Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
06-06-2023 15:33
General
-
Target
01844399.exe
-
Size
4.2MB
-
MD5
04d549da1bedf0d9ebc9ed612d708271
-
SHA1
903d3947e7dfc3626a0c44ff2d7f8ba4580a64eb
-
SHA256
aab005395eff23305f1115eb28fd1e445869207439c9cb9fd47fd1493321ba76
-
SHA512
49187d9c2ddd0f9c720cf5a0b6ee7d73d4ba3d753e304ce254484fb8b1a965bf1c24529783ed0968312482670bef7acc77d8b6a09e5379c2f2bc86f846aa5b7c
-
SSDEEP
98304:iwPHzJGsSBKd2SXXNMk8lMY/ndSjzYudYViNA+e4p:i+TDj6tfAjsuTVeo
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 17 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 2 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\01844399.exe"C:\Users\Admin\AppData\Local\Temp\01844399.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\01844399.exe"C:\Users\Admin\AppData\Local\Temp\01844399.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sbbudjfz.n0q.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5cbad78763b06476144f6a6116ec4fed4
SHA1e1475a68e74e26311812e05f7b0920fc4b3fc3d9
SHA25646d9355803568ca5ac9803e4b199a65dec5461a09d13e4a8674c6818737b8a2a
SHA5121623bd5276a73e99aba0dd5f68b9c543e4feece6cb7c32a37113cb983c9683f6c189358da403a8f7354b763c3b7b4ca5c609aae8ebd5ba4024cb6a4f129e9418
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5e89feba54e6010a7c525411f5769d5f1
SHA1f4b4d29810e057cabdb87096689c14a70b1043b7
SHA2563aa16afb9c3233b836608777073a7bbb121a958853c4012e50b03c1188c56f8f
SHA51242584a7518acc6fa1e8d22fab6aa15685e5f77068ca695a7798cecd1265b35ac7acbaa8677ffa8a25214a3693ada51e57fdaf483a73d63bfdc27d865dd539bc2
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5f7f871379f281b2d2a85e431a7291455
SHA1e10c65d4e323050efc5c4cc060dfc9eec883d87a
SHA2563a316fcf2b90b72c4baeed75589f701f24daf8ec857080d7e582441f24c695db
SHA5125cb408e4233d8dc43725b38839688670febb4e281ec7323e257c5c13ac7366515ede0f50248824bb403bab9ec4ee09c7d98d23cae987dd85210c4ca902d30a9d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5911c8b079c6ca740e780329e8d259086
SHA15710dfcd820e8586be2e617b92f59cb040b7f9ad
SHA256bb7ac7517abeaf3bbf5fbe9662fea6624fad814c2192c8921b5350ffb0c7c286
SHA512ddc7bad412ce2fa8dcb957bed8568dad9de99d1888f03c602de0f56809230abefa9b2bdd7ccc34600160666e44fbb5f7bc1b99d6823f1e1649aecadbb60e55c8
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5a31c4b9d6507e850452a33fb9dc08afa
SHA1f9c8d1f4af66616b1b313e4da9d8a0d07740de66
SHA2569a406fe7ab13f195bd4f51e87ba104ff4f61682920bb9d02d64102903c87bd11
SHA512dd69efe7130a4656a5ab384877012a16fb4deafc808398e21ee3270f0c398e2bb50c9b854c1b252895010000be6fe436dea4004f461487e10753e79c15358b9a
-
C:\Windows\rss\csrss.exeFilesize
4.2MB
MD504d549da1bedf0d9ebc9ed612d708271
SHA1903d3947e7dfc3626a0c44ff2d7f8ba4580a64eb
SHA256aab005395eff23305f1115eb28fd1e445869207439c9cb9fd47fd1493321ba76
SHA51249187d9c2ddd0f9c720cf5a0b6ee7d73d4ba3d753e304ce254484fb8b1a965bf1c24529783ed0968312482670bef7acc77d8b6a09e5379c2f2bc86f846aa5b7c
-
C:\Windows\rss\csrss.exeFilesize
4.2MB
MD504d549da1bedf0d9ebc9ed612d708271
SHA1903d3947e7dfc3626a0c44ff2d7f8ba4580a64eb
SHA256aab005395eff23305f1115eb28fd1e445869207439c9cb9fd47fd1493321ba76
SHA51249187d9c2ddd0f9c720cf5a0b6ee7d73d4ba3d753e304ce254484fb8b1a965bf1c24529783ed0968312482670bef7acc77d8b6a09e5379c2f2bc86f846aa5b7c
-
memory/1404-223-0x0000000004C70000-0x0000000004C80000-memory.dmpFilesize
64KB
-
memory/1404-224-0x0000000004C70000-0x0000000004C80000-memory.dmpFilesize
64KB
-
memory/1404-225-0x0000000004C70000-0x0000000004C80000-memory.dmpFilesize
64KB
-
memory/1404-226-0x00000000706E0000-0x000000007072C000-memory.dmpFilesize
304KB
-
memory/1404-227-0x0000000070E60000-0x00000000711B4000-memory.dmpFilesize
3.3MB
-
memory/1404-237-0x000000007FA90000-0x000000007FAA0000-memory.dmpFilesize
64KB
-
memory/2272-282-0x00000000050A0000-0x00000000050B0000-memory.dmpFilesize
64KB
-
memory/2272-285-0x0000000070E60000-0x00000000711B4000-memory.dmpFilesize
3.3MB
-
memory/2272-287-0x000000007F680000-0x000000007F690000-memory.dmpFilesize
64KB
-
memory/2272-283-0x00000000050A0000-0x00000000050B0000-memory.dmpFilesize
64KB
-
memory/2272-284-0x00000000706E0000-0x000000007072C000-memory.dmpFilesize
304KB
-
memory/2272-286-0x00000000050A0000-0x00000000050B0000-memory.dmpFilesize
64KB
-
memory/2704-263-0x000000007F260000-0x000000007F270000-memory.dmpFilesize
64KB
-
memory/2704-252-0x0000000070E60000-0x00000000711B4000-memory.dmpFilesize
3.3MB
-
memory/2704-251-0x00000000706E0000-0x000000007072C000-memory.dmpFilesize
304KB
-
memory/2704-250-0x0000000004F00000-0x0000000004F10000-memory.dmpFilesize
64KB
-
memory/2704-249-0x0000000004F00000-0x0000000004F10000-memory.dmpFilesize
64KB
-
memory/2704-262-0x0000000004F00000-0x0000000004F10000-memory.dmpFilesize
64KB
-
memory/2792-338-0x00000000032E0000-0x00000000032F0000-memory.dmpFilesize
64KB
-
memory/2792-326-0x00000000032E0000-0x00000000032F0000-memory.dmpFilesize
64KB
-
memory/2792-327-0x00000000032E0000-0x00000000032F0000-memory.dmpFilesize
64KB
-
memory/2792-339-0x0000000070600000-0x000000007064C000-memory.dmpFilesize
304KB
-
memory/2792-340-0x0000000070D90000-0x00000000710E4000-memory.dmpFilesize
3.3MB
-
memory/2792-350-0x000000007F4E0000-0x000000007F4F0000-memory.dmpFilesize
64KB
-
memory/3408-269-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB
-
memory/3408-221-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB
-
memory/3700-173-0x0000000007ED0000-0x0000000007EDA000-memory.dmpFilesize
40KB
-
memory/3700-139-0x0000000005840000-0x0000000005862000-memory.dmpFilesize
136KB
-
memory/3700-135-0x0000000003230000-0x0000000003266000-memory.dmpFilesize
216KB
-
memory/3700-136-0x0000000005910000-0x0000000005F38000-memory.dmpFilesize
6.2MB
-
memory/3700-137-0x0000000003220000-0x0000000003230000-memory.dmpFilesize
64KB
-
memory/3700-138-0x0000000003220000-0x0000000003230000-memory.dmpFilesize
64KB
-
memory/3700-140-0x0000000005F40000-0x0000000005FA6000-memory.dmpFilesize
408KB
-
memory/3700-141-0x00000000061A0000-0x0000000006206000-memory.dmpFilesize
408KB
-
memory/3700-179-0x0000000003220000-0x0000000003230000-memory.dmpFilesize
64KB
-
memory/3700-178-0x0000000003220000-0x0000000003230000-memory.dmpFilesize
64KB
-
memory/3700-177-0x0000000007F70000-0x0000000007F78000-memory.dmpFilesize
32KB
-
memory/3700-176-0x0000000008030000-0x000000000804A000-memory.dmpFilesize
