Analysis
- max time kernel: 105s
- max time network: 107s
- platform: windows10-2004_x64
- resource: win10v2004-20220722-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-07-2022 17:22
- Static task: static1
- Behavioral task: behavioral1
- Sample: cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exe
- Resource: win7-20220715-en (windows7-x64)
- 15 signatures
- 150 seconds
General
- Target: cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exe
- Size: 5.1MB
- MD5: bb1d7230fb4b22c827436a7dd76cf63f
- SHA1: d74525bfa6e970e2f9bc74ec35d5755473160720
- SHA256: cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15
- SHA512: 1d03ba3a54253f3ec0cecaccd1bd92d4737c847d0d3aaff8139f5573774458ed35057122ef27c1082c1b0b27cb6a463aa88731e39fd519bf6de39df21b68e68e
Malware Config
(none extracted)

Signatures
- Glupteba payload (2 IoCs)
  resource / yara_rule:
  - behavioral2/memory/4732-133-0x0000000000400000-0x0000000000AE9000-memory.dmp: family_glupteba
  - behavioral2/memory/4732-135-0x0000000000400000-0x0000000000AE9000-memory.dmp: family_glupteba
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description / pid / process / target process:
  - PID 4456 created 4732 / 4456 / svchost.exe / cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid / process:
  - 4732 / cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exe (8 occurrences)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description / pid / process:
  - Token: SeDebugPrivilege / 4732 / cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exe
  - Token: SeImpersonatePrivilege / 4732 / cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exe
  - Token: SeTcbPrivilege / 4456 / svchost.exe
  - Token: SeTcbPrivilege / 4456 / svchost.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description / pid / process / target process:
  - PID 4456 wrote to memory of 3112 / 4456 / svchost.exe / cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exe (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exe (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exe"
- C:\Windows\system32\svchost.exe (level 1)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix
Downloads
- memory/3112-134-0x0000000000000000-mapping.dmp
- memory/4732-132-0x0000000002C22000-0x0000000002FB9000-memory.dmp (filesize: 3.6MB)
- memory/4732-133-0x0000000000400000-0x0000000000AE9000-memory.dmp (filesize: 6.9MB)
- memory/4732-135-0x0000000000400000-0x0000000000AE9000-memory.dmp (filesize: 6.9MB)