Analysis

  • max time kernel
    140s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-05-2022 02:48

General

  • Target

    97a9ca08fee98a34adfdb1e8e19559bff624bd7d094b2cd80c9629b7a426440d.exe

  • Size

    3.8MB

  • MD5

    6b25f01b08dada97878d7a7409b4c100

  • SHA1

    cc411194050b944d1a88223adaa76b99878c183c

  • SHA256

    97a9ca08fee98a34adfdb1e8e19559bff624bd7d094b2cd80c9629b7a426440d

  • SHA512

    b27dc0e29fb4f979647220072bdf3e05f51a022aa119a5fe24d6fbcdc357dc865f42eaae72791220b1bd71e5e94d72b0bbfb6fe7074e2a13a67e9f27bfe42427

Score
10/10

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba Payload 4 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\97a9ca08fee98a34adfdb1e8e19559bff624bd7d094b2cd80c9629b7a426440d.exe
    "C:\Users\Admin\AppData\Local\Temp\97a9ca08fee98a34adfdb1e8e19559bff624bd7d094b2cd80c9629b7a426440d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Users\Admin\AppData\Local\Temp\97a9ca08fee98a34adfdb1e8e19559bff624bd7d094b2cd80c9629b7a426440d.exe
      "C:\Users\Admin\AppData\Local\Temp\97a9ca08fee98a34adfdb1e8e19559bff624bd7d094b2cd80c9629b7a426440d.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:116
      • C:\Users\Admin\AppData\Local\Temp\97a9ca08fee98a34adfdb1e8e19559bff624bd7d094b2cd80c9629b7a426440d.exe
        "C:\Users\Admin\AppData\Local\Temp\97a9ca08fee98a34adfdb1e8e19559bff624bd7d094b2cd80c9629b7a426440d.exe"
        3⤵
        PID:1892
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1048

    Downloads

    • memory/116-132-0x0000000000000000-mapping.dmp
    • memory/116-133-0x0000000000400000-0x0000000000B0F000-memory.dmp (Filesize: 7.1MB)
    • memory/116-135-0x0000000000400000-0x0000000000B0F000-memory.dmp (Filesize: 7.1MB)
    • memory/116-136-0x0000000000400000-0x0000000000B0F000-memory.dmp (Filesize: 7.1MB)
    • memory/1892-137-0x0000000000000000-mapping.dmp
    • memory/1928-130-0x0000000002950000-0x0000000002CF6000-memory.dmp (Filesize: 3.6MB)
    • memory/1928-131-0x0000000002D00000-0x00000000033F5000-memory.dmp (Filesize: 7.0MB)