General

Target:    bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe
Filesize:  3MB
Completed: 20-05-2022 08:03
Task:      behavioral1
Score:     10/10
MD5:       8c3064332c06033b41fa36b82aa425b5
SHA1:      331a6343c6fbe5c5e22944f104bd86cb11c80d97
SHA256:    bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8
SHA512:    a53755532b237d3bb1ac5f1ad89adec66edae8ca913a1de433fdb46fbe4c7681643d6d9efa8174bed300ac60edf12bda34d36e148e2b543741a0a10ef17d8e01

Malware Config
Signatures 6

Persistence
  • Glupteba

    Description

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba Payload

    Reported IOCs

    resource                                                                     yara_rule
    behavioral1/memory/1108-56-0x00000000039A0000-0x0000000004092000-memory.dmp  family_glupteba
    behavioral1/memory/1108-57-0x0000000000400000-0x000000000314A000-memory.dmp  family_glupteba
    behavioral1/memory/2020-60-0x0000000000400000-0x000000000314A000-memory.dmp  family_glupteba

  • Modifies Windows Firewall

    Tags

    TTPs

    Modify Existing Service

  • Suspicious behavior: EnumeratesProcesses
    bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe
    bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe

    Reported IOCs

    pid   process
    1108  bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe
    2020  bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe

  • Suspicious use of AdjustPrivilegeToken
    bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe

    Reported IOCs

    description                    pid   process
    Token: SeDebugPrivilege        1108  bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe
    Token: SeImpersonatePrivilege  1108  bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe

  • Suspicious use of WriteProcessMemory
    bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe
    cmd.exe

    Reported IOCs

    description                       pid   process                                                                target process
    PID 2020 wrote to memory of 1688  2020  bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe  cmd.exe
    PID 2020 wrote to memory of 1688  2020  bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe  cmd.exe
    PID 2020 wrote to memory of 1688  2020  bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe  cmd.exe
    PID 2020 wrote to memory of 1688  2020  bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe  cmd.exe
    PID 1688 wrote to memory of 1644  1688  cmd.exe                                                                netsh.exe
    PID 1688 wrote to memory of 1644  1688  cmd.exe                                                                netsh.exe
    PID 1688 wrote to memory of 1644  1688  cmd.exe                                                                netsh.exe
Processes 6
  • C:\Users\Admin\AppData\Local\Temp\bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe
    "C:\Users\Admin\AppData\Local\Temp\bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe"
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    PID:1108
    • C:\Users\Admin\AppData\Local\Temp\bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe
      "C:\Users\Admin\AppData\Local\Temp\bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        Suspicious use of WriteProcessMemory
        PID:1688
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          PID:1644
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe ""
        PID:860
  • C:\Windows\system32\makecab.exe
    "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220520100103.log C:\Windows\Logs\CBS\CbsPersist_20220520100103.cab
    PID:608
Network
MITRE ATT&CK Matrix
  Collection | Command and Control | Credential Access | Defense Evasion | Discovery | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Privilege Escalation

Downloads
  • C:\Windows\rss\csrss.exe
    MD5:    f65b4348b6f8fb2a9e91d3619619746b
    SHA1:   13dc66df6102b790f5ec5268dac0e95b8c8d3e96
    SHA256: 71d52f5a6613907d4078cb8ed8fdf00afa3b7e11f8482fc544f1ad1edb442550
    SHA512: 4a24efa39ed9b210f1c107302a25d0c0836d9998cb98a1bd8b4276ffbcb18849d2b8ab413a4442ff5611948fa2626fed90bc7c735ba78dd0e876670a815d513a

  • \Windows\rss\csrss.exe
    MD5:    f7fadbc3a600bb9d632fe4af86b21717
    SHA1:   20a3a1cd5872b9b9784436376e1ff91979548387
    SHA256: 2b555355a52da6b91ccd78ade59fef7969203f1ee4ec94f837e17a9e23164ebe
    SHA512: 5dc551116032d38ffd4985af4228776c77a04f84f468a19834ede5b21eb4fdc7a3fb9466d1c7cfc387bc2dc9b96c00e912379bfe68bdd9cee152a06bbad30c80

  • \Windows\rss\csrss.exe
    MD5:    f65b4348b6f8fb2a9e91d3619619746b
    SHA1:   13dc66df6102b790f5ec5268dac0e95b8c8d3e96
    SHA256: 71d52f5a6613907d4078cb8ed8fdf00afa3b7e11f8482fc544f1ad1edb442550
    SHA512: 4a24efa39ed9b210f1c107302a25d0c0836d9998cb98a1bd8b4276ffbcb18849d2b8ab413a4442ff5611948fa2626fed90bc7c735ba78dd0e876670a815d513a

  • memory/860-68-0x00000000031C0000-0x0000000003565000-memory.dmp
  • memory/860-66-0x0000000000000000-mapping.dmp
  • memory/1108-56-0x00000000039A0000-0x0000000004092000-memory.dmp
  • memory/1108-57-0x0000000000400000-0x000000000314A000-memory.dmp
  • memory/1108-55-0x00000000035F0000-0x0000000003995000-memory.dmp
  • memory/1108-54-0x00000000035F0000-0x0000000003995000-memory.dmp
  • memory/1644-63-0x000007FEFBF21000-0x000007FEFBF23000-memory.dmp
  • memory/1644-62-0x0000000000000000-mapping.dmp
  • memory/1688-61-0x0000000000000000-mapping.dmp
  • memory/2020-60-0x0000000000400000-0x000000000314A000-memory.dmp
  • memory/2020-59-0x00000000032E0000-0x0000000003685000-memory.dmp
  • memory/2020-58-0x00000000032E0000-0x0000000003685000-memory.dmp