Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
08-06-2023 12:50
General
-
Target
6ced1dc3a8171332006da8976aba5fb4052f450a02f67de243fac2361a009b97.exe
-
Size
4.2MB
-
MD5
147308c25da30689734d6ae427671a0e
-
SHA1
74787f98f301a726c0c407d91dc72c7215d6946a
-
SHA256
6ced1dc3a8171332006da8976aba5fb4052f450a02f67de243fac2361a009b97
-
SHA512
7c08733f754b3c5e3ff86f9dbaec89edea06aa4e2b69295fd83ee372ff38079318ad39ff12fff73a278f5acbedde8f19710c7148b349101fb49ba80158c317dc
-
SSDEEP
98304:N4Oukmwozu5N1sjvc6C5HzAFpDV4v2Gff887WFFSEVpe1l6UqT5uNjp:0xw0u5Xsj06C5HzAFtV4vjftWfSDTd4k
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 16 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 2 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6ced1dc3a8171332006da8976aba5fb4052f450a02f67de243fac2361a009b97.exe"C:\Users\Admin\AppData\Local\Temp\6ced1dc3a8171332006da8976aba5fb4052f450a02f67de243fac2361a009b97.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\6ced1dc3a8171332006da8976aba5fb4052f450a02f67de243fac2361a009b97.exe"C:\Users\Admin\AppData\Local\Temp\6ced1dc3a8171332006da8976aba5fb4052f450a02f67de243fac2361a009b97.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_djfcpx02.a5e.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD524ed1ed26646f0e918f526b1c91a8d0d
SHA16e5cb73cbdf21a3847e13caabb46f95aef6b36cd
SHA2565befd0ff88823433f6794980cdcc048eeb76b0a62d2a2c0d2a38f0be08e86924
SHA51293469bc13155d8c17061e084047294a7b8ee4e4b0884cd99d411195f1b4abf33b68da7a0a0cea5a57606cfa31aacc86dcdde15ca038dcf7183e10a117bbbaba6
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5f5149eab872ee463fbac0fd928b18930
SHA154608df725da92f12b220b7463199218e4cab17c
SHA25630fa240f02017f31c6b24fb693709b3640aace9a57fc610cebd765d0a7863f3f
SHA512e801a942852343bb39fdd50251e76c03e81f0c8553887025972291020b9e2c1342f6c4cab7817155decbf8407e5baed5c0ad826cf3358f1f4cebd5c35c7782d8
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD59160eb9aa28b68ea47e56aa389668a9e
SHA1d26b861c6014ac0755995cb7b60e5646be54c164
SHA25608396fd75b1691c1fbe2fa9c06d6aff4e19a5729888baa3e980de9d20367a52a
SHA512ce2e28e99e7d62c5287e341cd07e2f879f1ee3ed3e790e296fb9fdce2d13ecc8c0864e640bd9152425e75fbf9eb870953890318a8320e28365689a8170d2c1f9
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD53f39593b5550585e3153e8fe9d862802
SHA14460828b3086e2e37d3b242ecb60fd8d4e04a60b
SHA256d0068c8692301567fca357ed1f2caa927eeab19f498951c30a7d25e67ce99f3d
SHA512a71dd8e9fb221190bdc2bf96179ad594e9d84d3b960a8af640b1afef7cd8c7ff33d43bb1405b5b8f6c9b4e9f2b420a6d4513527a1b2841ae6e7f065e4fe971ac
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5f19881d077fbd1d69174be5826962358
SHA1f53406c818979fc5f575e0c7ae91ef60f72b4c77
SHA256635866fede9fd1f1beb6a734743587b212f119c1aa87f963e0ff7abdb1646ecd
SHA512cddd5f0c34c3e8b294aa545d0bd13311f94285db906e2d29bb4ae43711d9f1d55bcaa24ea8c61d22187dcdd59f656bc107b77b9b6a70d8e47d7f002105136743
-
C:\Windows\rss\csrss.exeFilesize
4.2MB
MD5147308c25da30689734d6ae427671a0e
SHA174787f98f301a726c0c407d91dc72c7215d6946a
SHA2566ced1dc3a8171332006da8976aba5fb4052f450a02f67de243fac2361a009b97
SHA5127c08733f754b3c5e3ff86f9dbaec89edea06aa4e2b69295fd83ee372ff38079318ad39ff12fff73a278f5acbedde8f19710c7148b349101fb49ba80158c317dc
-
C:\Windows\rss\csrss.exeFilesize
4.2MB
MD5147308c25da30689734d6ae427671a0e
SHA174787f98f301a726c0c407d91dc72c7215d6946a
SHA2566ced1dc3a8171332006da8976aba5fb4052f450a02f67de243fac2361a009b97
SHA5127c08733f754b3c5e3ff86f9dbaec89edea06aa4e2b69295fd83ee372ff38079318ad39ff12fff73a278f5acbedde8f19710c7148b349101fb49ba80158c317dc
-
memory/1192-179-0x0000000000400000-0x00000000030DE000-memory.dmpFilesize
44.9MB
-
memory/1192-157-0x0000000000400000-0x00000000030DE000-memory.dmpFilesize
44.9MB
-
memory/1192-134-0x0000000005260000-0x0000000005B4B000-memory.dmpFilesize
8.9MB
-
memory/2244-266-0x0000000000400000-0x00000000030DE000-memory.dmpFilesize
44.9MB
-
memory/2244-232-0x0000000000400000-0x00000000030DE000-memory.dmpFilesize
44.9MB
-
memory/2848-204-0x000000007F770000-0x000000007F780000-memory.dmpFilesize
64KB
-
memory/2848-194-0x0000000070DA0000-0x00000000710F4000-memory.dmpFilesize
3.3MB
-
memory/2848-193-0x0000000070600000-0x000000007064C000-memory.dmpFilesize
304KB
-
memory/2848-192-0x0000000004BB0000-0x0000000004BC0000-memory.dmpFilesize
64KB
-
memory/2848-191-0x0000000004BB0000-0x0000000004BC0000-memory.dmpFilesize
64KB
-
memory/2848-190-0x0000000004BB0000-0x0000000004BC0000-memory.dmpFilesize
64KB
-
memory/3256-221-0x0000000070600000-0x000000007064C000-memory.dmpFilesize
304KB
-
memory/3256-220-0x0000000004BC0000-0x0000000004BD0000-memory.dmpFilesize
64KB
-
memory/3256-219-0x0000000004BC0000-0x0000000004BD0000-memory.dmpFilesize
64KB
-
memory/3256-218-0x0000000004BC0000-0x0000000004BD0000-memory.dmpFilesize
64KB
-
memory/3256-222-0x0000000070DC0000-0x0000000071114000-memory.dmpFilesize
3.3MB
-
memory/3256-233-0x000000007F750000-0x000000007F760000-memory.dmpFilesize
64KB
-
memory/3436-278-0x0000000004B20000-0x0000000004B30000-memory.dmpFilesize
64KB
-
memory/3436-290-0x0000000004B20000-0x0000000004B30000-memory.dmpFilesize
64KB
-
memory/3436-280-0x0000000070D00000-0x0000000071054000-memory.dmpFilesize
3.3MB
-
memory/3436-267-0x0000000004B20000-0x0000000004B30000-memory.dmpFilesize
64KB
-
memory/3436-279-0x0000000070560000-0x00000000705AC000-memory.dmpFilesize
304KB
-
memory/3436-291-0x000000007FDD0000-0x000000007FDE0000-memory.dmpFilesize
64KB
-
memory/3480-172-0x0000000007B80000-0x0000000007B8A000-memory.dmpFilesize
40KB
-
memory/3480-138-0x0000000002EA0000-0x0000000002EB0000-memory.dmpFilesize
64KB
-
memory/3480-175-0x0000000007CF0000-0x0000000007D0A000-memory.dmpFilesize
104KB
-
memory/3480-174-0x0000000007BF0000-0x0000000007BFE000-memory.dmpFilesize
56KB
-
memory/3480-173-0x0000000007C50000-0x0000000007CE6000-memory.dmpFilesize
600KB
-
memory/3480-171-0x0000000007A20000-0x0000000007A3E000-memory.dmpFilesize
120KB
-
memory/3480-161-0x000000007F2E0000-0x000000007F2F0000-memory.dmpFilesize
64KB
-
memory/3480-160-0x0000000070680000-0x00000000709D4000-memory.dmpFilesize
3.3MB
-
memory/3480-159-0x0000000070500000-0x000000007054C000-memory.dmpFilesize
304KB
-
memory/3480-135-0x0000000002F30000-0x0000000002F66000-memory.dmpFilesize
216KB
-
memory/3480-176-0x0000000007C30000-0x0000000007C38000-memory.dmpFilesize
32KB
-
memory/3480-140-0x0000000005DF0000-0x0000000005E56000-memory.dmpFilesize
408KB
-
