Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
06-06-2023 20:04
General
-
Target
0ac980a4d07f5c606acf9c994cfb86e03ed161b2e48ac51363b464859745ee40.exe
-
Size
4.2MB
-
MD5
1df9b6370344f8152cf661cfef5b33cc
-
SHA1
9182d37faafab0eda848d2141f6780a283d8f6f2
-
SHA256
0ac980a4d07f5c606acf9c994cfb86e03ed161b2e48ac51363b464859745ee40
-
SHA512
dbf4640af9b3048e0fba1ae89a4dac511f842be739b05f1e6ac7465107a0d0a3577ea166ee31f84e3bf42402b46ef865d40b7a44ad6ab3850e3c91e1ad93e233
-
SSDEEP
98304:WUo9FY7WfUngDNq1VwUR/NPDfiCH7lCBzt8qm:7gy7Wf4ZXwUFNrqw4pt8V
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 18 IoCs
-
Windows security bypass 2 TTPs 7 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Windows security modification 2 TTPs 7 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 2 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ac980a4d07f5c606acf9c994cfb86e03ed161b2e48ac51363b464859745ee40.exe"C:\Users\Admin\AppData\Local\Temp\0ac980a4d07f5c606acf9c994cfb86e03ed161b2e48ac51363b464859745ee40.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\0ac980a4d07f5c606acf9c994cfb86e03ed161b2e48ac51363b464859745ee40.exe"C:\Users\Admin\AppData\Local\Temp\0ac980a4d07f5c606acf9c994cfb86e03ed161b2e48ac51363b464859745ee40.exe"2⤵
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qanulsyp.ja0.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD51c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD557e6ceb3111c3a36331d01702bf1b041
SHA1950de7244134786e020524d52bd87bc1f90dacbc
SHA256da63843e2f6982cb5040b17132b5598cc5a1dbdb6b30a3bb74e349bff074c9ac
SHA512cb361375dbffde599a8d1a5c059bd412f0aab170419d1ab17f8d4d777e0de69db10b44b445b521ad0f1c07c94b479e6c8d5292938694069bbf1dd37648a1a3c7
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD5b24856bfb01ad017add518c8ffb792ce
SHA1a5a4e95338f123db581213e28eb044b2754e106a
SHA256e9bbc6346fb2021c6c33dd9674b290bcd91daa7d9d5edf8f661b9c1536c9ab08
SHA51247541a1d260ca88e91ff66de69d8fc4502c4e43905a0de972b46cb87b82892037accb7e191ac384b10c5e3aa1f650103980dc28bebe7e7b6cf19f10ab1b8a37e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD51124490635e48b75e7226bbdcf087127
SHA1858e1335866d208ad1cfd74843b24bcfb4e4907d
SHA256538cbab69da5c5215666a4fdbe9ff8ac9d3d1d613a92787732351364f0625e3b
SHA51262e4a7e33d5432b415c5b4d90fe48fb825bd0b78efb743e03d89c13907f01183ce786e2b5f4f6ba7c022051a9eedd50ab8c79ffc232a3ad121074c2e2747b8ba
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD56a9c94aa8eaa669ebc801308ee1be397
SHA10857d6644dc1ee546cf6ea9fcac640c8a8880fa0
SHA256cc357a5bce11e4cc18bb2ea7eb3eebdb182813fe0fd234a7bc214ad4d8245e15
SHA51294e2dc970cf8a4f62363ef0e7b03811b63345ed5458d88d5a2ca54e4a4b0fa62819b745b35ca1c4742486f072ba92fb90f17f931dcbedd8917cb868642fd1988
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD512b4f2329bd271770db2e6654c9277ec
SHA19475c618faaf6873470fa8eae978f936ab3d2edc
SHA2568279185fb9656066971b7d33c96022d97a0bc71ba2747890d703b291168aa28c
SHA512fa0f8470537e1ce9208c71aad0e94b7b9e2cdf51c3db4a5d407f07c7f4035233f8e45665f0f40d0c86ef89ea531e99f8276bfaaf4a96ad50c57667c3f3a6dcd1
-
C:\Windows\rss\csrss.exeFilesize
4.2MB
MD51df9b6370344f8152cf661cfef5b33cc
SHA19182d37faafab0eda848d2141f6780a283d8f6f2
SHA2560ac980a4d07f5c606acf9c994cfb86e03ed161b2e48ac51363b464859745ee40
SHA512dbf4640af9b3048e0fba1ae89a4dac511f842be739b05f1e6ac7465107a0d0a3577ea166ee31f84e3bf42402b46ef865d40b7a44ad6ab3850e3c91e1ad93e233
-
C:\Windows\rss\csrss.exeFilesize
4.2MB
MD51df9b6370344f8152cf661cfef5b33cc
SHA19182d37faafab0eda848d2141f6780a283d8f6f2
SHA2560ac980a4d07f5c606acf9c994cfb86e03ed161b2e48ac51363b464859745ee40
SHA512dbf4640af9b3048e0fba1ae89a4dac511f842be739b05f1e6ac7465107a0d0a3577ea166ee31f84e3bf42402b46ef865d40b7a44ad6ab3850e3c91e1ad93e233
-
memory/216-766-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB
-
memory/216-595-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB
-
memory/216-1150-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB
-
memory/216-419-0x0000000005170000-0x0000000005A5B000-memory.dmpFilesize
8.9MB
-
memory/216-1154-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB
-
memory/1996-1187-0x0000000009010000-0x00000000090B5000-memory.dmpFilesize
660KB
-
memory/1996-1159-0x0000000007460000-0x00000000077B0000-memory.dmpFilesize
3.3MB
-
memory/1996-1161-0x0000000007B10000-0x0000000007B5B000-memory.dmpFilesize
300KB
-
memory/1996-1162-0x00000000067F0000-0x0000000006800000-memory.dmpFilesize
64KB
-
memory/1996-1163-0x00000000067F0000-0x0000000006800000-memory.dmpFilesize
