Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    79s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/05/2023, 19:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9d470c2f5cf072dbd0d2c971e952751fb49a902b37d36f64758536b2fc6b602b.exe

  • Size

    4.1MB

  • MD5

    664b5c2890208e1fc1342f5355228429

  • SHA1

    fd755f12549bbb17502a39c5dee6494e9a3134d0

  • SHA256

    9d470c2f5cf072dbd0d2c971e952751fb49a902b37d36f64758536b2fc6b602b

  • SHA512

    2b5e5251513bb51156e1c7338cb830277913b106c8aed39d751a2402689188704047eb1f4297de6ce14792e29bba5593260f3ab619b4ed1b0244c559f430e7a7

  • SSDEEP

    98304:8wTYwnYaXv/mW1LwhFPQ8+M3pkhaRJ+Xc15yds:89wnxf/mW1shFsM5kA8c10s

Score
10/10
gluptebadropperevasionloaderpersistence

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 5 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d470c2f5cf072dbd0d2c971e952751fb49a902b37d36f64758536b2fc6b602b.exe
    "C:\Users\Admin\AppData\Local\Temp\9d470c2f5cf072dbd0d2c971e952751fb49a902b37d36f64758536b2fc6b602b.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:796
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1176
    • C:\Users\Admin\AppData\Local\Temp\9d470c2f5cf072dbd0d2c971e952751fb49a902b37d36f64758536b2fc6b602b.exe
      "C:\Users\Admin\AppData\Local\Temp\9d470c2f5cf072dbd0d2c971e952751fb49a902b37d36f64758536b2fc6b602b.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:640
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3600
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:4588
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4596
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1248
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        PID:2336

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4l2tzput.0z0.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize

    19KB

    MD5

    1d90ca02583ae8024622041bb430e3b5

    SHA1

    62ac7229e4768a16b1fe51813753e671fd22c963

    SHA256

    62833ed4fafaf45c7cfac6e1d504efd1dc09395f18b40394174b4611d7c0bce7

    SHA512

    ca214c6788b304e976f95cccace592c94a6ee8a15ba6d9f524d0d0b061fda8a55c486cd2e1f205c025f7182b582d88a3e2fa85dc3a2c38581376519ace3f2280

    Download Submit

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize

    19KB

    MD5

    d0dec854a9639c50990d0bfbb6854ebe

    SHA1

    cd9b194c26419711d6fbec75ff23d6fa083e650a

    SHA256

    e7c4a34652934353327ebe6cf4ddaae4f5ef8f80ecaa688dba45600a3dd85e61

    SHA512

    0a395ca4f3c5ca7e6611b27f0b71d38a27771c97a9b99fda8cf6e6d4e0c5ff18a693a4e308382fdc9322c103c2f4d1c6e556decc27460a9688173979efff616b

    Download Submit

  • C:\Windows\rss\csrss.exe
    Filesize

    4.1MB

    MD5

    664b5c2890208e1fc1342f5355228429

    SHA1

    fd755f12549bbb17502a39c5dee6494e9a3134d0

    SHA256

    9d470c2f5cf072dbd0d2c971e952751fb49a902b37d36f64758536b2fc6b602b

    SHA512

    2b5e5251513bb51156e1c7338cb830277913b106c8aed39d751a2402689188704047eb1f4297de6ce14792e29bba5593260f3ab619b4ed1b0244c559f430e7a7

    Download Submit

  • C:\Windows\rss\csrss.exe
    Filesize

    4.1MB

    MD5

    664b5c2890208e1fc1342f5355228429

    SHA1

    fd755f12549bbb17502a39c5dee6494e9a3134d0

    SHA256

    9d470c2f5cf072dbd0d2c971e952751fb49a902b37d36f64758536b2fc6b602b

    SHA512

    2b5e5251513bb51156e1c7338cb830277913b106c8aed39d751a2402689188704047eb1f4297de6ce14792e29bba5593260f3ab619b4ed1b0244c559f430e7a7

    Download Submit

  • memory/640-191-0x00000000048E0000-0x00000000048F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/640-189-0x00000000048E0000-0x00000000048F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/640-190-0x00000000048E0000-0x00000000048F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/640-203-0x000000007F5B0000-0x000000007F5C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/640-193-0x0000000070E90000-0x00000000711E4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/640-192-0x00000000706F0000-0x000000007073C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/796-173-0x0000000000400000-0x0000000000D1B000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/796-134-0x0000000002E70000-0x000000000375B000-memory.dmp

    Filesize

    8.9MB

    Download

  • memory/796-206-0x0000000000400000-0x0000000000D1B000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1176-171-0x0000000007260000-0x000000000726A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1176-174-0x00000000072D0000-0x00000000072DE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1176-155-0x0000000006F70000-0x0000000006F8A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1176-156-0x0000000002630000-0x0000000002640000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1176-157-0x0000000007120000-0x0000000007152000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1176-158-0x00000000706F0000-0x000000007073C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1176-159-0x0000000070890000-0x0000000070BE4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1176-169-0x0000000004920000-0x000000000493E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1176-170-0x000000007FBF0000-0x000000007FC00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1176-153-0x0000000006EF0000-0x0000000006F66000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1176-172-0x0000000007330000-0x00000000073C6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1176-152-0x0000000006B90000-0x0000000006BD4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1176-151-0x0000000005BB0000-0x0000000005BCE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1176-143-0x0000000005480000-0x00000000054E6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1176-140-0x0000000005410000-0x0000000005476000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1176-139-0x0000000004BD0000-0x0000000004BF2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1176-138-0x0000000004CE0000-0x0000000005308000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1176-154-0x00000000075F0000-0x0000000007C6A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1176-175-0x00000000073D0000-0x00000000073EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1176-176-0x0000000007310000-0x0000000007318000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1176-135-0x00000000025C0000-0x00000000025F6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1176-136-0x0000000002630000-0x0000000002640000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1176-137-0x0000000002630000-0x0000000002640000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1248-246-0x0000000002D40000-0x0000000002D50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1248-234-0x0000000002D40000-0x0000000002D50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1248-235-0x0000000002D40000-0x0000000002D50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1248-247-0x00000000706F0000-0x000000007073C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1248-248-0x0000000070E90000-0x00000000711E4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1248-258-0x000000007F240000-0x000000007F250000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1712-231-0x0000000000400000-0x0000000000D1B000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1712-263-0x0000000000400000-0x0000000000D1B000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/4596-232-0x000000007F2B0000-0x000000007F2C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4596-220-0x00000000706F0000-0x000000007073C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4596-221-0x0000000070890000-0x0000000070BE4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4596-219-0x0000000004860000-0x0000000004870000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4596-218-0x0000000004860000-0x0000000004870000-memory.dmp

    Filesize

    64KB

    Download