glupteba | cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15

Analysis

max time kernel
105s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20220722-en
resource tags

arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2022 17:22

Target

cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exe
Size

5.1MB
MD5

bb1d7230fb4b22c827436a7dd76cf63f
SHA1

d74525bfa6e970e2f9bc74ec35d5755473160720
SHA256

cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15
SHA512

1d03ba3a54253f3ec0cecaccd1bd92d4737c847d0d3aaff8139f5573774458ed35057122ef27c1082c1b0b27cb6a463aa88731e39fd519bf6de39df21b68e68e

Score

10^/10

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4732-133-0x0000000000400000-0x0000000000AE9000-memory.dmp	family_glupteba
behavioral2/memory/4732-135-0x0000000000400000-0x0000000000AE9000-memory.dmp	family_glupteba

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 4456 created 4732 4456 svchost.exe cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exe

description	pid	process	target process
PID 4456 created 4732	4456	svchost.exe	cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exe

pid	process
4732	cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exe
4732	cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exe
4732	cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exe
4732	cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exe
4732	cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exe
4732	cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exe
4732	cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exe
4732	cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4732	cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exe
Token: SeImpersonatePrivilege	4732	cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exe
Token: SeTcbPrivilege	4456	svchost.exe
Token: SeTcbPrivilege	4456	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 4456 wrote to memory of 3112	4456	svchost.exe	cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exe
PID 4456 wrote to memory of 3112	4456	svchost.exe	cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exe
PID 4456 wrote to memory of 3112	4456	svchost.exe	cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exe

C:\Users\Admin\AppData\Local\Temp\cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exe
"C:\Users\Admin\AppData\Local\Temp\cb934d88760dd5dd7c103eb1de62afb9dfea2bd717aba016d21373224cfffd15.exe"
2⤵
PID:3112

memory/3112-134-0x0000000000000000-mapping.dmp

Download
memory/4732-132-0x0000000002C22000-0x0000000002FB9000-memory.dmp

Filesize
3.6MB

Download
memory/4732-133-0x0000000000400000-0x0000000000AE9000-memory.dmp

Filesize
6.9MB

Download
memory/4732-135-0x0000000000400000-0x0000000000AE9000-memory.dmp

Filesize
6.9MB

Download