Overview

overview

10

Static

static

d138d2e8b8...56.exe

windows7-x64

10

d138d2e8b8...56.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    184s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-07-2022 09:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d138d2e8b8db734a3454f3288604adea74946bab5350187e5bdd0b73e38a0956.exe

  • Size

    3.7MB

  • MD5

    ad2b83150300987958b84e85618c4b9f

  • SHA1

    960b6c9b85a010bd51aacbdb2c4750d8d47cba7b

  • SHA256

    d138d2e8b8db734a3454f3288604adea74946bab5350187e5bdd0b73e38a0956

  • SHA512

    9b83e40628f076ffc38ea4ecfc026e51be2f482cd7ebe6373bb389cf5dae218a8f788abc03f44c4e1c23500aa53ced9f733c68cddba1bc9abef408c692d0c8f1

Score
10/10
gluptebadropperevasionloaderpersistence

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 7 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 2 IoCs
    evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d138d2e8b8db734a3454f3288604adea74946bab5350187e5bdd0b73e38a0956.exe
    "C:\Users\Admin\AppData\Local\Temp\d138d2e8b8db734a3454f3288604adea74946bab5350187e5bdd0b73e38a0956.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3180
    • C:\Users\Admin\AppData\Local\Temp\d138d2e8b8db734a3454f3288604adea74946bab5350187e5bdd0b73e38a0956.exe
      "C:\Users\Admin\AppData\Local\Temp\d138d2e8b8db734a3454f3288604adea74946bab5350187e5bdd0b73e38a0956.exe"
      2⤵
      • Adds Run key to start application
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3588
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:4392
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1784
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:3684
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe ""
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        PID:2396
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\rss\csrss.exe
    Filesize

    3.7MB

    MD5

    ad2b83150300987958b84e85618c4b9f

    SHA1

    960b6c9b85a010bd51aacbdb2c4750d8d47cba7b

    SHA256

    d138d2e8b8db734a3454f3288604adea74946bab5350187e5bdd0b73e38a0956

    SHA512

    9b83e40628f076ffc38ea4ecfc026e51be2f482cd7ebe6373bb389cf5dae218a8f788abc03f44c4e1c23500aa53ced9f733c68cddba1bc9abef408c692d0c8f1

    Download Submit
  • C:\Windows\rss\csrss.exe
    Filesize

    3.7MB

    MD5

    ad2b83150300987958b84e85618c4b9f

    SHA1

    960b6c9b85a010bd51aacbdb2c4750d8d47cba7b

    SHA256

    d138d2e8b8db734a3454f3288604adea74946bab5350187e5bdd0b73e38a0956

    SHA512

    9b83e40628f076ffc38ea4ecfc026e51be2f482cd7ebe6373bb389cf5dae218a8f788abc03f44c4e1c23500aa53ced9f733c68cddba1bc9abef408c692d0c8f1

    Download Submit
  • memory/1784-141-0x0000000000000000-mapping.dmp
    Download
  • memory/2176-138-0x0000000000400000-0x0000000000B0A000-memory.dmp
    Filesize

    7.0MB

    Download
  • memory/2176-137-0x00000000028D3000-0x0000000002C77000-memory.dmp
    Filesize

    3.6MB

    Download
  • memory/2176-146-0x0000000000400000-0x0000000000B0A000-memory.dmp
    Filesize

    7.0MB

    Download
  • memory/2176-134-0x0000000000000000-mapping.dmp
    Download
  • memory/2396-143-0x0000000000000000-mapping.dmp
    Download
  • memory/2396-147-0x0000000002D00000-0x00000000030A4000-memory.dmp
    Filesize

    3.6MB

    Download
  • memory/2396-148-0x0000000000400000-0x0000000000B0A000-memory.dmp
    Filesize

    7.0MB

    Download
  • memory/3180-130-0x0000000002913000-0x0000000002CB7000-memory.dmp
    Filesize

    3.6MB

    Download
  • memory/3180-133-0x0000000000400000-0x0000000000B0A000-memory.dmp
    Filesize

    7.0MB

    Download
  • memory/3180-136-0x0000000000400000-0x0000000000B0A000-memory.dmp
    Filesize

    7.0MB

    Download
  • memory/3180-132-0x0000000002913000-0x0000000002CB7000-memory.dmp
    Filesize

    3.6MB

    Download
  • memory/3180-131-0x0000000002CC0000-0x00000000033AF000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3180-135-0x0000000002CC0000-0x00000000033AF000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3588-139-0x0000000000000000-mapping.dmp
    Download
  • memory/3684-142-0x0000000000000000-mapping.dmp
    Download
  • memory/4392-140-0x0000000000000000-mapping.dmp
    Download