaf4371d31d3a2034b42a02

SHA256
f3bf97021925d7693de78833d75f7c2bd3c23b2cf0ff54257a98fa90d532dead

SHA512
9df7f8bfadec63779721502bab73e68f9375a71461489135babb7bedbfc4733a617f554fd87870a1ad58bd51a34a6a6a5f13a9711e1c87ae09061738ddecb756

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
92KB

MD5
326d1d5466e7a31056d5c9e281242851

SHA1
92df6612cd3c6d79c6a18fc1a52a40ca41874ce7

SHA256
51e509f6f154fa45c508e3ff114934ce640d800efcc6b817dc8dd1083c1906ce

SHA512
1617a257bcc3eefcfa02b4047bdedd12bb20c4de4339d826c4f8996162b9458743b028ff5c6590627143aa107e8aa6294df05481a2d57e673cf376b86a00eb46

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
20KB

MD5
783b7ea3baa32b82d766b245653552f3

SHA1
aa130b43fe0da90781806750c317cf22bf4ef8dc

SHA256
fe68fbd14d6bb86f97e41b892e17769f9af34aa17c5ce342e7f2ba9995d02591

SHA512
af4d443275e5a36598ba30594e19344b17987d07134817044b725f3591b7503c85fa883719324dff829d17d1658dd78373f01ae9778d29f9681de67ec195bf1e

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
37KB

MD5
8d8d34e8c7cd43aa91239ea159ee6f9d

SHA1
302c3689b3e389fa0a95d3517406443b4e9f0664

SHA256
052f909dc5810c8d4585e37d257124770c5a48a6589fa97fb8e9469fcc26052b

SHA512
d431933e1745f1369dbab0aaa99cc56940886ff6695056328274113b467e0392d95163e306bcbfca9a5ff62b0c6e403a7c9b68b1e5a6cd47c0546722f01fb20d

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
128KB

MD5
68a7a5d8a3b5da0001f8119139eb7664

SHA1
b6eea2ff3b7d3cd522c8af5d577612ed82e78da7

SHA256
07764196f95438bcc43166dc72e191b04ee0a2e47e54c6b9785a6d7bbc06546f

SHA512
57e8431df221e0dc64e134c1b08633657e9e664d786e9ff40b174d62540fd03849f81ef3e20ef665c6daf3e2d59761f0ef4713c49b6e41cc54e97c5d47533ce3

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
97KB

MD5
53b5c7754d22b5bfb99c47bd8bd24c37

SHA1
415cbe97034357df1a0d608b7a8b1c4a64f394c2

SHA256
15cda669bc41491c3b34f8197f16e80c2ffefa0727ed8ef7ac384953b07a48c3

SHA512
9ad51f4ffc84bd95a1f1d2724cba0c3fd03e1d273372c842fc9186ff109122f5c66eaf7b5ad909d43c7578a4be69bb147b90e4bc79beb39153e3511df01b5094

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
99KB

MD5
8900946d0ced9bdbcdbf326b23ddf2b2

SHA1
a1d009fefab3aeeb535a7cfa9429008340c94100

SHA256
6fb68058523b11931194d736c644c05bad6ed7550401582c03e2b93178bdccfd

SHA512
1cb72407f0c03031dc187d02f568f9b7ea797beece88899d6f3417a0870a2eb535b32b7561671c0a84621026bb061fe2438377b22dc645a882cae2183b07ba58

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
163KB

MD5
2a797f6eec58f499d5bf1d0ba26c8236

SHA1
690ad37bc74b355e6aea11aedac9c3ce79a5840b

SHA256
2f743f78d6fd88e88e65b94a19e66cc46eb2d1828057b4c4db99663f5e1224dc

SHA512
6246fd30f3b083ff6727b0b56a70a31f55eba20920fb80da67f965a55e3bb6d462b01d27d985dac4a248dd84049f7e052b37df39f0ce8cfa817165bfbbe42333

Download Submit
\Windows\rss\csrss.exe

Filesize
167KB

MD5
121c3a24c4ca7387f592ef9c7483221b

SHA1
bc9eb389ca6d3a342ba262a80814906afe52963e

SHA256
308abaf2350b587e94c461527167a1325b9661eccae1dda0ab6936aa937bee70

SHA512
8d892e7725f7909d2b02b782235cd9c5383e9a7ce73488ccba860668f9e80283b82dd831150976c88033bba6c6793c467cc100d0dea1d9c12cf7e41313216d15

Download Submit
\Windows\rss\csrss.exe

Filesize
179KB

MD5
5e481e2ac71b20c59f73b4cad79a2e05

SHA1
0b05b38d9f7b82c58137bc9636d8a6151e7abe83

SHA256
16210408e3275b7b2d1c2c411aa9781b9d668d39d0a741f0baedd5752c37c366

SHA512
fd9c514509f543d8e0a8f1a4e2a8298bf4b31b66a6ba5e87072d752ccfa496bce8eebadaa2c15e9a5de8496acde98b9094e3c408ee0080ef3505e81b78140771

Download Submit
memory/744-162-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/744-156-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/744-154-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/812-42-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/812-26-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1084-155-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1084-151-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2416-1-0x0000000002880000-0x0000000002C78000-memory.dmp

Filesize
4.0MB

Download
memory/2416-4-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2416-5-0x0000000002880000-0x0000000002C78000-memory.dmp

Filesize
4.0MB

Download
memory/2416-3-0x0000000002C80000-0x000000000356B000-memory.dmp

Filesize
8.9MB

Download
memory/2416-2-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2416-0-0x0000000002880000-0x0000000002C78000-memory.dmp

Filesize
4.0MB

Download
memory/2872-8-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2872-17-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2872-6-0x0000000002830000-0x0000000002C28000-memory.dmp

Filesize
4.0MB

Download
memory/2872-7-0x0000000002830000-0x0000000002C28000-memory.dmp

Filesize
4.0MB

Download
memory/2872-18-0x0000000002830000-0x0000000002C28000-memory.dmp

Filesize
4.0MB

Download
memory/3056-165-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3056-171-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3056-150-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3056-111-0x00000000026D0000-0x0000000002AC8000-memory.dmp

Filesize
4.0MB

Download
memory/3056-103-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3056-116-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3056-117-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3056-19-0x00000000026D0000-0x0000000002AC8000-memory.dmp

Filesize
4.0MB

Download
memory/3056-20-0x00000000026D0000-0x0000000002AC8000-memory.dmp

Filesize
4.0MB

Download
memory/3056-157-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3056-159-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3056-161-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3056-21-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3056-163-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3056-140-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3056-167-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3056-169-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3056-112-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3056-173-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3056-175-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3056-177-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3056-179-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3056-181-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3056-183-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3056-185-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3056-187-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3056-189-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3056-191-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3056-193-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3056-195-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3056-197-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3056-199-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3056-201-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3056-203-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download