Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    107s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-09-2022 01:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    590cac9fc69bf7d12bf7ab7de907b00b9a1da0ed23f68ff536b75796c10ca6c7.exe

  • Size

    4.1MB

  • MD5

    1f788878ba94f192dbe2b03164d7091c

  • SHA1

    d6138b8c42969871d22cbe2770396908f23961e0

  • SHA256

    590cac9fc69bf7d12bf7ab7de907b00b9a1da0ed23f68ff536b75796c10ca6c7

  • SHA512

    2dc4ce062a51768bd5272605750cc04358eb53a69f10c247721ecb469bd7b2475d3e5be059210b512de45af18fcf74e3beff356e053a97eb1afb556090fa1300

  • SSDEEP

    98304:LBYslVgY6kBPq4RNwR/5EIbtUSupLH82MKeaS40Kh:Ndo4Rap5EIbjuQkh

Score
10/10
gluptebadropperevasionloaderpersistence

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\590cac9fc69bf7d12bf7ab7de907b00b9a1da0ed23f68ff536b75796c10ca6c7.exe
    "C:\Users\Admin\AppData\Local\Temp\590cac9fc69bf7d12bf7ab7de907b00b9a1da0ed23f68ff536b75796c10ca6c7.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3716
    • C:\Users\Admin\AppData\Local\Temp\590cac9fc69bf7d12bf7ab7de907b00b9a1da0ed23f68ff536b75796c10ca6c7.exe
      "C:\Users\Admin\AppData\Local\Temp\590cac9fc69bf7d12bf7ab7de907b00b9a1da0ed23f68ff536b75796c10ca6c7.exe"
      2⤵
      • Adds Run key to start application
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1016
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4256
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:3992
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        PID:2200
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 860
        3⤵
        • Program crash
        PID:3620
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 896
      2⤵
      • Program crash
      PID:2976
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1568
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3716 -ip 3716
    1⤵
      PID:4548
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1016 -ip 1016
      1⤵
        PID:4920

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\rss\csrss.exe
        Filesize

        4.1MB

        MD5

        1f788878ba94f192dbe2b03164d7091c

        SHA1

        d6138b8c42969871d22cbe2770396908f23961e0

        SHA256

        590cac9fc69bf7d12bf7ab7de907b00b9a1da0ed23f68ff536b75796c10ca6c7

        SHA512

        2dc4ce062a51768bd5272605750cc04358eb53a69f10c247721ecb469bd7b2475d3e5be059210b512de45af18fcf74e3beff356e053a97eb1afb556090fa1300

        Download Submit

      • C:\Windows\rss\csrss.exe
        Filesize

        4.1MB

        MD5

        1f788878ba94f192dbe2b03164d7091c

        SHA1

        d6138b8c42969871d22cbe2770396908f23961e0

        SHA256

        590cac9fc69bf7d12bf7ab7de907b00b9a1da0ed23f68ff536b75796c10ca6c7

        SHA512

        2dc4ce062a51768bd5272605750cc04358eb53a69f10c247721ecb469bd7b2475d3e5be059210b512de45af18fcf74e3beff356e053a97eb1afb556090fa1300

        Download Submit

      • memory/1016-139-0x0000000002A1C000-0x0000000002E05000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/1016-144-0x0000000000400000-0x0000000000C91000-memory.dmp

        Filesize

        8.6MB

        Download

      • memory/1016-135-0x0000000000000000-mapping.dmp

        Download

      • memory/1016-140-0x0000000000400000-0x0000000000C91000-memory.dmp

        Filesize

        8.6MB

        Download

      • memory/2200-141-0x0000000000000000-mapping.dmp

        Download

      • memory/3716-132-0x0000000002C1F000-0x0000000003008000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/3716-136-0x0000000000400000-0x0000000000C91000-memory.dmp

        Filesize

        8.6MB

        Download

      • memory/3716-134-0x0000000000400000-0x0000000000C91000-memory.dmp

        Filesize

        8.6MB

        Download

      • memory/3716-133-0x0000000003010000-0x0000000003886000-memory.dmp

        Filesize

        8.5MB

        Download

      • memory/3992-138-0x0000000000000000-mapping.dmp

        Download

      • memory/4256-137-0x0000000000000000-mapping.dmp

        Download