Analysis
- max time kernel: 40s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 07:03
- Static task: static1
- Behavioral task: behavioral1
- Sample: bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe
- Resource: win7-20220414-en
General
- Target: bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe
- Size: 3.8MB
- MD5: 8c3064332c06033b41fa36b82aa425b5
- SHA1: 331a6343c6fbe5c5e22944f104bd86cb11c80d97
- SHA256: bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8
- SHA512: a53755532b237d3bb1ac5f1ad89adec66edae8ca913a1de433fdb46fbe4c7681643d6d9efa8174bed300ac60edf12bda34d36e148e2b543741a0a10ef17d8e01
Malware Config
Signatures
- Glupteba Payload (3 IoCs)
  Processes (resource | yara_rule):
  behavioral1/memory/1108-56-0x00000000039A0000-0x0000000004092000-memory.dmp | family_glupteba
  behavioral1/memory/1108-57-0x0000000000400000-0x000000000314A000-memory.dmp | family_glupteba
  behavioral1/memory/2020-60-0x0000000000400000-0x000000000314A000-memory.dmp | family_glupteba
- Modifies Windows Firewall (1 TTPs)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
  1108 | bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe
  2020 | bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1108 | bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe
  Token: SeImpersonatePrivilege | 1108 | bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description | pid | process | target process):
  PID 2020 wrote to memory of 1688 | 2020 | bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe | cmd.exe
  PID 2020 wrote to memory of 1688 | 2020 | bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe | cmd.exe
  PID 2020 wrote to memory of 1688 | 2020 | bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe | cmd.exe
  PID 2020 wrote to memory of 1688 | 2020 | bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe | cmd.exe
  PID 1688 wrote to memory of 1644 | 1688 | cmd.exe | netsh.exe
  PID 1688 wrote to memory of 1644 | 1688 | cmd.exe | netsh.exe
  PID 1688 wrote to memory of 1644 | 1688 | cmd.exe | netsh.exe
Processes (indentation shows the process tree; the number is the nesting depth)
- depth 1: C:\Users\Admin\AppData\Local\Temp\bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - depth 2: C:\Users\Admin\AppData\Local\Temp\bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - depth 3: C:\Windows\system32\cmd.exe
      command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      - Suspicious use of WriteProcessMemory
      - depth 4: C:\Windows\system32\netsh.exe
        command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
    - depth 3: C:\Windows\rss\csrss.exe
      command line: C:\Windows\rss\csrss.exe ""
- depth 1: C:\Windows\system32\makecab.exe
  command line: "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220520100103.log C:\Windows\Logs\CBS\CbsPersist_20220520100103.cab
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\rss\csrss.exe
  Filesize: 2.8MB
  MD5: f65b4348b6f8fb2a9e91d3619619746b
  SHA1: 13dc66df6102b790f5ec5268dac0e95b8c8d3e96
  SHA256: 71d52f5a6613907d4078cb8ed8fdf00afa3b7e11f8482fc544f1ad1edb442550
  SHA512: 4a24efa39ed9b210f1c107302a25d0c0836d9998cb98a1bd8b4276ffbcb18849d2b8ab413a4442ff5611948fa2626fed90bc7c735ba78dd0e876670a815d513a
- \Windows\rss\csrss.exe
  Filesize: 2.9MB
  MD5: f7fadbc3a600bb9d632fe4af86b21717
  SHA1: 20a3a1cd5872b9b9784436376e1ff91979548387
  SHA256: 2b555355a52da6b91ccd78ade59fef7969203f1ee4ec94f837e17a9e23164ebe
  SHA512: 5dc551116032d38ffd4985af4228776c77a04f84f468a19834ede5b21eb4fdc7a3fb9466d1c7cfc387bc2dc9b96c00e912379bfe68bdd9cee152a06bbad30c80
- \Windows\rss\csrss.exe
  Filesize: 2.8MB
  MD5: f65b4348b6f8fb2a9e91d3619619746b
  SHA1: 13dc66df6102b790f5ec5268dac0e95b8c8d3e96
  SHA256: 71d52f5a6613907d4078cb8ed8fdf00afa3b7e11f8482fc544f1ad1edb442550
  SHA512: 4a24efa39ed9b210f1c107302a25d0c0836d9998cb98a1bd8b4276ffbcb18849d2b8ab413a4442ff5611948fa2626fed90bc7c735ba78dd0e876670a815d513a
- memory/860-68-0x00000000031C0000-0x0000000003565000-memory.dmp
  Filesize: 3.6MB
- memory/860-66-0x0000000000000000-mapping.dmp
- memory/1108-54-0x00000000035F0000-0x0000000003995000-memory.dmp
  Filesize: 3.6MB
- memory/1108-55-0x00000000035F0000-0x0000000003995000-memory.dmp
  Filesize: 3.6MB
- memory/1108-56-0x00000000039A0000-0x0000000004092000-memory.dmp
  Filesize: 6.9MB
- memory/1108-57-0x0000000000400000-0x000000000314A000-memory.dmp
  Filesize: 45.3MB
- memory/1644-63-0x000007FEFBF21000-0x000007FEFBF23000-memory.dmp
  Filesize: 8KB
- memory/1644-62-0x0000000000000000-mapping.dmp
- memory/1688-61-0x0000000000000000-mapping.dmp
- memory/2020-60-0x0000000000400000-0x000000000314A000-memory.dmp
  Filesize: 45.3MB
- memory/2020-59-0x00000000032E0000-0x0000000003685000-memory.dmp
  Filesize: 3.6MB
- memory/2020-58-0x00000000032E0000-0x0000000003685000-memory.dmp
  Filesize: 3.6MB