104KB
-
memory/3700-175-0x0000000007F30000-0x0000000007F3E000-memory.dmpFilesize
56KB
-
memory/3700-174-0x0000000007F90000-0x0000000008026000-memory.dmpFilesize
600KB
-
memory/3700-151-0x0000000006820000-0x000000000683E000-memory.dmpFilesize
120KB
-
memory/3700-172-0x0000000005560000-0x000000000557E000-memory.dmpFilesize
120KB
-
memory/3700-162-0x0000000070860000-0x0000000070BB4000-memory.dmpFilesize
3.3MB
-
memory/3700-161-0x00000000706E0000-0x000000007072C000-memory.dmpFilesize
304KB
-
memory/3700-160-0x0000000007DA0000-0x0000000007DD2000-memory.dmpFilesize
200KB
-
memory/3700-159-0x000000007FB50000-0x000000007FB60000-memory.dmpFilesize
64KB
-
memory/3700-152-0x0000000006DC0000-0x0000000006E04000-memory.dmpFilesize
272KB
-
memory/3700-153-0x0000000003220000-0x0000000003230000-memory.dmpFilesize
64KB
-
memory/3700-156-0x0000000007BE0000-0x0000000007BFA000-memory.dmpFilesize
104KB
-
memory/3700-155-0x0000000008260000-0x00000000088DA000-memory.dmpFilesize
6.5MB
-
memory/3700-154-0x0000000007930000-0x00000000079A6000-memory.dmpFilesize
472KB
-
memory/4048-193-0x0000000004770000-0x0000000004780000-memory.dmpFilesize
64KB
-
memory/4048-197-0x0000000070E60000-0x00000000711B4000-memory.dmpFilesize
3.3MB
-
memory/4048-196-0x00000000706E0000-0x000000007072C000-memory.dmpFilesize
304KB
-
memory/4048-195-0x0000000004770000-0x0000000004780000-memory.dmpFilesize
64KB
-
memory/4048-194-0x0000000004770000-0x0000000004780000-memory.dmpFilesize
64KB
-
memory/4048-207-0x000000007F590000-0x000000007F5A0000-memory.dmpFilesize
64KB
-
memory/4236-314-0x0000000070DB0000-0x0000000071104000-memory.dmpFilesize
3.3MB
-
memory/4236-307-0x0000000002CF0000-0x0000000002D00000-memory.dmpFilesize
64KB
-
memory/4236-311-0x0000000002CF0000-0x0000000002D00000-memory.dmpFilesize
64KB
-
memory/4236-312-0x000000007FCF0000-0x000000007FD00000-memory.dmpFilesize
64KB
-
memory/4236-313-0x0000000070600000-0x000000007064C000-memory.dmpFilesize
304KB
-
memory/4236-308-0x0000000002CF0000-0x0000000002D00000-memory.dmpFilesize
64KB
-
memory/4496-157-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB
-
memory/4496-134-0x0000000005280000-0x0000000005B6B000-memory.dmpFilesize
8.9MB
-
memory/4496-158-0x0000000005280000-0x0000000005B6B000-memory.dmpFilesize
8.9MB
-
memory/4496-183-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB
-
memory/4520-363-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB
-
memory/4520-310-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB
-
memory/4520-353-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB
-
memory/4520-365-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB
-
memory/4520-367-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB
-
memory/4520-369-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB
-
memory/4520-371-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB
-
memory/4520-373-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB
-
memory/4520-375-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB
-
memory/4520-377-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB
-
memory/4520-379-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB