Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    28/05/2023, 20:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f24bb741546d91451260327453939743066d9f7ced343704ea2ea1b893fb4f37.exe

  • Size

    4.2MB

  • MD5

    6145c4a854c7cb096f718fcfed3661b1

  • SHA1

    587ea31107da8e6ff3eb9ff46154148e4a76bb31

  • SHA256

    f24bb741546d91451260327453939743066d9f7ced343704ea2ea1b893fb4f37

  • SHA512

    d6a105a232132bff67b9bfc7d74d7d947fec044d78ab549a07b2e4b423ccbb59f964794a7dc8603f815b91409a15948d5161a5250d338ab38c16f4de5c6f7809

  • SSDEEP

    98304:ewE1QZDOvttQeixPv/OzaV7KVjP9D+85PnLMGOy15oxuUz/hm4OS5I:G02TQeixPHB74j16QzH1ipzJ55I

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkittrojan

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 16 IoCs
  • Windows security bypass 2 TTPs 7 IoCs
    evasiontrojan
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\f24bb741546d91451260327453939743066d9f7ced343704ea2ea1b893fb4f37.exe
    "C:\Users\Admin\AppData\Local\Temp\f24bb741546d91451260327453939743066d9f7ced343704ea2ea1b893fb4f37.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3680
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4392
    • C:\Users\Admin\AppData\Local\Temp\f24bb741546d91451260327453939743066d9f7ced343704ea2ea1b893fb4f37.exe
      "C:\Users\Admin\AppData\Local\Temp\f24bb741546d91451260327453939743066d9f7ced343704ea2ea1b893fb4f37.exe"
      2⤵
      • Windows security bypass
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1612
      • C:\Windows\System32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4836
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:5032
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5024
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3936
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1200
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3160
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:3340
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:3212
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4996
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3744
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:3908
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:4432

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gfrfttnl.v55.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      1c19c16e21c97ed42d5beabc93391fc5

      SHA1

      8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

      SHA256

      1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

      SHA512

      7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      cbd955b0e2d1859e6e4785d94182f6d1

      SHA1

      ed6094841f826441baec955a6ea074fa77c1bb0a

      SHA256

      a11dfe7ab634890b6898f2f5d3e4c19a84d56244c3d3ed7a5451ba09df15d6d2

      SHA512

      d977e396e23b25a5f52d5faabe3aa6fad37cb687ac6f6e4dbd7e979e2606c7b9cdd531489baf72cb6b241952ebebc2f1b46fcb4491bdcd270e07a4f6ce709fef

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      7a4a92237caf947c2fb185904e6746b8

      SHA1

      554d5842f882687471ca3568961fc6092176a99d

      SHA256

      0cab9a7ec7ac6980e19c0de8b0a57fffec78cacaaecf10536333cee3c4e1f81b

      SHA512

      8abc920591793d29d1f97ee9265aed01d19877fb4d42c92e346f256d0e9ba820baae4782d87536d517d527cbc3cb38ae09a4dc8f7f527f652efedafd3d210bb1

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      16d686166d0bd08006baf1a45db1a6de

      SHA1

      dc2f42704c2465521221764279ac0b785c2d71ec

      SHA256

      7706b7f3ab61f69e095ca0d03019b1e54f813bb690cdf467ba47faa84112f29a

      SHA512

      d3f2fed7e740afe6cabfcf1d41369a41f3756511193a33594a25c5d7333ef024a6a5ca42a081f059d03e2cc2dfd6547b8d28ac7dacdaaadabaff574f4aacfab6

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      e8934bac5a8059c2c0d05d09aa066c83

      SHA1

      93d798ad0b66643bd6941911dc2d13a05e4cc504

      SHA256

      f0e1c7eabe1a9c16835fc22d66aaccb43cd83ae2a20293a235a6ec63c324cf03

      SHA512

      1b9b75fa0af58f8798bad0a26016bd30e93ed531a2358f7a21b5095b5e04b6371cb132bd10fd822f610a2c60bb9c0357ef595a00cbb6429cbb03b6726234dd14

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      a598cbe518c27777b371cd354b312491

      SHA1

      2c937f7d156c0b1eb42d496e54ece47699954b57

      SHA256

      e89dc169a64a1d5cc23d5e5191dbea84fbedd6be08dabf67824e11131bc7cdfd

      SHA512

      0ce37649aaa2d7b73f5952f61d9a302cf344f7195cfaff8c28f6c9aedaef8d81cc68bde7f8af6e92975020ab8d9b1299c7f6d35da648fca741a5fb95586a3665

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      6145c4a854c7cb096f718fcfed3661b1

      SHA1

      587ea31107da8e6ff3eb9ff46154148e4a76bb31

      SHA256

      f24bb741546d91451260327453939743066d9f7ced343704ea2ea1b893fb4f37

      SHA512

      d6a105a232132bff67b9bfc7d74d7d947fec044d78ab549a07b2e4b423ccbb59f964794a7dc8603f815b91409a15948d5161a5250d338ab38c16f4de5c6f7809

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      6145c4a854c7cb096f718fcfed3661b1

      SHA1

      587ea31107da8e6ff3eb9ff46154148e4a76bb31

      SHA256

      f24bb741546d91451260327453939743066d9f7ced343704ea2ea1b893fb4f37

      SHA512

      d6a105a232132bff67b9bfc7d74d7d947fec044d78ab549a07b2e4b423ccbb59f964794a7dc8603f815b91409a15948d5161a5250d338ab38c16f4de5c6f7809

      Download Submit

    • memory/1200-1890-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1200-1885-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1200-1886-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1200-1887-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1200-1888-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1200-1889-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1200-1891-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1200-1892-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1200-1893-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1200-1455-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1200-1894-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1612-417-0x0000000006C50000-0x0000000006C60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1612-514-0x0000000006C50000-0x0000000006C60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1612-416-0x0000000007BA0000-0x0000000007EF0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1612-418-0x0000000006C50000-0x0000000006C60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1612-419-0x0000000008320000-0x000000000836B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/1612-438-0x000000007E8F0000-0x000000007E900000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1612-443-0x0000000009540000-0x00000000095E5000-memory.dmp

      Filesize

      660KB

      Download

    • memory/2188-1146-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2188-682-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3160-1178-0x0000000008FF0000-0x0000000009095000-memory.dmp

      Filesize

      660KB

      Download

    • memory/3160-1155-0x0000000008000000-0x000000000804B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3160-1153-0x0000000007510000-0x0000000007860000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3160-1152-0x0000000004600000-0x0000000004610000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3160-1180-0x000000007F340000-0x000000007F350000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3160-1182-0x0000000004600000-0x0000000004610000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3160-1151-0x0000000004600000-0x0000000004610000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3680-412-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3680-271-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3680-118-0x0000000003020000-0x000000000390B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/3744-1641-0x0000000004710000-0x0000000004720000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3744-1642-0x0000000004710000-0x0000000004720000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3744-1669-0x000000007F010000-0x000000007F020000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3744-1672-0x0000000004710000-0x0000000004720000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3744-1640-0x0000000007770000-0x0000000007AC0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3936-905-0x0000000006E40000-0x0000000006E50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3936-945-0x0000000006E40000-0x0000000006E50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3936-943-0x000000007E8C0000-0x000000007E8D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3936-903-0x0000000006E40000-0x0000000006E50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3936-904-0x0000000007B20000-0x0000000007E70000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4392-389-0x00000000073F0000-0x000000000740A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4392-128-0x0000000008270000-0x00000000085C0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4392-121-0x00000000050A0000-0x00000000050D6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4392-122-0x0000000005170000-0x0000000005180000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4392-123-0x00000000077F0000-0x0000000007E18000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4392-124-0x0000000005170000-0x0000000005180000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4392-125-0x00000000076B0000-0x00000000076D2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4392-126-0x0000000007E90000-0x0000000007EF6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4392-127-0x0000000007F10000-0x0000000007F76000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4392-129-0x00000000081E0000-0x00000000081FC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/4392-130-0x0000000008210000-0x000000000825B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4392-141-0x0000000008A20000-0x0000000008A96000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4392-394-0x00000000073E0000-0x00000000073E8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4392-254-0x000000007E840000-0x000000007E850000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4392-194-0x000000000A6E0000-0x000000000A774000-memory.dmp

      Filesize

      592KB

      Download

    • memory/4392-193-0x000000000A510000-0x000000000A5B5000-memory.dmp

      Filesize

      660KB

      Download

    • memory/4392-188-0x000000000A4B0000-0x000000000A4CE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4392-187-0x000000000A4D0000-0x000000000A503000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4392-150-0x0000000008AD0000-0x0000000008B0C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4996-1457-0x0000000006660000-0x0000000006670000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4996-1454-0x000000007F3F0000-0x000000007F400000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4996-1422-0x0000000008EB0000-0x0000000008F55000-memory.dmp

      Filesize

      660KB

      Download

    • memory/4996-1411-0x0000000006660000-0x0000000006670000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4996-1410-0x0000000006660000-0x0000000006670000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4996-1397-0x0000000007910000-0x000000000795B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4996-1395-0x00000000072D0000-0x0000000007620000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/5024-662-0x0000000007150000-0x0000000007160000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5024-743-0x0000000007150000-0x0000000007160000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5024-663-0x0000000007150000-0x0000000007160000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5024-684-0x000000007E0A0000-0x000000007E0B0000-memory.dmp

      Filesize

      64KB

      Download