Overview

overview

10

Static

static

8743c37485...b0.exe

windows7_x64

10

8743c37485...b0.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    102s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    09-05-2022 00:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8743c37485edab28e9e1880236f7ec2f336635aeee90598fcf49ac541682a3b0.exe

  • Size

    3.9MB

  • MD5

    41489a9eb3c63f2902748eeefc682cf7

  • SHA1

    15cc46a4b8002afe3ec0b4468b5cd8ce69fc2baa

  • SHA256

    8743c37485edab28e9e1880236f7ec2f336635aeee90598fcf49ac541682a3b0

  • SHA512

    2c1a271939e3a77b048d458f0399128c52383843ea0ba06cd7fae301e28f63023bf226032fc94640fcb98ced6c599be3dcfa676f129bafa24f9a2bd9af263c59

Score
10/10
gluptebadropperevasionloader

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba Payload 5 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Program crash 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8743c37485edab28e9e1880236f7ec2f336635aeee90598fcf49ac541682a3b0.exe
    "C:\Users\Admin\AppData\Local\Temp\8743c37485edab28e9e1880236f7ec2f336635aeee90598fcf49ac541682a3b0.exe"
    1⤵
      PID:2284
      • C:\Users\Admin\AppData\Local\Temp\8743c37485edab28e9e1880236f7ec2f336635aeee90598fcf49ac541682a3b0.exe
        "C:\Users\Admin\AppData\Local\Temp\8743c37485edab28e9e1880236f7ec2f336635aeee90598fcf49ac541682a3b0.exe"
        2⤵
          PID:3408
          • C:\Windows\system32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            3⤵
              PID:2740
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                4⤵
                  PID:4552
              • C:\Windows\system32\cmd.exe
                C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\83876a664c4b\83876a664c4b.exe" enable=yes"
                3⤵
                  PID:4488
                • C:\Windows\rss\csrss.exe
                  C:\Windows\rss\csrss.exe ""
                  3⤵
                    PID:3904
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 828
                    3⤵
                    • Program crash
                    PID:3128
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
                1⤵
                  PID:1080
                • C:\Windows\system32\netsh.exe
                  netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\83876a664c4b\83876a664c4b.exe" enable=yes
                  1⤵
                    PID:4676
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3408 -ip 3408
                    1⤵
                      PID:1488

                    Network

                    MITRE ATT&CK Matrix ATT&CK v6

                    Initial Access

                    Execution

                    Persistence

                    Modify Existing Service

                    1
                    T1031

                    Privilege Escalation

                    Defense Evasion

                    Credential Access

                    Discovery

                    Lateral Movement

                    Collection

                    Exfiltration

                    Command and Control

                    Impact

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Windows\rss\csrss.exe
                      Filesize

                      3.9MB

                      MD5

                      41489a9eb3c63f2902748eeefc682cf7

                      SHA1

                      15cc46a4b8002afe3ec0b4468b5cd8ce69fc2baa

                      SHA256

                      8743c37485edab28e9e1880236f7ec2f336635aeee90598fcf49ac541682a3b0

                      SHA512

                      2c1a271939e3a77b048d458f0399128c52383843ea0ba06cd7fae301e28f63023bf226032fc94640fcb98ced6c599be3dcfa676f129bafa24f9a2bd9af263c59

                      Download Submit
                    • C:\Windows\rss\csrss.exe
                      Filesize

                      3.9MB

                      MD5

                      41489a9eb3c63f2902748eeefc682cf7

                      SHA1

                      15cc46a4b8002afe3ec0b4468b5cd8ce69fc2baa

                      SHA256

                      8743c37485edab28e9e1880236f7ec2f336635aeee90598fcf49ac541682a3b0

                      SHA512

                      2c1a271939e3a77b048d458f0399128c52383843ea0ba06cd7fae301e28f63023bf226032fc94640fcb98ced6c599be3dcfa676f129bafa24f9a2bd9af263c59

                      Download Submit
                    • memory/1412-147-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2284-131-0x0000000005B60000-0x000000000625C000-memory.dmp
                      Filesize

                      7.0MB

                      Download
                    • memory/2284-132-0x0000000000400000-0x0000000005158000-memory.dmp
                      Filesize

                      77.3MB

                      Download
                    • memory/2284-130-0x00000000057A7000-0x0000000005B50000-memory.dmp
                      Filesize

                      3.7MB

                      Download
                    • memory/2740-134-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3408-133-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3408-136-0x00000000056E4000-0x0000000005A8D000-memory.dmp
                      Filesize

                      3.7MB

                      Download
                    • memory/3408-137-0x0000000000400000-0x0000000005158000-memory.dmp
                      Filesize

                      77.3MB

                      Download
                    • memory/3904-140-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3904-143-0x0000000005C00000-0x0000000005FA9000-memory.dmp
                      Filesize

                      3.7MB

                      Download
                    • memory/3904-144-0x0000000006000000-0x00000000066FC000-memory.dmp
                      Filesize

                      7.0MB

                      Download
                    • memory/3904-145-0x0000000000400000-0x0000000005158000-memory.dmp
                      Filesize

                      77.3MB

                      Download
                    • memory/4488-138-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4552-135-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4676-139-0x0000000000000000-mapping.dmp
                      Download