Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

09751399.exe

windows7-x64

10

09751399.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/05/2023, 09:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    09751399.exe

  • Size

    4.2MB

  • MD5

    289257051a7e30f837a00b4186b47501

  • SHA1

    322971cb7da2f62756e505ea8ba036462514c1bf

  • SHA256

    433ec815318e439551d66ddf3c605ba7da5e966b671107b425f73262d39a9c83

  • SHA512

    028854277ad817627f3070f0648bd546b2cc0a5c3ed220b1596725a41c934a9c62eb8f23c6e71619ea0c6c2d625b23c8a2ce03ca4eba016539a2134f4057bc26

  • SSDEEP

    98304:aHVVp2uqi61tX39zbn2cQKXNes4aMrVfmxWuRZxuBKBOBL:aFYzTXNH2c3eKokxlRfC

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkit

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 16 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\09751399.exe
    "C:\Users\Admin\AppData\Local\Temp\09751399.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4516
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5104
    • C:\Users\Admin\AppData\Local\Temp\09751399.exe
      "C:\Users\Admin\AppData\Local\Temp\09751399.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4648
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1748
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4284
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:848
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4984
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2676
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:956
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3552
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:1496
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:3012
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2824
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4972
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:4788
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:3100

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_22bicj1h.nrx.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      59a9a49977aa5c57fc5f573e31d3b0f5

      SHA1

      8fbfcd014741827486cd3ff163eb46f24128d1e5

      SHA256

      b041fe6075435f6733f9a143b71388b81c033122ace3c9b10b6e4c820cf46f4a

      SHA512

      a33c2d88376e36ba194f97c79585b1179b928637662aa0dc45e53bd73c1c00f66e4267fab4fd56fb15a9002b0f44feb9ebb6f69464d2f29ddc6da399533989e7

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      ed6bdcfe1f7ad45e792dffdd73c9c462

      SHA1

      242b53223cbf1cc9d43e061a7f51d72a1a1ba468

      SHA256

      4716686b82ab1b79afefa729c99755ebebda017347273624d64de5a1c5269bf1

      SHA512

      f04ae8e39ebe4503c93d50a3a62610e4a8868b5d1ab574a119e7a987380c6141cd1a591eff7d35cf88df67d99358c6b1692a4053df7a19a2279d0497453d54ab

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      7bd2dc4d09ce7d30b1a02fe485004a21

      SHA1

      db09a40bb374bdf86549e39f06f13f7f997a8723

      SHA256

      059ee1b5770b72c7505f56685413fe6af8f1440cd5b47e22ac022d819d5b5b2e

      SHA512

      f65779ba4333783a975329b5c65570a37cd4c99a4ca3bf1c6d5060819922f40375771b260076dc2baf1b542d8f66fd9fd70a6e7d6424365512f9869f638a827e

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      0c2cf23784c633f033cdaa5169d9ec48

      SHA1

      bb39397bae53bac05282a04caf54c6988b892d98

      SHA256

      a307711d804a6c3363f3bf8327603e59b7a948db994d74b97a39f3ef1ea4d8e4

      SHA512

      e78b85bedf93a8019d87fbc500733474fee4ab60a1821eebd5192c706f37aaa31df4278915ede7a43018c363ba98d03839eb82f98b8fae3ae1857485a0c5dfed

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      cc05b98736b51f53c01a41296de1191a

      SHA1

      221c7cc4ddd0a941cb33ec1eb5730306c3db854c

      SHA256

      ed4b9ff41e14612cfc2bc87fc04d6449051f09d586771243d2c582e87acd276e

      SHA512

      48cad866ce2d979f000f2d0fbd0f66c277ec35a6ecf89fd21017e50cadd883dca1f1d914145a07e16ee79fca6d32f97fe0247885f3c519a91cbf85438de7162d

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      289257051a7e30f837a00b4186b47501

      SHA1

      322971cb7da2f62756e505ea8ba036462514c1bf

      SHA256

      433ec815318e439551d66ddf3c605ba7da5e966b671107b425f73262d39a9c83

      SHA512

      028854277ad817627f3070f0648bd546b2cc0a5c3ed220b1596725a41c934a9c62eb8f23c6e71619ea0c6c2d625b23c8a2ce03ca4eba016539a2134f4057bc26

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      289257051a7e30f837a00b4186b47501

