Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-09-07...ch.exe

windows7-x64

10

2024-09-07...ch.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/09/2024, 11:22 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-09-07_8ab1af9bdf7bd2fb52683a9f0a9fb22b_poet-rat_snatch.exe

  • Size

    9.2MB

  • MD5

    8ab1af9bdf7bd2fb52683a9f0a9fb22b

  • SHA1

    558eb72d64b63967a1e7ee5f5aedfea7684b5c2a

  • SHA256

    e72968b00e099abc78ffa34415a284e6df5cf54529e2333277031aac6e061c6b

  • SHA512

    96479ee2374219fc70709385b78cfbd612342735dc0a63bfa48f20551d6397d2d57a63fe08d20da213cccc9ecf6bb14aa446666c9cb8db37a9806dca67f66f0d

  • SSDEEP

    98304:jAepitsWVwUQtDxLq+na0lH/XxMLvhhZytTVhg5iqPzN:jAGitpzQxMLphwVhGzN

Score
10/10
gluptebametasploitbackdoordiscoverydropperevasionloaderpersistenceprivilege_escalationrootkittrojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 1 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • GoLang User-Agent 5 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-07_8ab1af9bdf7bd2fb52683a9f0a9fb22b_poet-rat_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-07_8ab1af9bdf7bd2fb52683a9f0a9fb22b_poet-rat_snatch.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1064
    • C:\Users\Admin\AppData\Local\Temp\2024-09-07_8ab1af9bdf7bd2fb52683a9f0a9fb22b_poet-rat_snatch.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-09-07_8ab1af9bdf7bd2fb52683a9f0a9fb22b_poet-rat_snatch.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4004
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:1620
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe ""
        3⤵
        • Executes dropped EXE
        • Manipulates WinMonFS driver.
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4564
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1712
        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:3052

Network

  • flag-us
    DNS
    humisnee.com
    2024-09-07_8ab1af9bdf7bd2fb52683a9f0a9fb22b_poet-rat_snatch.exe
    Remote address:
    8.8.8.8:53
    Request
    humisnee.com
    IN A
    Response
    humisnee.com
    IN A
    37.48.65.148
  • flag-us
    DNS
    humisnee.com
    2024-09-07_8ab1af9bdf7bd2fb52683a9f0a9fb22b_poet-rat_snatch.exe
    Remote address:
    8.8.8.8:53
    Request
    humisnee.com
    IN A
  • flag-us
    DNS
    humisnee.com
    2024-09-07_8ab1af9bdf7bd2fb52683a9f0a9fb22b_poet-rat_snatch.exe
    Remote address:
    8.8.8.8:53
    Request
    humisnee.com
    IN A
  • flag-us
    DNS
    survey-smiles.com
    2024-09-07_8ab1af9bdf7bd2fb52683a9f0a9fb22b_poet-rat_snatch.exe
    Remote address:
    8.8.8.8:53
    Request
    survey-smiles.com
    IN A
    Response
    survey-smiles.com
    IN A
    199.59.243.226
  • flag-us
    GET
    http://survey-smiles.com/
    2024-09-07_8ab1af9bdf7bd2fb52683a9f0a9fb22b_poet-rat_snatch.exe
    Remote address:
    199.59.243.226:80
    Request
    GET / HTTP/1.1
    Host: survey-smiles.com
    User-Agent: Go-http-client/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    date: Sat, 07 Sep 2024 11:22:26 GMT
    content-type: text/html; charset=utf-8
    content-length: 1054
    x-request-id: 1c751b06-59af-45dc-b449-d80a645146bf
    cache-control: no-store, max-age=0
    accept-ch: sec-ch-prefers-color-scheme
    critical-ch: sec-ch-prefers-color-scheme
    vary: sec-ch-prefers-color-scheme
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_GSbXHjSyM4GBXh+TDdQi5Ch6arC3xeKj8KkRwOq4qrqrlRcvBA0AmkBJ57Iam4tUGtRHYm5e3uPQsAB9Z6SRbg==
    set-cookie: parking_session=1c751b06-59af-45dc-b449-d80a645146bf; expires=Sat, 07 Sep 2024 11:37:27 GMT; path=/
  • flag-us
    DNS
    148.65.48.37.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    148.65.48.37.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    226.243.59.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    226.243.59.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ninhaine.com
    csrss.exe
    Remote address:
    8.8.8.8:53
    Request
    ninhaine.com
    IN TXT
    Response
  • flag-us
    DNS
    2makestorage.com
    csrss.exe
    Remote address:
    8.8.8.8:53
    Request
    2makestorage.com
    IN TXT
    Response
  • flag-us
    DNS
    nisdably.com
    csrss.exe
    Remote address:
    8.8.8.8:53
    Request
    nisdably.com
    IN TXT
    Response
    nisdably.com
    IN TXT
    .v=spf1 include:_incspfcheck.mailspike.net ?all
  • flag-us
    DNS
    063a6738-6b0d-459c-b368-112f7f4c9a58.ninhaine.com
    csrss.exe
    Remote address:
    8.8.8.8:53
    Request
    063a6738-6b0d-459c-b368-112f7f4c9a58.ninhaine.com
    IN TXT
    Response
  • flag-us
    DNS
    server5.ninhaine.com
    csrss.exe
    Remote address:
    8.8.8.8:53
    Request
    server5.ninhaine.com
    IN A
    Response
    server5.ninhaine.com
    IN A
    46.8.8.100
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    71.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    100.8.8.46.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    100.8.8.46.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ww82.ninhaine.com
    csrss.exe
    Remote address:
    8.8.8.8:53
    Request
    ww82.ninhaine.com
    IN A
    Response
    ww82.ninhaine.com
    IN CNAME
    63214.bodis.com
    63214.bodis.com
    IN A
    199.59.243.226
  • flag-us
    GET
    http://ww82.ninhaine.com/
    csrss.exe
    Remote address:
    199.59.243.226:80
    Request
    GET / HTTP/1.1
    Host: ww82.ninhaine.com
    User-Agent: Go-http-client/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    date: Sat, 07 Sep 2024 11:22:38 GMT
    content-type: text/html; charset=utf-8
    content-length: 1054
    x-request-id: 35d25035-24b2-4811-9354-47399d2b4e5d
    cache-control: no-store, max-age=0
    accept-ch: sec-ch-prefers-color-scheme
    critical-ch: sec-ch-prefers-color-scheme
    vary: sec-ch-prefers-color-scheme
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Tt/J9oqHpuqXX6un3Cskdko3ntgD1EOja6YOeQ+8B1Hpbe2+JoOhWbyNcOz/GR92FxtaOj/IK4FrDZpNw9TExw==
    set-cookie: parking_session=35d25035-24b2-4811-9354-47399d2b4e5d; expires=Sat, 07 Sep 2024 11:37:39 GMT; path=/
  • flag-us
    GET
    http://ww82.ninhaine.com/
    csrss.exe
    Remote address:
    199.59.243.226:80
    Request
    GET / HTTP/1.1
    Host: ww82.ninhaine.com
    User-Agent: Go-http-client/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    date: Sat, 07 Sep 2024 11:22:46 GMT
    content-type: text/html; charset=utf-8
    content-length: 1054
    x-request-id: fb884a57-3bfd-404c-a52f-e5230a7ce07f
    cache-control: no-store, max-age=0
    accept-ch: sec-ch-prefers-color-scheme
    critical-ch: sec-ch-prefers-color-scheme
    vary: sec-ch-prefers-color-scheme
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Tt/J9oqHpuqXX6un3Cskdko3ntgD1EOja6YOeQ+8B1Hpbe2+JoOhWbyNcOz/GR92FxtaOj/IK4FrDZpNw9TExw==
    set-cookie: parking_session=fb884a57-3bfd-404c-a52f-e5230a7ce07f; expires=Sat, 07 Sep 2024 11:37:47 GMT; path=/
  • flag-us
    GET
    http://ww82.ninhaine.com/
    csrss.exe
    Remote address:
    199.59.243.226:80
    Request
    GET / HTTP/1.1
    Host: ww82.ninhaine.com
    User-Agent: Go-http-client/1.1
    Content-Type: application/json; charset=UTF-8
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    date: Sat, 07 Sep 2024 11:22:38 GMT
    content-type: text/html; charset=utf-8
    content-length: 1054
    x-request-id: 430678f6-01e2-4cee-999f-3fdbc4081056
    cache-control: no-store, max-age=0
    accept-ch: sec-ch-prefers-color-scheme
    critical-ch: sec-ch-prefers-color-scheme
    vary: sec-ch-prefers-color-scheme
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Tt/J9oqHpuqXX6un3Cskdko3ntgD1EOja6YOeQ+8B1Hpbe2+JoOhWbyNcOz/GR92FxtaOj/IK4FrDZpNw9TExw==
    set-cookie: parking_session=430678f6-01e2-4cee-999f-3fdbc4081056; expires=Sat, 07 Sep 2024 11:37:39 GMT; path=/
  • flag-us
    GET
    http://ww82.ninhaine.com/
    csrss.exe
    Remote address:
    199.59.243.226:80
    Request
    GET / HTTP/1.1
    Host: ww82.ninhaine.com
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    date: Sat, 07 Sep 2024 11:22:38 GMT
    content-type: text/html; charset=utf-8
    content-length: 1054
    x-request-id: cce4173e-786f-488e-8237-903321968b09
    cache-control: no-store, max-age=0
    accept-ch: sec-ch-prefers-color-scheme
    critical-ch: sec-ch-prefers-color-scheme
    vary: sec-ch-prefers-color-scheme
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_ddXaAU++kKHFXXpye7OstOJs2OQRtAwyKoZv0JEZ57UJCVNlHB9A4peFJIA8ZOl9YyNX7hRy6+T4BctdrCahTQ==
    set-cookie: parking_session=cce4173e-786f-488e-8237-903321968b09; expires=Sat, 07 Sep 2024 11:37:39 GMT; path=/
  • flag-us
    GET
    http://ww82.ninhaine.com/
    csrss.exe
    Remote address:
    199.59.243.226:80
    Request
    GET / HTTP/1.1
    Host: ww82.ninhaine.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    date: Sat, 07 Sep 2024 11:22:43 GMT
    content-type: text/html; charset=utf-8
    content-length: 1054
    x-request-id: 0e4d7435-c76b-45b4-ba0f-a21c775a3100
    cache-control: no-store, max-age=0
    accept-ch: sec-ch-prefers-color-scheme
    critical-ch: sec-ch-prefers-color-scheme
    vary: sec-ch-prefers-color-scheme
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_fx0AK9QznUjEamr0ll6fIOqrwSOFdH887JaQ0YBQWSyLVl3Uc5vatCVCRZQXp/93UK8YBJ4y7UdK0C4gy08iEg==
    set-cookie: parking_session=0e4d7435-c76b-45b4-ba0f-a21c775a3100; expires=Sat, 07 Sep 2024 11:37:44 GMT; path=/
  • flag-us
    GET
    http://ww82.ninhaine.com/
    csrss.exe
    Remote address:
    199.59.243.226:80
    Request
    GET / HTTP/1.1
    Host: ww82.ninhaine.com
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    date: Sat, 07 Sep 2024 11:22:46 GMT
    content-type: text/html; charset=utf-8
    content-length: 1054
    x-request-id: eac98ed1-fd20-413e-a989-91f9e0e0227e
    cache-control: no-store, max-age=0
    accept-ch: sec-ch-prefers-color-scheme
    critical-ch: sec-ch-prefers-color-scheme
    vary: sec-ch-prefers-color-scheme
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_QZb2NeH46AHC7dCy/x1sl0RAIECavvIXrdJlPml4NSxDBIJfsw8uKCZlxZDaqzlopfpmI90I7WXnMbbT5fyvTQ==
    set-cookie: parking_session=eac98ed1-fd20-413e-a989-91f9e0e0227e; expires=Sat, 07 Sep 2024 11:37:47 GMT; path=/
  • flag-us
    GET
    http://ww82.ninhaine.com/
    csrss.exe
