Analysis
-
max time kernel
136s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20-05-2022 04:39
Static task
static1
Behavioral task
behavioral1
Sample
1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
General
-
Target
1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe
-
Size
5.0MB
-
MD5
79b2dce444347169977d7fa87137f839
-
SHA1
239779f6b48824a9e7626f6aa3c306c08eb244dd
-
SHA256
1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef
-
SHA512
73d68bf150662bb78ceb913dd54d5fe2414aed37769dd453102eb4ac9ea5fc565fbd45ecd9ba4e95422ba191ff0f8d1544d6fcb715b6c51fac5bbe1cc805346f
Malware Config
Signatures
-
Glupteba Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1208-131-0x0000000000400000-0x0000000000AE9000-memory.dmp family_glupteba -
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
svchost.exedescription pid process target process PID 1604 created 1208 1604 svchost.exe 1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exepid process 1208 1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe 1208 1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe 1208 1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe 1208 1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe 1208 1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe 1208 1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe 1208 1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe 1208 1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exesvchost.exedescription pid process Token: SeDebugPrivilege 1208 1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe Token: SeImpersonatePrivilege 1208 1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe Token: SeTcbPrivilege 1604 svchost.exe Token: SeTcbPrivilege 1604 svchost.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
svchost.exedescription pid process target process PID 1604 wrote to memory of 376 1604 svchost.exe 1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe PID 1604 wrote to memory of 376 1604 svchost.exe 1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe PID 1604 wrote to memory of 376 1604 svchost.exe 1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe"C:\Users\Admin\AppData\Local\Temp\1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe"C:\Users\Admin\AppData\Local\Temp\1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory