Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    67s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-06-2023 12:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f93570e38218ed19f5bb11f232309d26fe71fd0b2b108aa1e273cacec9c68dd8.exe

  • Size

    4.2MB

  • MD5

    15851aef64e9d9a2dd03b5da99e1f943

  • SHA1

    a07155e27a95f4534a09bda15d8187f26e27c97e

  • SHA256

    f93570e38218ed19f5bb11f232309d26fe71fd0b2b108aa1e273cacec9c68dd8

  • SHA512

    4442e5e0e3dc2bf6b4d3010213c914229274dc019c47569767ebe1df02c10d7ddb2a88440d3c199324750bc47ad4fd7e81fde6b506fa023c1de2c6e44c79fb07

  • SSDEEP

    98304:75utYctoVARBg2MaaK1g5FJFgQb/OdplY5OuY4di3MrYj:742GQAvSM1iXFgQUplwOP4IMrYj

Score
10/10
gluptebadiscoverydropperevasionloaderpersistence

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 5 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 6 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\f93570e38218ed19f5bb11f232309d26fe71fd0b2b108aa1e273cacec9c68dd8.exe
    "C:\Users\Admin\AppData\Local\Temp\f93570e38218ed19f5bb11f232309d26fe71fd0b2b108aa1e273cacec9c68dd8.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5012
    • C:\Users\Admin\AppData\Local\Temp\f93570e38218ed19f5bb11f232309d26fe71fd0b2b108aa1e273cacec9c68dd8.exe
      "C:\Users\Admin\AppData\Local\Temp\f93570e38218ed19f5bb11f232309d26fe71fd0b2b108aa1e273cacec9c68dd8.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:636
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4644
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4020
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:1208
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3300
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3340
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2488
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4976
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:1152
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:1236
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4728

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vt5zlucz.klw.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit
    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      dbc0b6f99b5a27b8dd963456e05729cf

      SHA1

      227fb9898d89b518c111ac3f8e1bb22e363e91af

      SHA256

      77fbc89700731ab5ad9341aa5b3c707c7611d6ad667371a7b37cc558388d0e95

      SHA512

      05a2fa7b2890fac41949c08cb556aa5951bf76ae7e83c809deb8be73c5b737d951849c9f1a3d9d95769833e9f485427b8736fab17f1c3aee22cf7c6bb67cc520

      Download Submit
    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      218063d4c801a04c03c96788bf0c09df

      SHA1

      f4343464f9a71ef52699c8eeeabf84e12977657f

      SHA256

      1e47178eee3a19f2c6d36623d2306b93914aa57929b0014558d2bde53af1a4a7

      SHA512

      93aba80890c665da18385dcef95ee33e49c26fa8b1b9c00f16489aa744fe5b61e07f17a2a1503d5cec65279c025ca5d8d23246c92ed9a85607340f888e607be8

      Download Submit
    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      799e8b8b8896d5ae35c3382055cb3538

      SHA1

      aca6e22d02fd05b068522dac9f6ed5a8109711cf

      SHA256

      a65d6b116da73566686061d504e39f4afaae9b80a2f275b0d81e2f6026af322a

      SHA512

      ebc619df4e7574ab67049559f48991bb2cb4881bfa98e24eb2d4f63314f2b0efdc7673c468a029eb9e3d0eb58247802cf0cf1e707c082ca7f14fa3f1a09e1a42

      Download Submit
    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      72f53c4a6fab879f90a75a4dc60023eb

      SHA1

      28278585f808719d9d4dcca988a4767de43cd261

      SHA256

      e8be46d36e7d12ce6d6de5c0eae2b1b5f0d8b99ade667223b2645aef05d6117d

      SHA512

      7e60928601dfc1eb0e134a3dba2756553c2acbed599877c4f5d949f23261f19f0c22818cf1aa1b4e060054bf20a43e9f352d39f0e81bdebd03da9637b0f21776

      Download Submit
    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      15851aef64e9d9a2dd03b5da99e1f943

      SHA1

      a07155e27a95f4534a09bda15d8187f26e27c97e

      SHA256

      f93570e38218ed19f5bb11f232309d26fe71fd0b2b108aa1e273cacec9c68dd8

      SHA512

      4442e5e0e3dc2bf6b4d3010213c914229274dc019c47569767ebe1df02c10d7ddb2a88440d3c199324750bc47ad4fd7e81fde6b506fa023c1de2c6e44c79fb07

      Download Submit
    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      15851aef64e9d9a2dd03b5da99e1f943