64KB
-
memory/1996-1205-0x00000000067F0000-0x0000000006800000-memory.dmpFilesize
64KB
-
memory/2128-1403-0x0000000006850000-0x0000000006860000-memory.dmpFilesize
64KB
-
memory/2128-1404-0x00000000075C0000-0x0000000007910000-memory.dmpFilesize
3.3MB
-
memory/2128-1406-0x00000000079B0000-0x00000000079FB000-memory.dmpFilesize
300KB
-
memory/2128-1425-0x000000007F890000-0x000000007F8A0000-memory.dmpFilesize
64KB
-
memory/2128-1430-0x0000000008F10000-0x0000000008FB5000-memory.dmpFilesize
660KB
-
memory/2472-200-0x0000000006690000-0x00000000066A0000-memory.dmpFilesize
64KB
-
memory/2472-192-0x0000000009A20000-0x0000000009A3E000-memory.dmpFilesize
120KB
-
memory/2472-132-0x0000000007AB0000-0x0000000007ACC000-memory.dmpFilesize
112KB
-
memory/2472-133-0x0000000007FF0000-0x000000000803B000-memory.dmpFilesize
300KB
-
memory/2472-152-0x0000000007F20000-0x0000000007F5C000-memory.dmpFilesize
240KB
-
memory/2472-130-0x0000000007640000-0x00000000076A6000-memory.dmpFilesize
408KB
-
memory/2472-129-0x00000000073F0000-0x0000000007456000-memory.dmpFilesize
408KB
-
memory/2472-184-0x0000000008CB0000-0x0000000008D26000-memory.dmpFilesize
472KB
-
memory/2472-191-0x0000000009A40000-0x0000000009A73000-memory.dmpFilesize
204KB
-
memory/2472-131-0x00000000076B0000-0x0000000007A00000-memory.dmpFilesize
3.3MB
-
memory/2472-197-0x0000000009A80000-0x0000000009B25000-memory.dmpFilesize
660KB
-
memory/2472-198-0x0000000009C50000-0x0000000009CE4000-memory.dmpFilesize
592KB
-
memory/2472-199-0x000000007EFA0000-0x000000007EFB0000-memory.dmpFilesize
64KB
-
memory/2472-125-0x0000000006630000-0x0000000006666000-memory.dmpFilesize
216KB
-
memory/2472-126-0x0000000006690000-0x00000000066A0000-memory.dmpFilesize
64KB
-
memory/2472-128-0x0000000007350000-0x0000000007372000-memory.dmpFilesize
136KB
-
memory/2472-393-0x0000000007FA0000-0x0000000007FBA000-memory.dmpFilesize
104KB
-
memory/2472-127-0x0000000006CD0000-0x00000000072F8000-memory.dmpFilesize
6.2MB
-
memory/2472-398-0x0000000007F90000-0x0000000007F98000-memory.dmpFilesize
32KB
-
memory/2488-670-0x0000000004390000-0x00000000043A0000-memory.dmpFilesize
64KB
-
memory/2488-668-0x0000000007480000-0x00000000077D0000-memory.dmpFilesize
3.3MB
-
memory/2488-671-0x0000000004390000-0x00000000043A0000-memory.dmpFilesize
64KB
-
memory/2488-763-0x0000000004390000-0x00000000043A0000-memory.dmpFilesize
64KB
-
memory/2488-694-0x000000007EEF0000-0x000000007EF00000-memory.dmpFilesize
64KB
-
memory/4020-1678-0x0000000004A80000-0x0000000004A90000-memory.dmpFilesize
64KB
-
memory/4020-1675-0x000000007E510000-0x000000007E520000-memory.dmpFilesize
64KB
-
memory/4320-425-0x0000000008A00000-0x0000000008A4B000-memory.dmpFilesize
300KB
-
memory/4320-424-0x00000000072D0000-0x00000000072E0000-memory.dmpFilesize
64KB
-
memory/4320-423-0x00000000072D0000-0x00000000072E0000-memory.dmpFilesize
64KB
-
memory/4320-422-0x0000000007FB0000-0x0000000008300000-memory.dmpFilesize
3.3MB
-
memory/4320-518-0x00000000072D0000-0x00000000072E0000-memory.dmpFilesize
64KB
-
memory/4320-449-0x0000000009A30000-0x0000000009AD5000-memory.dmpFilesize
660KB
-
memory/4320-444-0x000000007EF80000-0x000000007EF90000-memory.dmpFilesize
64KB
-
memory/4812-1499-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB
-
memory/4812-1889-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB
-
memory/4812-1178-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB
-
memory/4812-1894-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB
-
memory/4812-1893-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB
-
memory/4812-1892-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB
-
memory/4812-1891-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB
-
memory/4812-1890-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB
-
memory/4812-1875-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB
-
memory/4876-939-0x000000007E4B0000-0x000000007E4C0000-memory.dmpFilesize
64KB
-
memory/4876-911-0x00000000004F0000-0x0000000000500000-memory.dmpFilesize
64KB
-
memory/4876-912-0x00000000004F0000-0x0000000000500000-memory.dmpFilesize
64KB
-
memory/4876-941-0x00000000004F0000-0x0000000000500000-memory.dmpFilesize
64KB
-
memory/5044-417-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB
-
memory/5044-415-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB
-
memory/5044-164-0x0000000000400000-0x00000000030D0000-memory.dmpFilesize
44.8MB
-
memory/5044-122-0x0000000005240000-0x0000000005B2B000-memory.dmpFilesize
8.9MB