Analysis
- max time kernel: 165s
- max time network: 188s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 24-05-2022 19:48
Static task: static1
Behavioral task: behavioral1
- Sample: 491ebb5503b8c775001c514f3e07a368cb59c8955262e7423f1347bc836414c7.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 491ebb5503b8c775001c514f3e07a368cb59c8955262e7423f1347bc836414c7.exe
- Resource: win10v2004-20220414-en
General
- Target: 491ebb5503b8c775001c514f3e07a368cb59c8955262e7423f1347bc836414c7.exe
- Size: 3.8MB
- MD5: 9123f319c3564a94e30c1d9476ae299d
- SHA1: 29297f78a72d860abe5aa31999d36a8dfe7324bc
- SHA256: 491ebb5503b8c775001c514f3e07a368cb59c8955262e7423f1347bc836414c7
- SHA512: 159ce7aaf5cd7ddf6da8d5c206867463fb4cca059ea1463f932183d7070bf23a60afee9390716ed1af788d1b0c7465ad5d4fad8dd59a688d98b9b5975deac557
Malware Config
Signatures
- Glupteba Payload (4 IoCs)
  resource | yara_rule
  behavioral2/memory/3048-131-0x0000000001790000-0x0000000001E85000-memory.dmp | family_glupteba
  behavioral2/memory/3048-132-0x0000000000400000-0x0000000001019000-memory.dmp | family_glupteba
  behavioral2/memory/3360-135-0x0000000001790000-0x0000000001E85000-memory.dmp | family_glupteba
  behavioral2/memory/3360-136-0x0000000000400000-0x0000000001019000-memory.dmp | family_glupteba
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description | pid | process | target process
  PID 2592 created 3048 | 2592 | svchost.exe | 491ebb5503b8c775001c514f3e07a368cb59c8955262e7423f1347bc836414c7.exe
- Executes dropped EXE (1 IoC)
  pid | process
  2192 | csrss.exe
- Modifies Windows Firewall (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PurpleWaterfall = "\"C:\\Windows\\rss\\csrss.exe\"" | 491ebb5503b8c775001c514f3e07a368cb59c8955262e7423f1347bc836414c7.exe
- Drops file in Windows directory (2 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\rss | 491ebb5503b8c775001c514f3e07a368cb59c8955262e7423f1347bc836414c7.exe
  File created | C:\Windows\rss\csrss.exe | 491ebb5503b8c775001c514f3e07a368cb59c8955262e7423f1347bc836414c7.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | process
  3048 | 491ebb5503b8c775001c514f3e07a368cb59c8955262e7423f1347bc836414c7.exe
  3048 | 491ebb5503b8c775001c514f3e07a368cb59c8955262e7423f1347bc836414c7.exe
  3360 | 491ebb5503b8c775001c514f3e07a368cb59c8955262e7423f1347bc836414c7.exe
  3360 | 491ebb5503b8c775001c514f3e07a368cb59c8955262e7423f1347bc836414c7.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 3048 | 491ebb5503b8c775001c514f3e07a368cb59c8955262e7423f1347bc836414c7.exe
  Token: SeImpersonatePrivilege | 3048 | 491ebb5503b8c775001c514f3e07a368cb59c8955262e7423f1347bc836414c7.exe
  Token: SeTcbPrivilege | 2592 | svchost.exe
  Token: SeTcbPrivilege | 2592 | svchost.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | process | target process
  PID 2592 wrote to memory of 3360 | 2592 | svchost.exe | 491ebb5503b8c775001c514f3e07a368cb59c8955262e7423f1347bc836414c7.exe
  PID 2592 wrote to memory of 3360 | 2592 | svchost.exe | 491ebb5503b8c775001c514f3e07a368cb59c8955262e7423f1347bc836414c7.exe
  PID 2592 wrote to memory of 3360 | 2592 | svchost.exe | 491ebb5503b8c775001c514f3e07a368cb59c8955262e7423f1347bc836414c7.exe
  PID 3360 wrote to memory of 1460 | 3360 | 491ebb5503b8c775001c514f3e07a368cb59c8955262e7423f1347bc836414c7.exe | cmd.exe
  PID 3360 wrote to memory of 1460 | 3360 | 491ebb5503b8c775001c514f3e07a368cb59c8955262e7423f1347bc836414c7.exe | cmd.exe
  PID 1460 wrote to memory of 3956 | 1460 | cmd.exe | netsh.exe
  PID 1460 wrote to memory of 3956 | 1460 | cmd.exe | netsh.exe
  PID 3360 wrote to memory of 3236 | 3360 | 491ebb5503b8c775001c514f3e07a368cb59c8955262e7423f1347bc836414c7.exe | cmd.exe
  PID 3360 wrote to memory of 3236 | 3360 | 491ebb5503b8c775001c514f3e07a368cb59c8955262e7423f1347bc836414c7.exe | cmd.exe
  PID 3236 wrote to memory of 4624 | 3236 | cmd.exe | netsh.exe
  PID 3236 wrote to memory of 4624 | 3236 | cmd.exe | netsh.exe
  PID 3360 wrote to memory of 2192 | 3360 | 491ebb5503b8c775001c514f3e07a368cb59c8955262e7423f1347bc836414c7.exe | csrss.exe
  PID 3360 wrote to memory of 2192 | 3360 | 491ebb5503b8c775001c514f3e07a368cb59c8955262e7423f1347bc836414c7.exe | csrss.exe
  PID 3360 wrote to memory of 2192 | 3360 | 491ebb5503b8c775001c514f3e07a368cb59c8955262e7423f1347bc836414c7.exe | csrss.exe
Processes (indentation shows the process tree)
- C:\Users\Admin\AppData\Local\Temp\491ebb5503b8c775001c514f3e07a368cb59c8955262e7423f1347bc836414c7.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\491ebb5503b8c775001c514f3e07a368cb59c8955262e7423f1347bc836414c7.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\491ebb5503b8c775001c514f3e07a368cb59c8955262e7423f1347bc836414c7.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\491ebb5503b8c775001c514f3e07a368cb59c8955262e7423f1347bc836414c7.exe"
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\cmd.exe
          command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
          - Suspicious use of WriteProcessMemory
            - C:\Windows\system32\netsh.exe
              command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        - C:\Windows\system32\cmd.exe
          command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\83876a664c4b\83876a664c4b\83876a664c4b.exe" enable=yes"
          - Suspicious use of WriteProcessMemory
            - C:\Windows\system32\netsh.exe
              command line: netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\83876a664c4b\83876a664c4b\83876a664c4b.exe" enable=yes
        - C:\Windows\rss\csrss.exe
          command line: C:\Windows\rss\csrss.exe ""
          - Executes dropped EXE
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
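The three host artefacts that survive a reboot in this report are the Run value PurpleWaterfall pointing at C:\Windows\rss\csrss.exe, the dropped csrss.exe itself (a system binary name outside System32), and two inbound netsh advfirewall allow-rules for programs under C:\Windows\rss and the user's AppData\Roaming. The script below is an added example of turning those into detection logic; it is not part of the sandbox report or of any vendor's rule set. It runs over constructed Sysmon-style event dictionaries (the field names event/key/data/cmdline/path are this example's own convention, not Sysmon's schema) that mirror the report's IoCs plus two constructed benign negatives, and the trusted-directory allowlist and system-binary name list are assumptions to tune per environment.

```python
"""Detection checks for the Run-key, dropped-binary and firewall-rule IoCs shown above.

Event records are constructed dictionaries mirroring the report; field names are
this example's own convention (not Sysmon's XML schema).
"""
import re
from dataclasses import dataclass

# Directories an auto-start entry or an inbound firewall allow-rule is expected to
# point at. Assumed allowlist; tune it per estate.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# System binary names that dropped payloads borrow (the report's C:\Windows\rss\csrss.exe).
# Assumed list, not exhaustive.
SYSTEM_BINARY_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "smss.exe", "winlogon.exe", "wininit.exe"}

# key=value or key="quoted value" pairs as netsh advfirewall accepts them.
NETSH_ARG = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Alert:
    rule: str
    detail: str


def norm(path):
    """Lower-case, strip quotes and unify separators so prefix checks are reliable."""
    return path.strip().strip('"').replace("/", "\\").lower()


def is_trusted(path):
    return norm(path).startswith(TRUSTED_PREFIXES)


def first_token(cmdline):
    """Program path from a command line: the quoted first token, else the first space-delimited one."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(None, 1)[0] if s else ""


def parse_netsh_rule(cmdline):
    """Arguments of a 'netsh advfirewall firewall add rule' command as a dict, or None.
    Works on the netsh.exe line itself and on the cmd.exe /C "..." wrapper seen in the report."""
    low = cmdline.lower()
    if "advfirewall" not in low or "add rule" not in low:
        return None
    return {k.lower(): (q or u).strip('"') for k, q, u in NETSH_ARG.findall(cmdline)}


def masquerade_alerts(path):
    """A system-binary name living outside the trusted system directories."""
    name = norm(path).rsplit("\\", 1)[-1]
    if name in SYSTEM_BINARY_NAMES and not is_trusted(path):
        return [Alert("system_binary_name_outside_system32", path)]
    return []


def check_registry_set(event):
    """Run/RunOnce value whose target is outside a trusted directory (the PurpleWaterfall entry)."""
    if "\\currentversion\\run" not in event.get("key", "").lower():
        return []
    target = first_token(event.get("data", ""))
    alerts = []
    if target and not is_trusted(target):
        alerts.append(Alert("run_key_untrusted_path", f"{event['key']} -> {target}"))
    return alerts + masquerade_alerts(target)


def check_process_create(event):
    """netsh advfirewall allow-rule whose program lives outside trusted directories."""
    rule = parse_netsh_rule(event.get("cmdline", ""))
    if not rule or rule.get("action", "").lower() != "allow":
        return []
    program = rule.get("program", "")
    if program and not is_trusted(program):
        return [Alert("firewall_allow_untrusted_program",
                      f"name={rule.get('name')} dir={rule.get('dir')} program={program}")]
    return []


def check_file_create(event):
    return masquerade_alerts(event.get("path", ""))


CHECKS = {"registry_set": check_registry_set, "process_create": check_process_create,
          "file_create": check_file_create}


def scan(events):
    """Run every applicable check over a sequence of event dicts and collect the alerts."""
    alerts = []
    for ev in events:
        alerts.extend(CHECKS.get(ev.get("event"), lambda e: [])(ev))
    return alerts


# Constructed events: the first four mirror the report's IoCs, the last two are benign negatives.
SAMPLE_EVENTS = [
    {"event": "registry_set",
     "key": "HKU\\S-1-5-21-3751123196-3323558407-1869646069-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\PurpleWaterfall",
     "data": '"C:\\Windows\\rss\\csrss.exe"'},
    {"event": "file_create", "path": "C:\\Windows\\rss\\csrss.exe"},
    {"event": "process_create",
     "cmdline": 'C:\\Windows\\Sysnative\\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in '
                'action=allow program="C:\\Windows\\rss\\csrss.exe" enable=yes"'},
    {"event": "process_create",
     "cmdline": 'netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow '
                'program="C:\\Users\\Admin\\AppData\\Roaming\\83876a664c4b\\83876a664c4b\\83876a664c4b.exe" enable=yes'},
    {"event": "registry_set", "key": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "data": '"C:\\Program Files\\Example Vendor\\updater.exe" /background'},
    {"event": "process_create",
     "cmdline": 'netsh advfirewall firewall add rule name="Example" dir=in action=allow '
                'program="C:\\Program Files\\Example Vendor\\agent.exe" enable=yes'},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

Two details of the tree are worth keeping in mind when writing parent-child rules for this sample. The cmd.exe path is C:\Windows\Sysnative\cmd.exe, the WoW64 alias through which a 32-bit process reaches the 64-bit System32, so the child image resolves to C:\Windows\system32\cmd.exe while the parent is 32-bit. And the second instance of the sample (PID 3360) is spawned by the Secondary Logon service host (svchost.exe -s seclogon), which is what a process created through CreateProcessWithLogonW or CreateProcessWithTokenW looks like; a rule keyed only on the sample's own image as the creating parent will miss that hop, which is why the report tags it as NtCreateUserProcessOtherParentProcess.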
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\rss\csrss.exe
  Filesize: 3.8MB
  MD5: 9123f319c3564a94e30c1d9476ae299d
  SHA1: 29297f78a72d860abe5aa31999d36a8dfe7324bc
  SHA256: 491ebb5503b8c775001c514f3e07a368cb59c8955262e7423f1347bc836414c7
  SHA512: 159ce7aaf5cd7ddf6da8d5c206867463fb4cca059ea1463f932183d7070bf23a60afee9390716ed1af788d1b0c7465ad5d4fad8dd59a688d98b9b5975deac557
  (all four hashes match the submitted sample: the dropped csrss.exe is a byte-for-byte copy of the original executable, so a hash-based block on the sample also covers the persisted copy)
- memory/1460-137-0x0000000000000000-mapping.dmp
- memory/2192-141-0x0000000000000000-mapping.dmp
- memory/3048-131-0x0000000001790000-0x0000000001E85000-memory.dmp (7.0MB)
- memory/3048-132-0x0000000000400000-0x0000000001019000-memory.dmp (12.1MB)
- memory/3048-130-0x00000000013DE000-0x0000000001784000-memory.dmp (3.6MB)
- memory/3236-139-0x0000000000000000-mapping.dmp
- memory/3360-133-0x0000000000000000-mapping.dmp
- memory/3360-136-0x0000000000400000-0x0000000001019000-memory.dmp (12.1MB)
- memory/3360-135-0x0000000001790000-0x0000000001E85000-memory.dmp (7.0MB)
- memory/3360-134-0x00000000013E9000-0x000000000178F000-memory.dmp (3.6MB)
- memory/3956-138-0x0000000000000000-mapping.dmp
- memory/4624-140-0x0000000000000000-mapping.dmp