glupteba | 1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b

General

Target

1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exe
Size

3.8MB
MD5

e66b0b2bb9191a0b029350e70314ed76
SHA1

10f1b8ceaaeb02d6c5d07db2c3feddcf07f1b452
SHA256

1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b
SHA512

33a49eafdf4959a97570984a1359c06c6a2f42500d1579c17f37593854c390592b36d0bf6ef68af3aee8fb4d20e14dcde7d865d1aa997b25787f72788fcfff0f

Score

10^/10

glupteba dropper evasion loader persistence

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2432-131-0x0000000001A00000-0x00000000020F5000-memory.dmp	family_glupteba
behavioral2/memory/2432-132-0x0000000000400000-0x0000000001019000-memory.dmp	family_glupteba
behavioral2/memory/4280-138-0x0000000000400000-0x0000000001019000-memory.dmp	family_glupteba

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 3692 created 2432 3692 svchost.exe 1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exe
Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

1252 csrss.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

description	pid	process	target process
PID 3692 created 2432	3692	svchost.exe	1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exe

pid	process
1252	csrss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WitheredPaper = "\"C:\\Windows\\rss\\csrss.exe\""	1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exe

Drops file in Windows directory 2 IoCs

Processes:

1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exe

description	ioc	process
File opened for modification	C:\Windows\rss	1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exe
File created	C:\Windows\rss\csrss.exe	1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exe1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exe

pid	process
2432	1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exe
2432	1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exe
4280	1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exe
4280	1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2432	1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exe
Token: SeImpersonatePrivilege	2432	1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exe
Token: SeTcbPrivilege	3692	svchost.exe
Token: SeTcbPrivilege	3692	svchost.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

svchost.exe1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.execmd.execmd.exe

description	pid	process	target process
PID 3692 wrote to memory of 4280	3692	svchost.exe	1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exe
PID 3692 wrote to memory of 4280	3692	svchost.exe	1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exe
PID 3692 wrote to memory of 4280	3692	svchost.exe	1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exe
PID 4280 wrote to memory of 960	4280	1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exe	cmd.exe
PID 4280 wrote to memory of 960	4280	1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exe	cmd.exe
PID 960 wrote to memory of 4076	960	cmd.exe	netsh.exe
PID 960 wrote to memory of 4076	960	cmd.exe	netsh.exe
PID 4280 wrote to memory of 2308	4280	1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exe	cmd.exe
PID 4280 wrote to memory of 2308	4280	1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exe	cmd.exe
PID 2308 wrote to memory of 4496	2308	cmd.exe	netsh.exe
PID 2308 wrote to memory of 4496	2308	cmd.exe	netsh.exe
PID 4280 wrote to memory of 1252	4280	1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exe	csrss.exe
PID 4280 wrote to memory of 1252	4280	1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exe	csrss.exe
PID 4280 wrote to memory of 1252	4280	1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exe
"C:\Users\Admin\AppData\Local\Temp\1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Users\Admin\AppData\Local\Temp\1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exe
"C:\Users\Admin\AppData\Local\Temp\1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b.exe"
2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4280

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\f02377ff5b23\f02377ff5b23\f02377ff5b23.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\f02377ff5b23\f02377ff5b23\f02377ff5b23.exe" enable=yes
4⤵
PID:4496

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
- Executes dropped EXE
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\rss\csrss.exe
Filesize
3.8MB

MD5
e66b0b2bb9191a0b029350e70314ed76

SHA1
10f1b8ceaaeb02d6c5d07db2c3feddcf07f1b452

SHA256
1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b

SHA512
33a49eafdf4959a97570984a1359c06c6a2f42500d1579c17f37593854c390592b36d0bf6ef68af3aee8fb4d20e14dcde7d865d1aa997b25787f72788fcfff0f

Download Submit
C:\Windows\rss\csrss.exe
Filesize
3.8MB

MD5
e66b0b2bb9191a0b029350e70314ed76

SHA1
10f1b8ceaaeb02d6c5d07db2c3feddcf07f1b452

SHA256
1352f3f536e19bfe7372ed68f212905471d5b1d00612dcffd6bb062bd2e5180b

SHA512
33a49eafdf4959a97570984a1359c06c6a2f42500d1579c17f37593854c390592b36d0bf6ef68af3aee8fb4d20e14dcde7d865d1aa997b25787f72788fcfff0f

Download Submit
memory/960-134-0x0000000000000000-mapping.dmp

Download
memory/1252-140-0x0000000000000000-mapping.dmp

Download
memory/2308-137-0x0000000000000000-mapping.dmp

Download
memory/2432-131-0x0000000001A00000-0x00000000020F5000-memory.dmp

Filesize
7.0MB

Download
memory/2432-132-0x0000000000400000-0x0000000001019000-memory.dmp

Filesize
12.1MB

Download
memory/2432-130-0x0000000001656000-0x00000000019FC000-memory.dmp

Filesize
3.6MB

Download
memory/4076-135-0x0000000000000000-mapping.dmp

Download
memory/4280-136-0x00000000012B9000-0x000000000165F000-memory.dmp

Filesize
3.6MB

Download
memory/4280-138-0x0000000000400000-0x0000000001019000-memory.dmp

Filesize
12.1MB

Download
memory/4280-133-0x0000000000000000-mapping.dmp

Download
memory/4496-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads