glupteba | bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19b

Analysis

max time kernel
31s
max time network
85s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-10-2024 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Size

4.1MB
MD5

a2294fc4d2f422a01608b624142281e0
SHA1

b23463d6765239c5ed743e4413d1e0db53d3fedd
SHA256

bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19b
SHA512

db6ec1ca206b019cad8ad5cb138fc40caba7c861c9febcd6b91109933da445444ebee77717a7938a6d290cb0514060e69c54a5dc4e2bc35da01157bc783e4869
SSDEEP

98304:5n3wmIUx3K+E8UqO/scYLCBt6cQU3jf/Lty828P6hhVvPOGdw5Lkg4J:pAmIS3Kf7qaxYLCBVzD/LtvEhXvfm58J

Score

10^/10

glupteba discovery dropper evasion loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 9 IoCs

resource	yara_rule
behavioral1/memory/3048-2-0x00000000029A0000-0x0000000003217000-memory.dmp	family_glupteba
behavioral1/memory/3048-3-0x0000000000400000-0x0000000000C91000-memory.dmp	family_glupteba
behavioral1/memory/3048-7-0x0000000000400000-0x0000000000C91000-memory.dmp	family_glupteba
behavioral1/memory/3048-8-0x00000000029A0000-0x0000000003217000-memory.dmp	family_glupteba
behavioral1/memory/2928-22-0x0000000000400000-0x0000000000C91000-memory.dmp	family_glupteba
behavioral1/memory/2928-33-0x0000000000400000-0x0000000000C91000-memory.dmp	family_glupteba
behavioral1/memory/2464-40-0x0000000140000000-0x00000001405E8000-memory.dmp	family_glupteba
behavioral1/memory/1028-73-0x0000000000400000-0x0000000000C91000-memory.dmp	family_glupteba
behavioral1/memory/1028-77-0x0000000000400000-0x0000000000C91000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3008	netsh.exe

Modifies boot configuration data using bcdedit 1 IoCs

pid	Process
2676	bcdedit.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Logs\CBS\CbsPersist_20241022015927.cab	makecab.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2516	schtasks.exe
332	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3048	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
Token: SeImpersonatePrivilege	3048	bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe

C:\Users\Admin\AppData\Local\Temp\bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
"C:\Users\Admin\AppData\Local\Temp\bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3048
- C:\Users\Admin\AppData\Local\Temp\bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe
  "C:\Users\Admin\AppData\Local\Temp\bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19bN.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2928
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:2908
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:3008
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:1028
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:332
  - - C:\Windows\system32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:700
  - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
      "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
      4⤵
      PID:2464
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:2140
  - - C:\Windows\system32\bcdedit.exe
      C:\Windows\Sysnative\bcdedit.exe /v
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2676
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2516

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241022015927.log C:\Windows\Logs\CBS\CbsPersist_20241022015927.cab
1⤵
- Drops file in Windows directory
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
2.3MB

MD5
66f593809def1438f648c145f782abc8

SHA1
09188f265e617f79fb14110c911608ec5b5ac389

SHA256
3115c0c93cf62334346b433099306282ee5936024bb72ea1fbbc50caddd92788

SHA512
523dd12ebabfdda91e3bff0f8465cb9b19df256dd93f4fac58dc4e03275c73753168fdc1ee2198800cd13c919cad72fe7e0ad6f9c419569e699cf92b385ec819

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
492KB

MD5
fafbf2197151d5ce947872a4b0bcbe16

SHA1
a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

SHA256
feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

SHA512
acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
1.5MB

MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
a2294fc4d2f422a01608b624142281e0

SHA1
b23463d6765239c5ed743e4413d1e0db53d3fedd

SHA256
bd0df2a49d7e82c60fa3e90eebaecda95483e20e1aa27e50864747da5b00d19b

SHA512
db6ec1ca206b019cad8ad5cb138fc40caba7c861c9febcd6b91109933da445444ebee77717a7938a6d290cb0514060e69c54a5dc4e2bc35da01157bc783e4869

Download Submit
memory/1028-73-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/1028-78-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/1028-31-0x00000000024D0000-0x00000000028B9000-memory.dmp

Filesize
3.9MB

Download
memory/1028-99-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/1028-77-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/1028-102-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/1028-100-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/1028-101-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/2464-54-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2464-40-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2928-33-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/2928-22-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/2928-4-0x0000000002530000-0x0000000002919000-memory.dmp

Filesize
3.9MB

Download
memory/2928-20-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/2928-21-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/3048-7-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/3048-2-0x00000000029A0000-0x0000000003217000-memory.dmp

Filesize
8.5MB

Download
memory/3048-1-0x00000000025B0000-0x0000000002999000-memory.dmp

Filesize
3.9MB

Download
memory/3048-3-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/3048-0-0x00000000025B0000-0x0000000002999000-memory.dmp

Filesize
3.9MB

Download
memory/3048-8-0x00000000029A0000-0x0000000003217000-memory.dmp

Filesize
8.5MB

Download
memory/3048-6-0x00000000025B0000-0x0000000002999000-memory.dmp

Filesize
3.9MB

Download