      SHA1

      322971cb7da2f62756e505ea8ba036462514c1bf

      SHA256

      433ec815318e439551d66ddf3c605ba7da5e966b671107b425f73262d39a9c83

      SHA512

      028854277ad817627f3070f0648bd546b2cc0a5c3ed220b1596725a41c934a9c62eb8f23c6e71619ea0c6c2d625b23c8a2ce03ca4eba016539a2134f4057bc26

      Download Submit

    • memory/956-359-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/956-353-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/956-355-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/956-357-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/956-306-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/956-361-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/956-363-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/956-365-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/956-367-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/956-371-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/956-369-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1748-190-0x0000000004A40000-0x0000000004A50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1748-189-0x0000000004A40000-0x0000000004A50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1748-191-0x0000000070CF0000-0x0000000070D3C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1748-192-0x0000000070E90000-0x00000000711E4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1748-200-0x0000000004A40000-0x0000000004A50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2676-246-0x0000000070CF0000-0x0000000070D3C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2676-245-0x00000000052E0000-0x00000000052F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2676-244-0x00000000052E0000-0x00000000052F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2676-247-0x0000000070E70000-0x00000000711C4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2676-257-0x00000000052E0000-0x00000000052F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2676-258-0x000000007F770000-0x000000007F780000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2824-308-0x0000000070C10000-0x0000000070C5C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2824-305-0x0000000002C60000-0x0000000002C70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2824-319-0x000000007F720000-0x000000007F730000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2824-309-0x0000000070D90000-0x00000000710E4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2824-304-0x0000000002C60000-0x0000000002C70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2824-307-0x0000000002C60000-0x0000000002C70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3552-291-0x000000007FC60000-0x000000007FC70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3552-281-0x0000000071490000-0x00000000717E4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3552-280-0x0000000070CF0000-0x0000000070D3C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3552-279-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3552-277-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3552-276-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4516-157-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4516-203-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4516-134-0x0000000002FD0000-0x00000000038BB000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/4648-231-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4648-264-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4972-334-0x0000000070C10000-0x0000000070C5C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4972-345-0x000000007FCF0000-0x000000007FD00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4972-335-0x00000000713A0000-0x00000000716F4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4972-333-0x0000000004830000-0x0000000004840000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4972-332-0x0000000004830000-0x0000000004840000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4972-331-0x0000000004830000-0x0000000004840000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4984-221-0x0000000071470000-0x00000000717C4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4984-217-0x0000000004960000-0x0000000004970000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4984-218-0x0000000004960000-0x0000000004970000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4984-219-0x0000000004960000-0x0000000004970000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4984-220-0x0000000070CF0000-0x0000000070D3C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4984-232-0x000000007FB90000-0x000000007FBA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5104-175-0x0000000007920000-0x000000000793A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/5104-155-0x0000000007B30000-0x00000000081AA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/5104-160-0x0000000070E70000-0x00000000711C4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/5104-158-0x00000000076A0000-0x00000000076D2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/5104-156-0x00000000074D0000-0x00000000074EA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/5104-174-0x0000000007820000-0x000000000782E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/5104-173-0x000000007F5C0000-0x000000007F5D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5104-172-0x0000000007880000-0x0000000007916000-memory.dmp

      Filesize

      600KB

      Download

    • memory/5104-171-0x00000000077B0000-0x00000000077BA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/5104-159-0x0000000070CF0000-0x0000000070D3C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/5104-170-0x0000000007660000-0x000000000767E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/5104-176-0x0000000007860000-0x0000000007868000-memory.dmp

      Filesize

      32KB

      Download

    • memory/5104-154-0x0000000007230000-0x00000000072A6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/5104-153-0x0000000002C00000-0x0000000002C10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5104-152-0x00000000066B0000-0x00000000066F4000-memory.dmp

      Filesize

      272KB

      Download

    • memory/5104-151-0x0000000006110000-0x000000000612E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/5104-146-0x0000000005A10000-0x0000000005A76000-memory.dmp

      Filesize

      408KB

      Download

    • memory/5104-140-0x00000000052D0000-0x0000000005336000-memory.dmp

      Filesize

      408KB

      Download

    • memory/5104-139-0x0000000005130000-0x0000000005152000-memory.dmp

      Filesize

      136KB

      Download

    • memory/5104-138-0x0000000002C00000-0x0000000002C10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5104-137-0x0000000002C00000-0x0000000002C10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5104-136-0x0000000005370000-0x0000000005998000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/5104-135-0x0000000002B50000-0x0000000002B86000-memory.dmp

      Filesize

      216KB

      Download