Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    41s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-06-2023 10:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    48200d67cc15595516b01ae0c0486302a9eef979ae3c5be2e825b687053b11a0.exe

  • Size

    4.2MB

  • MD5

    c7ce23e7e7ce6b26feba88deaaa21ab4

  • SHA1

    f848e9382b9b2a3c6077108ef683a3d492e7339f

  • SHA256

    48200d67cc15595516b01ae0c0486302a9eef979ae3c5be2e825b687053b11a0

  • SHA512

    5e799680478a5fbae9583045926947f436abd26481ff3b15adfe91c4db497e42750a9bb33bc6096e608da4a182713ef3da278bcd0158eaee06026f2ef2c9bf48

  • SSDEEP

    98304:nxwPu98IQXpACiy6CclaxsM3CJSQ1+gsp/1AQGn9jO:xwPu98IQXaCBwa/CJH+gsdOF9y

Score
10/10
gluptebadropperevasionloaderpersistence

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 5 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 5 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\48200d67cc15595516b01ae0c0486302a9eef979ae3c5be2e825b687053b11a0.exe
    "C:\Users\Admin\AppData\Local\Temp\48200d67cc15595516b01ae0c0486302a9eef979ae3c5be2e825b687053b11a0.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4644
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3308
    • C:\Users\Admin\AppData\Local\Temp\48200d67cc15595516b01ae0c0486302a9eef979ae3c5be2e825b687053b11a0.exe
      "C:\Users\Admin\AppData\Local\Temp\48200d67cc15595516b01ae0c0486302a9eef979ae3c5be2e825b687053b11a0.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4340
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4164
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5028
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:4112
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4588
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2924
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1944
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4480

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yh5vtrs3.arb.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit
  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize

    19KB

    MD5

    da2545a9a517ae9ee5391ad93ad8ed76

    SHA1

    5b2fa84a8cd635662e72d5d8955087c4e2561564

    SHA256

    e7cbd14563407fb6718c346496365940bb614f85d5990315f412aad2db4abe07

    SHA512

    de680f995a4b5148855a9d95c00c6d4c21244dacedb4b87258373a2aa5d90903ca1184e77f7d265408568f7d250c9d2076c2eaf98736891e918eea09a0e3526a

    Download Submit
  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize

    19KB

    MD5

    3b21173a465c2190b11c3b865a6e02aa

    SHA1

    aac33e216030fedeaf0c9068eb5dd5d2b374cff2

    SHA256

    4213941095051b5c4b76e1fa17856b3eb955ba0fffacf59f459ecc2cc6e3cf32

    SHA512

    83f03d45307d44248e511d235c08f8e0fa2034bfc8939211c8c70dcb264d8273207609e3aef8a0f0b90cb7b168d7c8022b3e7883a99e6186102565a76cef4d29

    Download Submit
  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize

    19KB

    MD5

    92036de6d5c2f6a2d811dc78dbe7890e

    SHA1

    3f82963dd32da3b5ff12949a923974270a8209bd

    SHA256

    cb78c50cf11762fcba2154d796dd4afb38dc11c2610e452c7845b63002e1200a

    SHA512

    47905a5a48fd2f164381fe571fa91d8a4c3b8f95b942d4a4534edb7f58c63323401d054841c93281c46dbb39a4e534662d4574fb577b3a4d88a3c2ae8cab8f10

    Download Submit
  • C:\Windows\rss\csrss.exe
    Filesize

    4.2MB

    MD5

    c7ce23e7e7ce6b26feba88deaaa21ab4

    SHA1

    f848e9382b9b2a3c6077108ef683a3d492e7339f

    SHA256

    48200d67cc15595516b01ae0c0486302a9eef979ae3c5be2e825b687053b11a0

    SHA512

    5e799680478a5fbae9583045926947f436abd26481ff3b15adfe91c4db497e42750a9bb33bc6096e608da4a182713ef3da278bcd0158eaee06026f2ef2c9bf48

    Download Submit
  • C:\Windows\rss\csrss.exe
    Filesize

    4.2MB

    MD5

    c7ce23e7e7ce6b26feba88deaaa21ab4

    SHA1

    f848e9382b9b2a3c6077108ef683a3d492e7339f

    SHA256

    48200d67cc15595516b01ae0c0486302a9eef979ae3c5be2e825b687053b11a0

    SHA512

    5e799680478a5fbae9583045926947f436abd26481ff3b15adfe91c4db497e42750a9bb33bc6096e608da4a182713ef3da278bcd0158eaee06026f2ef2c9bf48

    Download Submit
  • memory/2924-248-0x00000000709E0000-0x0000000070A2C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2924-247-0x0000000004CC0000-0x0000000004CD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2924-249-0x0000000071180000-0x00000000714D4000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/2924-259-0x000000007F720000-0x000000007F730000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2924-245-0x0000000004CC0000-0x0000000004CD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2924-241-0x0000000004CC0000-0x0000000004CD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3308-156-0x0000000002B10000-0x0000000002B20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3308-139-0x0000000002B10000-0x0000000002B20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3308-157-0x0000000007620000-0x0000000007652000-memory.dmp
    Filesize

    200KB

    Download
  • memory/3308-158-0x00000000708E0000-0x000000007092C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/3308-159-0x0000000070A80000-0x0000000070DD4000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/3308-168-0x000000007F3C0000-0x000000007F3D0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3308-170-0x0000000007600000-0x000000000761E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/3308-171-0x0000000007750000-0x000000000775A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3308-172-0x0000000007870000-0x0000000007906000-memory.dmp
    Filesize

    600KB

    Download
  • memory/3308-174-0x00000000077B0000-0x00000000077BE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/3308-135-0x0000000002AC0000-0x0000000002AF6000-memory.dmp
    Filesize

    216KB

    Download
  • memory/3308-175-0x0000000007810000-0x000000000782A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/3308-176-0x0000000007800000-0x0000000007808000-memory.dmp
    Filesize

    32KB

    Download
  • memory/3308-136-0x0000000005270000-0x0000000005898000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/3308-137-0x00000000051D0000-0x00000000051F2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/3308-138-0x0000000002B10000-0x0000000002B20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3308-140-0x00000000058A0000-0x0000000005906000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3308-141-0x0000000005980000-0x00000000059E6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3308-151-0x00000000060B0000-0x00000000060CE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/3308-152-0x0000000006660000-0x00000000066A4000-memory.dmp
    Filesize

    272KB

    Download
  • memory/3308-155-0x0000000007480000-0x000000000749A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/3308-154-0x0000000007AE0000-0x000000000815A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/3308-153-0x00000000073E0000-0x0000000007456000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4164-204-0x000000007EEB0000-0x000000007EEC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4164-190-0x0000000004F40000-0x0000000004F50000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4164-191-0x0000000004F40000-0x0000000004F50000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4164-192-0x0000000004F40000-0x0000000004F50000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4164-193-0x00000000709E0000-0x0000000070A2C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/4164-194-0x0000000071180000-0x00000000714D4000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/4340-264-0x0000000000400000-0x000000000295A000-memory.dmp
    Filesize

    37.4MB

    Download
  • memory/4340-218-0x0000000000400000-0x000000000295A000-memory.dmp
    Filesize

    37.4MB

    Download
  • memory/4480-291-0x000000007F340000-0x000000007F350000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4480-281-0x0000000070AE0000-0x0000000070E34000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/4480-280-0x0000000070940000-0x000000007098C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/4480-279-0x0000000000960000-0x0000000000970000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4480-278-0x0000000000960000-0x0000000000970000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4480-277-0x0000000000960000-0x0000000000970000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4588-220-0x00000000023B0000-0x00000000023C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4588-219-0x00000000023B0000-0x00000000023C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4588-221-0x00000000709E0000-0x0000000070A2C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/4588-223-0x00000000023B0000-0x00000000023C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4588-224-0x000000007F0B0000-0x000000007F0C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4588-222-0x0000000071180000-0x00000000714D4000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/4644-180-0x0000000000400000-0x000000000295A000-memory.dmp
    Filesize

    37.4MB

    Download
  • memory/4644-173-0x0000000000400000-0x000000000295A000-memory.dmp
    Filesize

    37.4MB

    Download
  • memory/4644-134-0x0000000004BE0000-0x00000000054CB000-memory.dmp
    Filesize

    8.9MB

    Download