    Remote address:
    199.59.243.226:80
    Request
    GET / HTTP/1.1
    Host: ww82.ninhaine.com
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    date: Sat, 07 Sep 2024 11:22:50 GMT
    content-type: text/html; charset=utf-8
    content-length: 1054
    x-request-id: 35eeb1f6-476b-4ca2-b351-d23b9a6165ac
    cache-control: no-store, max-age=0
    accept-ch: sec-ch-prefers-color-scheme
    critical-ch: sec-ch-prefers-color-scheme
    vary: sec-ch-prefers-color-scheme
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_jZoS0Mt47yTG5KYJXtkRxxmsaZk0umeBfN9/A366BGlwX7nQ0I8T/zfKwRqueHTX84tuzVCxWi1AEJBp5USPRA==
    set-cookie: parking_session=35eeb1f6-476b-4ca2-b351-d23b9a6165ac; expires=Sat, 07 Sep 2024 11:37:51 GMT; path=/
  • flag-us
    GET
    http://ww82.ninhaine.com/
    csrss.exe
    Remote address:
    199.59.243.226:80
    Request
    GET / HTTP/1.1
    Host: ww82.ninhaine.com
    User-Agent: Go-http-client/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    date: Sat, 07 Sep 2024 11:22:52 GMT
    content-type: text/html; charset=utf-8
    content-length: 1054
    x-request-id: a3fa4463-b804-459f-92d5-280f12525a60
    cache-control: no-store, max-age=0
    accept-ch: sec-ch-prefers-color-scheme
    critical-ch: sec-ch-prefers-color-scheme
    vary: sec-ch-prefers-color-scheme
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Tt/J9oqHpuqXX6un3Cskdko3ntgD1EOja6YOeQ+8B1Hpbe2+JoOhWbyNcOz/GR92FxtaOj/IK4FrDZpNw9TExw==
    set-cookie: parking_session=a3fa4463-b804-459f-92d5-280f12525a60; expires=Sat, 07 Sep 2024 11:37:53 GMT; path=/
  • flag-us
    GET
    http://ww82.ninhaine.com/
    csrss.exe
    Remote address:
    199.59.243.226:80
    Request
    GET / HTTP/1.1
    Host: ww82.ninhaine.com
    User-Agent: Go-http-client/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    date: Sat, 07 Sep 2024 11:22:38 GMT
    content-type: text/html; charset=utf-8
    content-length: 1054
    x-request-id: 037d1525-d5db-40ed-a1d2-2e546ebb98bc
    cache-control: no-store, max-age=0
    accept-ch: sec-ch-prefers-color-scheme
    critical-ch: sec-ch-prefers-color-scheme
    vary: sec-ch-prefers-color-scheme
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Tt/J9oqHpuqXX6un3Cskdko3ntgD1EOja6YOeQ+8B1Hpbe2+JoOhWbyNcOz/GR92FxtaOj/IK4FrDZpNw9TExw==
    set-cookie: parking_session=037d1525-d5db-40ed-a1d2-2e546ebb98bc; expires=Sat, 07 Sep 2024 11:37:39 GMT; path=/
  • flag-us
    DNS
    spolaect.info
    csrss.exe
    Remote address:
    8.8.8.8:53
    Request
    spolaect.info
    IN A
    Response
  • flag-us
    DNS
    103.169.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.169.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.134.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.134.221.88.in-addr.arpa
    IN PTR
    Response
    18.134.221.88.in-addr.arpa
    IN PTR
    a88-221-134-18deploystaticakamaitechnologiescom
  • flag-us
    GET
    http://ww82.ninhaine.com/
    csrss.exe
    Remote address:
    199.59.243.226:80
    Request
    GET / HTTP/1.1
    Host: ww82.ninhaine.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    date: Sat, 07 Sep 2024 11:23:37 GMT
    content-type: text/html; charset=utf-8
    content-length: 1054
    x-request-id: 0529495d-8f18-4116-b2af-778465098cba
    cache-control: no-store, max-age=0
    accept-ch: sec-ch-prefers-color-scheme
    critical-ch: sec-ch-prefers-color-scheme
    vary: sec-ch-prefers-color-scheme
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Ppx9vxY7pmKhVFjR3+KyMhuE2D1SlyAf7U9Eg/jAKoTo2ogcFYqti0wYsjkE25HHFUyy7CruXr2Oi10jSAWC9g==
    set-cookie: parking_session=0529495d-8f18-4116-b2af-778465098cba; expires=Sat, 07 Sep 2024 11:38:38 GMT; path=/
  • flag-us
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    server5.2makestorage.com
    csrss.exe
    Remote address:
    8.8.8.8:53
    Request
    server5.2makestorage.com
    IN A
    Response
  • 37.48.65.148:443
    humisnee.com
    tls
    2024-09-07_8ab1af9bdf7bd2fb52683a9f0a9fb22b_poet-rat_snatch.exe
    1.4kB
     3.9kB
     12
    11
  • 199.59.243.226:80
    http://survey-smiles.com/
    http
    2024-09-07_8ab1af9bdf7bd2fb52683a9f0a9fb22b_poet-rat_snatch.exe
    429 B
     2.5kB
     6
    5

    HTTP Request

    GET http://survey-smiles.com/

    HTTP Response

    200
  • 46.8.8.100:443
    server5.ninhaine.com
    tls
    csrss.exe
    1.3kB
     3.6kB
     19
    12
  • 46.8.8.100:443
    server5.ninhaine.com
    tls
    csrss.exe
    15.7kB
     5.1kB
     39
    27
  • 46.8.8.100:443
    server5.ninhaine.com
    tls
    csrss.exe
    836 B
     3.5kB
     10
    9
  • 199.59.243.226:80
    http://ww82.ninhaine.com/
    http
    csrss.exe
    760 B
     4.9kB
     10
    10

    HTTP Request

    GET http://ww82.ninhaine.com/

    HTTP Response

    200

    HTTP Request

    GET http://ww82.ninhaine.com/

    HTTP Response

    200
  • 199.59.243.226:80
    http://ww82.ninhaine.com/
    http
    csrss.exe
    473 B
     2.5kB
     7
    6

    HTTP Request

    GET http://ww82.ninhaine.com/

    HTTP Response

    200
  • 199.59.243.226:80
    http://ww82.ninhaine.com/
    http
    csrss.exe
    1.8kB
     12.0kB
     19
    19

    HTTP Request

    GET http://ww82.ninhaine.com/

    HTTP Response

    200

    HTTP Request

    GET http://ww82.ninhaine.com/

    HTTP Response

    200

    HTTP Request

    GET http://ww82.ninhaine.com/

    HTTP Response

    200

    HTTP Request

    GET http://ww82.ninhaine.com/

    HTTP Response

    200

    HTTP Request

    GET http://ww82.ninhaine.com/

    HTTP Response

    200
  • 199.59.243.226:80
    http://ww82.ninhaine.com/
    http
    csrss.exe
    475 B
     2.5kB
     7
    6

    HTTP Request

    GET http://ww82.ninhaine.com/

    HTTP Response

    200
  • 46.8.8.100:443
    server5.ninhaine.com
    tls
    csrss.exe
    6.8kB
     5.0kB
     35
    32
  • 46.8.8.100:443
    server5.ninhaine.com
    tls
    csrss.exe
    3.2kB
     3.8kB
     19
    10
  • 199.59.243.226:80
    http://ww82.ninhaine.com/
    http
    csrss.exe
    898 B
     3.2kB
     10
    6

    HTTP Request

    GET http://ww82.ninhaine.com/

    HTTP Response

    200
  • 8.8.8.8:53
    humisnee.com
    dns
    2024-09-07_8ab1af9bdf7bd2fb52683a9f0a9fb22b_poet-rat_snatch.exe
    174 B
     74 B
     3
    1

    DNS Request

    humisnee.com

    DNS Request

    humisnee.com

    DNS Request

    humisnee.com

    DNS Response

    37.48.65.148

  • 8.8.8.8:53
    survey-smiles.com
    dns
    2024-09-07_8ab1af9bdf7bd2fb52683a9f0a9fb22b_poet-rat_snatch.exe
    63 B
     79 B
     1
    1

    DNS Request

    survey-smiles.com

    DNS Response

    199.59.243.226

  • 8.8.8.8:53
    148.65.48.37.in-addr.arpa
    dns
    71 B
     134 B
     1
    1

    DNS Request

    148.65.48.37.in-addr.arpa

  • 8.8.8.8:53
    226.243.59.199.in-addr.arpa
    dns
    73 B
     131 B
     1
    1

    DNS Request

    226.243.59.199.in-addr.arpa

  • 8.8.8.8:53
    ninhaine.com
    dns
    csrss.exe
    58 B
     58 B
     1
    1

    DNS Request

    ninhaine.com

  • 8.8.8.8:53
    2makestorage.com
    dns
    csrss.exe
    62 B
     135 B
     1
    1

    DNS Request

    2makestorage.com

  • 8.8.8.8:53
    nisdably.com
    dns
    csrss.exe
    58 B
     117 B
     1
    1

    DNS Request

    nisdably.com

  • 8.8.8.8:53
    063a6738-6b0d-459c-b368-112f7f4c9a58.ninhaine.com
    dns
    csrss.exe
    95 B
     95 B
     1
    1

    DNS Request

    063a6738-6b0d-459c-b368-112f7f4c9a58.ninhaine.com

  • 8.8.8.8:53
    server5.ninhaine.com
    dns
    csrss.exe
    66 B
     82 B
     1
    1

    DNS Request

    server5.ninhaine.com

    DNS Response

    46.8.8.100

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    71.31.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    71.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    100.8.8.46.in-addr.arpa
    dns
    69 B
     129 B
     1
    1

    DNS Request

    100.8.8.46.in-addr.arpa

  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    ww82.ninhaine.com
    dns
    csrss.exe
    63 B
     105 B
     1
    1

    DNS Request

    ww82.ninhaine.com

    DNS Response

    199.59.243.226

  • 8.8.8.8:53
    spolaect.info
    dns
    csrss.exe
    59 B
     138 B
     1
    1

    DNS Request

    spolaect.info

  • 8.8.8.8:53
    103.169.127.40.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    103.169.127.40.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    18.134.221.88.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    18.134.221.88.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    server5.2makestorage.com
    dns
    csrss.exe
    70 B
     143 B
     1
    1

    DNS Request

    server5.2makestorage.com

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
    Filesize

    281KB

    MD5

    d98e33b66343e7c96158444127a117f6

    SHA1

    bb716c5509a2bf345c6c1152f6e3e1452d39d50d

    SHA256

    5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

    SHA512

    705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

    Download Submit

  • C:\Windows\rss\csrss.exe
    Filesize

    9.2MB

    MD5

    8ab1af9bdf7bd2fb52683a9f0a9fb22b

    SHA1

    558eb72d64b63967a1e7ee5f5aedfea7684b5c2a

    SHA256

    e72968b00e099abc78ffa34415a284e6df5cf54529e2333277031aac6e061c6b

    SHA512

    96479ee2374219fc70709385b78cfbd612342735dc0a63bfa48f20551d6397d2d57a63fe08d20da213cccc9ecf6bb14aa446666c9cb8db37a9806dca67f66f0d

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.