memory/3480-136-0x0000000005750000-0x0000000005D78000-memory.dmpFilesize
6.2MB
-
memory/3480-137-0x0000000002EA0000-0x0000000002EB0000-memory.dmpFilesize
64KB
-
memory/3480-139-0x0000000005640000-0x0000000005662000-memory.dmpFilesize
136KB
-
memory/3480-158-0x0000000007A40000-0x0000000007A72000-memory.dmpFilesize
200KB
-
memory/3480-156-0x0000000007890000-0x00000000078AA000-memory.dmpFilesize
104KB
-
memory/3480-155-0x0000000007EF0000-0x000000000856A000-memory.dmpFilesize
6.5MB
-
memory/3480-154-0x0000000002EA0000-0x0000000002EB0000-memory.dmpFilesize
64KB
-
memory/3480-153-0x00000000077F0000-0x0000000007866000-memory.dmpFilesize
472KB
-
memory/3480-152-0x0000000007620000-0x0000000007664000-memory.dmpFilesize
272KB
-
memory/3480-151-0x00000000064F0000-0x000000000650E000-memory.dmpFilesize
120KB
-
memory/3480-141-0x0000000005ED0000-0x0000000005F36000-memory.dmpFilesize
408KB
-
memory/3948-305-0x0000000070480000-0x00000000704CC000-memory.dmpFilesize
304KB
-
memory/3948-306-0x0000000070620000-0x0000000070974000-memory.dmpFilesize
3.3MB
-
memory/3948-318-0x000000007EE60000-0x000000007EE70000-memory.dmpFilesize
64KB
-
memory/3948-303-0x0000000004FF0000-0x0000000005000000-memory.dmpFilesize
64KB
-
memory/3948-304-0x0000000004FF0000-0x0000000005000000-memory.dmpFilesize
64KB
-
memory/3948-317-0x0000000004FF0000-0x0000000005000000-memory.dmpFilesize
64KB
-
memory/4644-364-0x0000000000400000-0x00000000030DE000-memory.dmpFilesize
44.9MB
-
memory/4644-307-0x0000000000400000-0x00000000030DE000-memory.dmpFilesize
44.9MB
-
memory/4644-360-0x0000000000400000-0x00000000030DE000-memory.dmpFilesize
44.9MB
-
memory/4644-362-0x0000000000400000-0x00000000030DE000-memory.dmpFilesize
44.9MB
-
memory/4644-358-0x0000000000400000-0x00000000030DE000-memory.dmpFilesize
44.9MB
-
memory/4644-356-0x0000000000400000-0x00000000030DE000-memory.dmpFilesize
44.9MB
-
memory/4644-366-0x0000000000400000-0x00000000030DE000-memory.dmpFilesize
44.9MB
-
memory/4644-354-0x0000000000400000-0x00000000030DE000-memory.dmpFilesize
44.9MB
-
memory/4644-368-0x0000000000400000-0x00000000030DE000-memory.dmpFilesize
44.9MB
-
memory/4644-370-0x0000000000400000-0x00000000030DE000-memory.dmpFilesize
44.9MB
-
memory/4644-351-0x0000000000400000-0x00000000030DE000-memory.dmpFilesize
44.9MB
-
memory/4648-334-0x0000000070480000-0x00000000704CC000-memory.dmpFilesize
304KB
-
memory/4648-345-0x000000007F200000-0x000000007F210000-memory.dmpFilesize
64KB
-
memory/4648-335-0x0000000070600000-0x0000000070954000-memory.dmpFilesize
3.3MB
-
memory/4648-333-0x0000000004980000-0x0000000004990000-memory.dmpFilesize
64KB
-
memory/4648-331-0x0000000004980000-0x0000000004990000-memory.dmpFilesize
64KB
-
memory/4648-330-0x0000000004980000-0x0000000004990000-memory.dmpFilesize
64KB
-
memory/4692-259-0x000000007F400000-0x000000007F410000-memory.dmpFilesize
64KB
-
memory/4692-249-0x0000000070780000-0x0000000070AD4000-memory.dmpFilesize
3.3MB
-
memory/4692-248-0x0000000070600000-0x000000007064C000-memory.dmpFilesize
304KB
-
memory/4692-247-0x0000000004710000-0x0000000004720000-memory.dmpFilesize
64KB
-
memory/4692-246-0x0000000004710000-0x0000000004720000-memory.dmpFilesize
64KB
-
memory/4692-245-0x0000000004710000-0x0000000004720000-memory.dmpFilesize
64KB