Overview

overview

10

Static

static

dd4053232a...08.exe

windows7-x64

10

dd4053232a...08.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    108s
  • max time network
    252s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2023 17:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe

  • Size

    5.0MB

  • MD5

    ca4b4c1d1446f489b86d26437a0eb7ee

  • SHA1

    7fb5c07d3f6658e12a35da6d98c57e9d8427d47d

  • SHA256

    dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08

  • SHA512

    7847515ad733efdf9fa60139563980f6c6ed79dc944d5624857a64d9a073a7341a5dbc5e4f423bdfc7e5cd88cce25fbb39ab2d6c171c14845e9fee6b18d5f176

  • SSDEEP

    98304:RlLfucpPn8x3xZNcU2UgWZEbS6h/klBbp3FZW3tLIfxtGheHLNROgBTd:Rl/Bwfc7uF3btRUq

Score
10/10
gluptebadropperevasionloader

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 6 IoCs
  • Modifies Windows Firewall 1 TTPs 2 IoCs
    evasion
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
    "C:\Users\Admin\AppData\Local\Temp\dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe"
    1⤵
      PID:1460
      • C:\Users\Admin\AppData\Local\Temp\dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe
        "C:\Users\Admin\AppData\Local\Temp\dd4053232afbb1246e76849c6bae2316ab2a9a7e678e61486f165301ff53ec08.exe"
        2⤵
          PID:2856
          • C:\Windows\system32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            3⤵
              PID:3252
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                4⤵
                • Modifies Windows Firewall
                PID:2984
            • C:\Windows\system32\cmd.exe
              C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes"
              3⤵
                PID:368
                • C:\Windows\system32\netsh.exe
                  netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes
                  4⤵
                  • Modifies Windows Firewall
                  PID:2260
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
            1⤵
              PID:2848

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Modify Existing Service

            1
            T1031

            Privilege Escalation

            Defense Evasion

            Credential Access

            Discovery

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/368-146-0x0000000000000000-mapping.dmp
              Download
            • memory/1460-133-0x0000000003343000-0x00000000036DB000-memory.dmp
              Filesize

              3.6MB

              Download
            • memory/1460-134-0x0000000000400000-0x0000000001114000-memory.dmp
              Filesize

              13.1MB

              Download
            • memory/1460-135-0x0000000000400000-0x0000000001114000-memory.dmp
              Filesize

              13.1MB

              Download
            • memory/1460-136-0x0000000000400000-0x0000000001114000-memory.dmp
              Filesize

              13.1MB

              Download
            • memory/1460-138-0x0000000000400000-0x0000000001114000-memory.dmp
              Filesize

              13.1MB

              Download
            • memory/1460-139-0x0000000003343000-0x00000000036DB000-memory.dmp
              Filesize

              3.6MB

              Download
            • memory/1460-132-0x0000000000400000-0x0000000001114000-memory.dmp
              Filesize

              13.1MB

              Download
            • memory/2260-147-0x0000000000000000-mapping.dmp
              Download
            • memory/2856-140-0x0000000000400000-0x0000000001114000-memory.dmp
              Filesize

              13.1MB

              Download
            • memory/2856-142-0x0000000000400000-0x0000000001114000-memory.dmp
              Filesize

              13.1MB

              Download
            • memory/2856-145-0x0000000000400000-0x0000000001114000-memory.dmp
              Filesize

              13.1MB

              Download
            • memory/2856-141-0x0000000003287000-0x000000000361F000-memory.dmp
              Filesize

              3.6MB

              Download
            • memory/2856-137-0x0000000000000000-mapping.dmp
              Download
            • memory/2984-144-0x0000000000000000-mapping.dmp
              Download
            • memory/3252-143-0x0000000000000000-mapping.dmp
              Download