Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/05/2023, 07:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    22212563c82d627560b8a141299031992fde210f22c6be2471d3497bf8cff13b.exe

  • Size

    4.2MB

  • MD5

    44b7636d61531c114417405f90268a45

  • SHA1

    8d3c2ff47c4e8ab61da308cfe5bd3867949a9879

  • SHA256

    22212563c82d627560b8a141299031992fde210f22c6be2471d3497bf8cff13b

  • SHA512

    f2cca4082a013a26ccf344dba35e29015d19c4c76898a0bd898d1fab86dbc78f324ac7895a6a1a047cdd9a4ea5b0905c9df1a2a47a218a1cd950475af47f4695

  • SSDEEP

    98304:wmpX8O9HedpDBHdWTegeTnadviKpY0fMqD+731uK:TFHGpNjTadv4cIwK

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkit

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 17 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\22212563c82d627560b8a141299031992fde210f22c6be2471d3497bf8cff13b.exe
    "C:\Users\Admin\AppData\Local\Temp\22212563c82d627560b8a141299031992fde210f22c6be2471d3497bf8cff13b.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5064
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1392
    • C:\Users\Admin\AppData\Local\Temp\22212563c82d627560b8a141299031992fde210f22c6be2471d3497bf8cff13b.exe
      "C:\Users\Admin\AppData\Local\Temp\22212563c82d627560b8a141299031992fde210f22c6be2471d3497bf8cff13b.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4908
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2700
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2292
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:3832
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3524
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1604
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2996
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1476
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:876
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:4592
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4048
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4532
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:3304
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:2580

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ieoqcozm.zj4.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      3d086a433708053f9bf9523e1d87a4e8

      SHA1

      b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

      SHA256

      6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

      SHA512

      931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      aeb868425402f8e710bf3dba4414772f

      SHA1

      a8a75c5eb6c52d3f03860985caee525758e6e1ac

      SHA256

      fafc0021ecdceab3130dad84757c5f0d1548f708eb16c742a697484dbf078256

      SHA512

      773c64ef0dbb9317b251cfc81f6b109c879e33cedd16572ccad951783220d2951e168291bf4d4509bab68f2f4f16384f079a576fe4da8af9c157dcdb57f57e45

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      f759f49f95d6fa14f8d447fbf3c63630

      SHA1

      979c104048e1f493db627782860f772076db898f

      SHA256

      b828da52bbbd14c03bdda34256bb3de798f65c21d8d631e88fdfb97bc01d9d71

      SHA512

      c1be0a8a6e23c5a69133d5e0a5f091bb9c6d1268a3494f719b2ba5c6d902cddadcd174042025121f78c26ec92798eb647fe9de3f0a5864c04b955315c0db74db

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      4de76c60a4698554d69320eba49d0c42

      SHA1

      c3b685fa2233733fcf799ae887115fa02aa69e72

      SHA256

      6a5fedb02999e0715cf8d976a3dd19d1f7bc1e9fdaba2288bb0b9232e291eee5

      SHA512

      bb764f3f09338d891575f993dd4224031f03e8eb5448bf8f533de058fdeaa5ac45b1a0a28f50ce6206e9ee5c4265d7b62bbb37e0c839244b714601c4e5d52d27

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      694c25bab584b37b014e497b0a5ecc15

      SHA1

      14ce50d4ac56e8351b2d4160534c555fb28b0fb8

      SHA256

      03ca897ce774889eef4105d8792043df7b352c13d327deabf2a6170fc50624b3

      SHA512

      18be1c1d802a286e52af30723cce498020aa45665ce8c51402779ece0d6672a51d540da1a85949b9dd21f6709fd813be50ed82c7c932cbaec40fda91c3ad2c8c

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      9b6460c803cb3b0584c78c913c70ac37

      SHA1

      a9976ce32267ee1b51b4dd0d6d0e3c6157a71f7c

      SHA256

      81761e95aa64d9b583e82b66076fb4e312279ffa5f8eccb6ff5b88444e67d52c

      SHA512

      a921d58d9c15e64e48f34de4c9ec6f39e6126f36319fc920eae657483eff52b50730ab09ebed92cf3264f222a18e47925fc25efed5f23e44f8de63762d9295fb

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      44b7636d61531c114417405f90268a45

      SHA1

      8d3c2ff47c4e8ab61da308cfe5bd3867949a9879

      SHA256

      22212563c82d627560b8a141299031992fde210f22c6be2471d3497bf8cff13b

      SHA512

      f2cca4082a013a26ccf344dba35e29015d19c4c76898a0bd898d1fab86dbc78f324ac7895a6a1a047cdd9a4ea5b0905c9df1a2a47a218a1cd950475af47f4695

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      44b7636d61531c114417405f90268a45

      SHA1

      8d3c2ff47c4e8ab61da308cfe5bd3867949a9879

      SHA256

      22212563c82d627560b8a141299031992fde210f22c6be2471d3497bf8cff13b

      SHA512

      f2cca4082a013a26ccf344dba35e29015d19c4c76898a0bd898d1fab86dbc78f324ac7895a6a1a047cdd9a4ea5b0905c9df1a2a47a218a1cd950475af47f4695

      Download Submit

    • memory/1392-151-0x0000000005AB0000-0x0000000005ACE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1392-175-0x00000000072C0000-0x00000000072DA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1392-155-0x0000000006E80000-0x0000000006E9A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1392-156-0x00000000044D0000-0x00000000044E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1392-157-0x0000000007040000-0x0000000007072000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1392-158-0x00000000702F0000-0x000000007033C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1392-159-0x0000000070470000-0x00000000707C4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1392-169-0x0000000007020000-0x000000000703E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1392-170-0x0000000007160000-0x000000000716A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1392-153-0x0000000006DE0000-0x0000000006E56000-memory.dmp

      Filesize

      472KB

      Download

    • memory/1392-172-0x000000007F450000-0x000000007F460000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1392-173-0x0000000007220000-0x00000000072B6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/1392-174-0x00000000071C0000-0x00000000071CE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1392-154-0x00000000074E0000-0x0000000007B5A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/1392-176-0x0000000007200000-0x0000000007208000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1392-152-0x0000000006C30000-0x0000000006C74000-memory.dmp

      Filesize

      272KB

      Download

    • memory/1392-143-0x00000000054A0000-0x0000000005506000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1392-140-0x00000000053C0000-0x0000000005426000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1392-135-0x0000000004520000-0x0000000004556000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1392-136-0x0000000004B90000-0x00000000051B8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1392-137-0x00000000044D0000-0x00000000044E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1392-138-0x00000000044D0000-0x00000000044E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1392-139-0x0000000005220000-0x0000000005242000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1476-279-0x0000000002600000-0x0000000002610000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1476-281-0x00000000702F0000-0x000000007033C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1476-268-0x0000000002600000-0x0000000002610000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1476-280-0x000000007FA00000-0x000000007FA10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1476-282-0x0000000070A70000-0x0000000070DC4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1604-245-0x0000000004DF0000-0x0000000004E00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1604-246-0x0000000004DF0000-0x0000000004E00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1604-248-0x0000000070A70000-0x0000000070DC4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1604-247-0x00000000702F0000-0x000000007033C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1604-258-0x0000000004DF0000-0x0000000004E00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1604-259-0x000000007FB80000-0x000000007FB90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2700-190-0x0000000002B40000-0x0000000002B50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2700-189-0x0000000002B40000-0x0000000002B50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2700-191-0x0000000002B40000-0x0000000002B50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2700-192-0x00000000702F0000-0x000000007033C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2700-193-0x0000000070A70000-0x0000000070DC4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2700-203-0x000000007F6A0000-0x000000007F6B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2996-365-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2996-355-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2996-351-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2996-353-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2996-367-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2996-318-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2996-369-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2996-371-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2996-363-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2996-361-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2996-359-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2996-357-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3524-232-0x0000000005520000-0x0000000005530000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3524-219-0x0000000005520000-0x0000000005530000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3524-221-0x0000000070A70000-0x0000000070DC4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3524-233-0x000000007F830000-0x000000007F840000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3524-220-0x00000000702F0000-0x000000007033C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3524-218-0x0000000005520000-0x0000000005530000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4048-306-0x0000000070390000-0x00000000706E4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4048-304-0x0000000003170000-0x0000000003180000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4048-303-0x0000000003170000-0x0000000003180000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4048-305-0x0000000070210000-0x000000007025C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4048-316-0x0000000003170000-0x0000000003180000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4048-317-0x000000007F5B0000-0x000000007F5C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4532-332-0x0000000004550000-0x0000000004560000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4532-331-0x0000000004550000-0x0000000004560000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4532-333-0x0000000070210000-0x000000007025C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4532-334-0x00000000709A0000-0x0000000070CF4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4532-344-0x000000007FCF0000-0x000000007FD00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4908-264-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4908-231-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/5064-171-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/5064-206-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/5064-134-0x0000000002FD0000-0x00000000038BB000-memory.dmp

      Filesize

      8.9MB

      Download