Overview

overview

10

Static

static

app.exe

windows7_x64

10

app.exe

windows7_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-ja-20210920
  • submitted
    14-10-2021 13:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    app.exe

  • Size

    4.5MB

  • MD5

    fc71c451366dd6e7f0aeeb306752fa52

  • SHA1

    8748f5854b6dde9205903a9774ff0b0f62b452bd

  • SHA256

    e164923d190995c709d3d08f8d96825a7dbfdff4bf6b583dd4cc21b312f0d760

  • SHA512

    9fc08f712663a7b6ed52bf8ee36ef8f7f5aaa12b064ec92bf050a22214cd023422e806c7bba4e0233384fe3343a30a07d8f8fa8db496065bc755adde2f5c8c11

Score
10/10
gluptebametasploitbackdoordropperloadertrojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba Payload 2 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\app.exe
    "C:\Users\Admin\AppData\Local\Temp\app.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1680
    • C:\Users\Admin\AppData\Local\Temp\app.exe
      "C:\Users\Admin\AppData\Local\Temp\app.exe"
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      PID:1420
  • C:\Windows\system32\IME\IMEJP10\imjppdmg.exe
    /Migration
    1⤵
      PID:396
    • C:\Windows\system32\makecab.exe
      "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20211014130525.log C:\Windows\Logs\CBS\CbsPersist_20211014130525.cab
      1⤵
      • Drops file in Windows directory
      PID:1072
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\RequestConfirm.vdw
      1⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:788
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RequestConfirm.vdw
        2⤵
        • Modifies Internet Explorer Phishing Filter
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1156
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1156 CREDAT:275457 /prefetch:2
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1624
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RequestConfirm.vdw
          3⤵
            PID:1724
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        1⤵
          PID:1572

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/788-57-0x000007FEFC281000-0x000007FEFC283000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1156-58-0x0000000000000000-mapping.dmp
          Download
        • memory/1156-60-0x0000000004960000-0x0000000004961000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1420-56-0x0000000000F60000-0x000000000139B000-memory.dmp
          Filesize

          4.2MB

          Download
        • memory/1624-59-0x0000000000000000-mapping.dmp
          Download
        • memory/1680-53-0x0000000001000000-0x000000000143B000-memory.dmp
          Filesize

          4.2MB

          Download
        • memory/1680-54-0x0000000001440000-0x0000000001D5E000-memory.dmp
          Filesize

          9.1MB

          Download
        • memory/1680-55-0x0000000000400000-0x0000000000D39000-memory.dmp
          Filesize

          9.2MB

          Download
        • memory/1724-61-0x0000000000000000-mapping.dmp
          Download