Overview

overview

10

Static

static

1

01180199.exe

windows7-x64

10

01180199.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-05-2023 12:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    01180199.exe

  • Size

    4.2MB

  • MD5

    ab84fb215b438459888e7ccab1ab1229

  • SHA1

    798aceec1ef27c24197f65d1cb587a65106f6890

  • SHA256

    98768d4f722a184379396f330d277f28db6a45e33c1408c2762f6050e008f673

  • SHA512

    5cafa3282324f12e2458fbbb50b8c19a6860fc9886dc0e5c8b935ddf5fb4274ddfc2073839af0ec94f201e7ce4c0d090c3231807da5bdd679754a7c1887d269b

  • SSDEEP

    98304:WMx5MZVT9tUPwkx/Zp8dUN0XdtIlqz+mQ+MULINK20lBzXQiq:WJ/W4mpYluqz+mD/LINKXlZg

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkit

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 16 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\01180199.exe
    "C:\Users\Admin\AppData\Local\Temp\01180199.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2180
    • C:\Users\Admin\AppData\Local\Temp\01180199.exe
      "C:\Users\Admin\AppData\Local\Temp\01180199.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:760
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1480
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3952
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:3176
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4560
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3412
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2668
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4116
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:4640
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:3424
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3284
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4220
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:1304
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:4908

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_elgyj1ew.mul.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      4e473a9868d6cc298da01eb0a8cc10bd

      SHA1

      fb222422d0b299647c9cf528636a8b02000097f6

      SHA256

      f7f66b3a406bd61a1f0c0011540326873ca2095926d1b4bac21e7ab42a88ce53

      SHA512

      d84813f2566313efc75eee8868f0fbef92a6e6552a3b747edf984cdd4d4338d15fbbf369cb3f894b0d4b146d5c70189f682e8941baf03999b10c19460a0ef13c

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      ec70e23c8e6d266774505fe1aaa84543

      SHA1

      2e23fa3a76aa3f204ee339dfccdf03cadc1ce3ca

      SHA256

      8b3476169b08a16c096924b4c992b7422f621787f26afd61e434dfe399a3f1b3

      SHA512

      a63759d66f9f2843c3966ba0cd06ca1abc39202da75509fd6c374107ae8180776a2f70f3ba9c4c3e334fe345baec7385e7c6c423e7481a3b06687cb37f0e10b7

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      42e0fcac513a75ba9e087f37f5b3b635

      SHA1

      ac3daa5906d4b35720c9c4879170f4ad7c330210

      SHA256

      242fcc2361c6e4659e403befe8598ab985c6723d74957080bee757d7a73499f5

      SHA512

      ac69696145be2677c9dc15eac64c43ee6dd5fcacbcc99f70c62798564edecdacdc800a68b655a23a47fc886067e411a2ad98b503100ad5de64c83c8ac3184594

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      c1b891300c83c26007ee692516304f2b

      SHA1

      e088aedfdbbe1669d66d1abb2c6ad3b01bf8b96f

      SHA256

      70af009f20b3c7231a33805d58dd33a4587be8ae1bc060c5b307002d5aa7fc83

      SHA512

      d19b44c90d1c0e5ed4d1ce8df6fc25fc75dcdf89f7a117a054da34224eeb46ab8296b10265ee010206ae1c8663960ddedfe541b5872c480ade928a844feb5610

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      2585398954054348c12ad2dc7155edf8

      SHA1

      20ae90a2b56d2e4cfaae11dbf59c209bc806bc3c

      SHA256

      8490823584ebf73384edfb994de8594392ef2a922fd5eec73293059daabe79cf

      SHA512

      cfe501201604f9413aaee8fdc35b50f88cc60c1731791bd07c29931d1413d28eb1a0684afeb9caf41903ffb05239acc5da8506624fe794f81c51ec0a1b688126

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      ab84fb215b438459888e7ccab1ab1229

      SHA1

      798aceec1ef27c24197f65d1cb587a65106f6890

      SHA256

      98768d4f722a184379396f330d277f28db6a45e33c1408c2762f6050e008f673

      SHA512

      5cafa3282324f12e2458fbbb50b8c19a6860fc9886dc0e5c8b935ddf5fb4274ddfc2073839af0ec94f201e7ce4c0d090c3231807da5bdd679754a7c1887d269b