      SHA1

      a07155e27a95f4534a09bda15d8187f26e27c97e

      SHA256

      f93570e38218ed19f5bb11f232309d26fe71fd0b2b108aa1e273cacec9c68dd8

      SHA512

      4442e5e0e3dc2bf6b4d3010213c914229274dc019c47569767ebe1df02c10d7ddb2a88440d3c199324750bc47ad4fd7e81fde6b506fa023c1de2c6e44c79fb07

      Download Submit
    • memory/636-218-0x0000000000400000-0x0000000002959000-memory.dmp
      Filesize

      37.3MB

      Download
    • memory/636-267-0x0000000000400000-0x0000000002959000-memory.dmp
      Filesize

      37.3MB

      Download
    • memory/2604-134-0x0000000004C70000-0x000000000555B000-memory.dmp
      Filesize

      8.9MB

      Download
    • memory/2604-173-0x0000000000400000-0x0000000002959000-memory.dmp
      Filesize

      37.3MB

      Download
    • memory/2604-204-0x0000000000400000-0x0000000002959000-memory.dmp
      Filesize

      37.3MB

      Download
    • memory/3300-233-0x000000007FBF0000-0x000000007FC00000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3300-223-0x00000000709E0000-0x0000000070D34000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3300-222-0x0000000070260000-0x00000000702AC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/3300-221-0x0000000002730000-0x0000000002740000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3300-220-0x0000000002730000-0x0000000002740000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3300-219-0x0000000002730000-0x0000000002740000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3340-249-0x00000000045E0000-0x00000000045F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3340-236-0x00000000045E0000-0x00000000045F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3340-251-0x000000007F840000-0x000000007F850000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3340-250-0x00000000703E0000-0x0000000070734000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3340-248-0x0000000070260000-0x00000000702AC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/3340-237-0x00000000045E0000-0x00000000045F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4644-203-0x000000007FC00000-0x000000007FC10000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4644-180-0x0000000004570000-0x0000000004580000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4644-190-0x0000000004570000-0x0000000004580000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4644-191-0x0000000004570000-0x0000000004580000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4644-192-0x0000000070260000-0x00000000702AC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/4644-193-0x00000000709E0000-0x0000000070D34000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4728-306-0x0000000002F40000-0x0000000002F50000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4728-308-0x0000000070910000-0x0000000070C64000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4728-307-0x0000000070180000-0x00000000701CC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/4728-318-0x0000000002F40000-0x0000000002F50000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4728-305-0x0000000002F40000-0x0000000002F50000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4976-279-0x0000000004830000-0x0000000004840000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4976-292-0x000000007F060000-0x000000007F070000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4976-291-0x0000000004830000-0x0000000004840000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4976-281-0x00000000703E0000-0x0000000070734000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4976-280-0x0000000070260000-0x00000000702AC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/4976-278-0x0000000004830000-0x0000000004840000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5012-157-0x0000000007510000-0x0000000007542000-memory.dmp
      Filesize

      200KB

      Download
    • memory/5012-176-0x00000000076F0000-0x00000000076F8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/5012-141-0x0000000005800000-0x0000000005866000-memory.dmp
      Filesize

      408KB

      Download
    • memory/5012-174-0x00000000076B0000-0x00000000076BE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/5012-170-0x00000000074F0000-0x000000000750E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/5012-140-0x0000000005790000-0x00000000057F6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/5012-172-0x0000000007750000-0x00000000077E6000-memory.dmp
      Filesize

      600KB

      Download
    • memory/5012-139-0x00000000050B0000-0x00000000050D2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/5012-138-0x0000000004B20000-0x0000000004B30000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5012-137-0x0000000004B20000-0x0000000004B30000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5012-136-0x0000000005160000-0x0000000005788000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/5012-175-0x0000000007700000-0x000000000771A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/5012-151-0x0000000005F90000-0x0000000005FAE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/5012-152-0x0000000006550000-0x0000000006594000-memory.dmp
      Filesize

      272KB

      Download
    • memory/5012-153-0x00000000072C0000-0x0000000007336000-memory.dmp
      Filesize

      472KB

      Download
    • memory/5012-154-0x00000000079C0000-0x000000000803A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/5012-156-0x0000000004B20000-0x0000000004B30000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5012-135-0x0000000002650000-0x0000000002686000-memory.dmp
      Filesize

      216KB

      Download
    • memory/5012-155-0x0000000007360000-0x000000000737A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/5012-159-0x000000007F9F0000-0x000000007FA00000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5012-158-0x0000000070260000-0x00000000702AC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/5012-160-0x0000000070400000-0x0000000070754000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/5012-171-0x0000000007640000-0x000000000764A000-memory.dmp
      Filesize

      40KB

      Download