Overview

overview

10

Static

static

1E8F7E9782...C5.exe

windows7_x64

10

1E8F7E9782...C5.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    27-05-2021 20:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1E8F7E97829A667EA6E11F1BE8AED9C5.exe

  • Size

    5.5MB

  • MD5

    1e8f7e97829a667ea6e11f1be8aed9c5

  • SHA1

    527f7fe8e5ff4a39fb33ef27b0e5d5569a84c071

  • SHA256

    5fce415ea8596e0aa332b961dd62c1e39ddfbe593d577b91ff32aba9d9767cdd

  • SHA512

    f2e6709de8b62b0448ba34a265607045bf1ac3a38be4edccfbabb9fb111431112f373127746ac023c4534ed00a4cca618ecc9d35beacb49ecaceba92fb3fc22b

Score
10/10
gluptebametasploitplugxbackdoordiscoverydropperloadertrojanupx

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba Payload 5 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Executes dropped EXE 8 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 18 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:468
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:876
        • C:\Windows\system32\wbem\WMIADAP.EXE
          wmiadap.exe /F /T /R
          3⤵
            PID:2012
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k SystemNetworkService
          2⤵
          • Modifies registry class
          PID:888
      • C:\Users\Admin\AppData\Local\Temp\1E8F7E97829A667EA6E11F1BE8AED9C5.exe
        "C:\Users\Admin\AppData\Local\Temp\1E8F7E97829A667EA6E11F1BE8AED9C5.exe"
        1⤵
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1776
        • C:\Program Files (x86)\Company\NewProduct\customer2.exe
          "C:\Program Files (x86)\Company\NewProduct\customer2.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1164
          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            3⤵
            • Executes dropped EXE
            PID:864
          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:1592
        • C:\Program Files (x86)\Company\NewProduct\file4.exe
          "C:\Program Files (x86)\Company\NewProduct\file4.exe"
          2⤵
          • Executes dropped EXE
          PID:2020
        • C:\Program Files (x86)\Company\NewProduct\liujun.exe
          "C:\Program Files (x86)\Company\NewProduct\liujun.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1944
          • C:\Windows\SysWOW64\rUNdlL32.eXe
            "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setpwd
            3⤵
            • Loads dropped DLL
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1536
        • C:\Program Files (x86)\Company\NewProduct\setup.exe
          "C:\Program Files (x86)\Company\NewProduct\setup.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:1040
        • C:\Program Files (x86)\Company\NewProduct\app.exe
          "C:\Program Files (x86)\Company\NewProduct\app.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1484
          • C:\Program Files (x86)\Company\NewProduct\app.exe
            "C:\Program Files (x86)\Company\NewProduct\app.exe"
            3⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            PID:464

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/876-101-0x0000000000890000-0x00000000008DB000-memory.dmp

        Filesize

        300KB

        Download

      • memory/876-102-0x0000000001120000-0x0000000001190000-memory.dmp

        Filesize

        448KB

        Download

      • memory/888-104-0x0000000000430000-0x00000000004A0000-memory.dmp

        Filesize

        448KB

        Download

      • memory/1040-107-0x0000000000230000-0x0000000000296000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1040-108-0x0000000000400000-0x0000000000466000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1536-96-0x00000000002F0000-0x000000000034C000-memory.dmp

        Filesize

        368KB

        Download

      • memory/1536-95-0x0000000000540000-0x0000000000641000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/1776-59-0x0000000075C31000-0x0000000075C33000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2020-84-0x0000000000430000-0x0000000000442000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2020-82-0x0000000000250000-0x0000000000260000-memory.dmp

        Filesize

        64KB

        Download