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      ab84fb215b438459888e7ccab1ab1229

      SHA1

      798aceec1ef27c24197f65d1cb587a65106f6890

      SHA256

      98768d4f722a184379396f330d277f28db6a45e33c1408c2762f6050e008f673

      SHA512

      5cafa3282324f12e2458fbbb50b8c19a6860fc9886dc0e5c8b935ddf5fb4274ddfc2073839af0ec94f201e7ce4c0d090c3231807da5bdd679754a7c1887d269b

      Download Submit

    • memory/760-261-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/760-231-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1480-180-0x0000000004B90000-0x0000000004BA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1480-203-0x000000007F5E0000-0x000000007F5F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1480-192-0x0000000071460000-0x00000000717B4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1480-193-0x0000000004B90000-0x0000000004BA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1480-191-0x0000000070CA0000-0x0000000070CEC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1480-190-0x0000000004B90000-0x0000000004BA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2180-171-0x0000000007FC0000-0x0000000007FCA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2180-157-0x000000007F540000-0x000000007F550000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2180-172-0x0000000008080000-0x0000000008116000-memory.dmp

      Filesize

      600KB

      Download

    • memory/2180-173-0x0000000008020000-0x000000000802E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2180-174-0x0000000008120000-0x000000000813A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2180-175-0x0000000008060000-0x0000000008068000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2180-135-0x0000000005360000-0x0000000005396000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2180-170-0x0000000007E70000-0x0000000007E8E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2180-160-0x0000000070D40000-0x0000000071094000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2180-159-0x0000000070BA0000-0x0000000070BEC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2180-158-0x0000000007E90000-0x0000000007EC2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2180-136-0x0000000005B30000-0x0000000006158000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2180-138-0x0000000005930000-0x0000000005952000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2180-155-0x0000000007CE0000-0x0000000007CFA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2180-154-0x0000000008340000-0x00000000089BA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/2180-139-0x00000000059D0000-0x0000000005A36000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2180-140-0x0000000005AB0000-0x0000000005B16000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2180-137-0x00000000054F0000-0x0000000005500000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2180-150-0x0000000006920000-0x000000000693E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2180-151-0x0000000006E60000-0x0000000006EA4000-memory.dmp

      Filesize

      272KB

      Download

    • memory/2180-153-0x00000000054F0000-0x0000000005500000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2180-152-0x0000000007C40000-0x0000000007CB6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2668-352-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2668-354-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2668-346-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2668-312-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2668-350-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2668-351-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2668-353-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2668-345-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2668-347-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2668-348-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2668-349-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2976-156-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2976-134-0x0000000002FE0000-0x00000000038CB000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/2976-178-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3284-299-0x0000000070B20000-0x0000000070B6C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3284-288-0x0000000004C30000-0x0000000004C40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3284-300-0x00000000712D0000-0x0000000071624000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3284-310-0x0000000004C30000-0x0000000004C40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3284-311-0x000000007F830000-0x000000007F840000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3284-287-0x0000000004C30000-0x0000000004C40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3412-246-0x0000000071440000-0x0000000071794000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3412-245-0x0000000070CA0000-0x0000000070CEC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3412-244-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3412-243-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4116-275-0x0000000070C00000-0x0000000070C4C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4116-274-0x0000000002CD0000-0x0000000002CE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4116-273-0x0000000002CD0000-0x0000000002CE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4116-276-0x00000000713A0000-0x00000000716F4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4220-327-0x0000000070B20000-0x0000000070B6C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4220-338-0x000000007EE10000-0x000000007EE20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4220-328-0x00000000712B0000-0x0000000071604000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4220-326-0x0000000004C00000-0x0000000004C10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4220-325-0x0000000004C00000-0x0000000004C10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4220-324-0x0000000004C00000-0x0000000004C10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4560-230-0x0000000004C80000-0x0000000004C90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4560-220-0x0000000070E20000-0x0000000071174000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4560-219-0x0000000070CA0000-0x0000000070CEC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4560-217-0x0000000004C80000-0x0000000004C90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4560-218-0x0000000004C80000-0x0000000004C90000-memory.dmp

      Filesize

      64KB

      Download