Analysis
-
max time kernel
81s -
max time network
72s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
01-06-2023 14:51
General
-
Target
02543899.exe
-
Size
4.1MB
-
MD5
35ddff2a7ed41e5df705d61486c280ea
-
SHA1
b03f9bf219aaf9c8ce739d13a53dee1e5b05bd15
-
SHA256
1eda92d1eba2e41025c4eff11890cfa56d570f5c1319603759320e774f85b1cb
-
SHA512
3028d30dda0810968531bfe96760eb2f053eb0e713b4b152b3a7418ecb9ea7e189a6d43330d4e7ca97f4ce89b0455e2640c1f86e25dc9ddf5ef8c9c83b3b7d4a
-
SSDEEP
98304:uBH86PGrtUmo7vlrmO488JWvob44Zv6o1tr:oH3PGxfo7pi88JWA9V6mB
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 9 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 2 IoCs
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\02543899.exe"C:\Users\Admin\AppData\Local\Temp\02543899.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\02543899.exe"C:\Users\Admin\AppData\Local\Temp\02543899.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 6602⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5060 -ip 50601⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
19KB
MD5100aec8345c7172dbc592dee3d826dd7
SHA1317fb145e741422dd820a480fa0d79ad8f75d0bc
SHA256db83a0548d0679ecffd88c20b5f964053fd96d03cbcc1bcbefa473131f96a988
SHA51264d459540b4ae31886e776f7de0e93dba2c4fb2eff8b46961479342c75ee60ece8197d7777ef31f48217fbc7ddc8502cf6d6cc3a7ec34748ee738cd29927995e
-
Filesize
19KB
MD5a497db76dd3e79e47d7d1f860fac4f3a
SHA10f6c0767270efc554b8c424279cf679f4ed127b2
SHA2568ee50226aec6d6d0830f647330ba4601d923f26cc1cd53f8d7afc480cee4d859
SHA512c800de2fb8c69575800ff2fb423f21b6430616812bc5db8a2965e182bb6f18157da918566ba9a78b916720c88524dfbc175d464f712aae46eb7a5b5d1b2f12d5
-
Filesize
19KB
MD5d80654133ae133b9ee509a4289c4da7a
SHA15469074c7a210cc4a39e49e39012b9ab90789f1c
SHA2561fe98f6a5d38b3416a8bb0d5ceaa12034a290b6209b526debef7d2986832c09d
SHA512850ae34bfaf0218903ac26fda8713776bec04aaf160092422b10f33fc0e7d9ac079d18d0e5af66f93da01d11df5a6522abba2b3d6d347148e9ea060499c33e47
-
Filesize
19KB
MD5507126b639aa80f03d440da6026ef1b3
SHA1118398fd60503ba85ad320bd0ef776a5e7d4621e
SHA256acc3d96af3964273e4c04ee23c462481123413bcbeab03c6296f2a4e4a91eead
SHA5121d773b005dee3765cadb7eb7d4a88132fcd48f2417aabad4da5194d341657688852e6fa4a453f6fd19b45b02e3ffa7ee8b278d832db6f9218d204eda781fb259
-
Filesize
19KB
MD53acfff9cde16da370553227f7123de6d
SHA1409e2e306a7e5220c1d619840f69742d72ce102d
SHA2560b602d09108ec0ee0caa5945c08ac4961b37bdc95103e634a92c57b9f4376669
SHA5120bc7f8d757404d90759b6b3704c819f2d22de0f6cdefda70882f279106347bf4bbf14d3aaa85481d643a1831b65e721575a15f32c14917293871d90c5d670433
-
Filesize
4.1MB
MD535ddff2a7ed41e5df705d61486c280ea
SHA1b03f9bf219aaf9c8ce739d13a53dee1e5b05bd15
SHA2561eda92d1eba2e41025c4eff11890cfa56d570f5c1319603759320e774f85b1cb
SHA5123028d30dda0810968531bfe96760eb2f053eb0e713b4b152b3a7418ecb9ea7e189a6d43330d4e7ca97f4ce89b0455e2640c1f86e25dc9ddf5ef8c9c83b3b7d4a
-
Filesize
4.1MB
MD535ddff2a7ed41e5df705d61486c280ea
SHA1b03f9bf219aaf9c8ce739d13a53dee1e5b05bd15
SHA2561eda92d1eba2e41025c4eff11890cfa56d570f5c1319603759320e774f85b1cb
SHA5123028d30dda0810968531bfe96760eb2f053eb0e713b4b152b3a7418ecb9ea7e189a6d43330d4e7ca97f4ce89b0455e2640c1f86e25dc9ddf5ef8c9c83b3b7d4a
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
56KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
216KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
6.2MB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
272KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
8.9MB