Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
18-05-2023 09:58
General
-
Target
e58a15345e96ddefc00b5e356a26743d9cda21b64b42f305e0b46d0db9cf6c46.exe
-
Size
4.2MB
-
MD5
11ab111ec46b24ac0e8822e3f1a88ffe
-
SHA1
80ae5ba81f6edab19dd3eefdab3de31ffd252ba0
-
SHA256
e58a15345e96ddefc00b5e356a26743d9cda21b64b42f305e0b46d0db9cf6c46
-
SHA512
08b7b061b32de65126bd22c8e04a917332c78e8fb77b660e35ebccf5cdfd5fbd07fb7f76efbb221da0f2cdc5a279aac6a26e8c0749b6dd862a9791da1b7274cb
-
SSDEEP
98304:eRm1FI4Ofs4hghp/MO0myowzLWwPA6QaCj20M9u8R69Afm/Q:km0lfCbR/wzqGAbaCjcQC
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 17 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e58a15345e96ddefc00b5e356a26743d9cda21b64b42f305e0b46d0db9cf6c46.exe"C:\Users\Admin\AppData\Local\Temp\e58a15345e96ddefc00b5e356a26743d9cda21b64b42f305e0b46d0db9cf6c46.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\e58a15345e96ddefc00b5e356a26743d9cda21b64b42f305e0b46d0db9cf6c46.exe"C:\Users\Admin\AppData\Local\Temp\e58a15345e96ddefc00b5e356a26743d9cda21b64b42f305e0b46d0db9cf6c46.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exeC:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe4⤵
-
-
-
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize
19KB
MD57071fd28c75b53cfc3cf1996cbc020e5
SHA15375e175a195cd6d3580510a4371127cd586214c
SHA2561be62bb2d91d4ff5ba3e81fc048e90f4b90f9d57af31c19750c0fad28eea3af4
SHA51280d23117fca750fcda74f2954e7ce8f4b6cd68eed3d868515ee8fb3ff40cceea22953bf1f7df38698e97610952b7fa6ede1cf67d9f8d28984ddb055ff8c7fba3
-
Filesize
19KB
MD50b8e71a41b252ae92c0d52754652f034
SHA1ff2f057447b2645cee47799d6c3d800453240a52
SHA2569e7e099ed3967b2c7acaca7efe3e94ad7356cd89abedab29c8342dfcba332539
SHA51264129a60e3e8614faa275dce2c0ec7b1706d83461827ef0c783b9c00126cff3cc827d6681ea5e1ac019b446dad0d7d062b1f3c401f31eedb348decb026325c44
-
Filesize
19KB
MD55f61812f0b2870d2b4325e411b18f0fe
SHA1f8b10fcd91434c40942036539dab29ffc8699598
SHA256bac0b77b32833d0c7ab598f510a593b82f016cdaf67e4858f9ee243af1a4a7e9
SHA51282da04b50dc02ef683ad3118f8c1c2f8f6206a6061f40d0290d8efc0412cc44ec7065377eab167caa04d405d959fa74f773f6719250adb8608d5d5d2f32f24d1
-
Filesize
19KB
MD580b326d6129e9a86fec4878354c0da69
SHA151350795ae2fea4e57243d6a72b990ba025c564a
SHA25618ee9f79551dd38a03782c7569999c7e8a8db5d3c208c5be6fa46999149db8b3
SHA5121c827bf684683da542bc833929a41e96b1b5b78877ef3d905d5cb734044357749631ecba1b4b95c487af892761cf21c1fa4132dd16cd0d148d46752c55acb98e
-
Filesize
19KB
MD5b516c801be8f5cff2f89848c19e7ff46
SHA139652f4cb22704a207c5f946c03ca9423c774f63
SHA256ab57b6aa61512554c88470f8ea96d31a305bd0605de17b7c0b89e5516040d4ae
SHA5120f63144de74a7c2e7feabba1dbead46ffc72bf039ba0fa3e1924645f5ce3347d5320151276e8a43d515b1539ba23187c7058e955c2f39576192cdfc699b67286
-
Filesize
4.2MB
MD511ab111ec46b24ac0e8822e3f1a88ffe
SHA180ae5ba81f6edab19dd3eefdab3de31ffd252ba0
SHA256e58a15345e96ddefc00b5e356a26743d9cda21b64b42f305e0b46d0db9cf6c46
SHA51208b7b061b32de65126bd22c8e04a917332c78e8fb77b660e35ebccf5cdfd5fbd07fb7f76efbb221da0f2cdc5a279aac6a26e8c0749b6dd862a9791da1b7274cb
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
64KB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
4.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
8.9MB
-
Filesize
304KB
-
Filesize
56KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
120KB
-
Filesize
408KB
-
Filesize
104KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
200KB
-
Filesize
272KB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
6.5MB
-
Filesize
8.1MB