Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-1703_x64 -
resource
win10-20230831-en -
resource tags
-
submitted
29-09-2023 23:44
General
-
Target
edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
-
Size
4.1MB
-
MD5
e90424aede26e1dab377e4fa67d993bd
-
SHA1
beaa664c8ae8862d51a38aad3274213c3392ab8f
-
SHA256
edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a
-
SHA512
fb7186160f8cd8dbfb386df97d1c41c402f6343d3a543f2662e2b25a037386b31c974337680fade5e62f6bae65e59815ecb5a85b15a2a6d056c52841407210c2
-
SSDEEP
98304:oRTkDuHgmYx/lUN44oPlaFTRDd8Vl17ZH+qKHzyof587dicDjg0:SumYx/lUN44oEJmBCTyoq7dicB
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 21 IoCs
-
Windows security bypass 2 TTPs 7 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Windows security modification 2 TTPs 7 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 2 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe"C:\Users\Admin\AppData\Local\Temp\edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe"C:\Users\Admin\AppData\Local\Temp\edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe"2⤵
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3pbqmrwp.uth.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD51c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD52ce388cf40305923633532c53aafbfc4
SHA1507816e9054d02c1ae648fc3e0cb95d2efc16d3d
SHA25682bd8c210a5b0aff40b29f493d7906ef2baf85219ddd815087881017b79b63b0
SHA512106be9e1b8f261ad7581c0c055cdbffa67f9cf9c362d632bf2bfe79ba46d87d5a47e021a24c74432cd331e0db4b92ca81ab00d59b8a836c9f7be723143d65c65
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD59f8139cfc2aa05d5ba84004e5b093285
SHA1f64f90383b24f5122a553177b94ece65e9a832e3
SHA256efb3198d568b0cfc4e10dac5b540698cba4c05b0e841bf235778f34ed2e5eadd
SHA5124c0b75281f25a1ab13fac552d49cba0fd1f5e6d62ed36c3356a988f196aace042749d6f8bfaabf8457f340500aace71214a4589c07c3e65cd9f618ab4d9c10ff
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD584aecdce14f369bbdee17faa4eca303b
SHA172da5791d5dd40de414a2cd57195a6477696081b
SHA256913e4d6c5b650a434bc426bdec4702925a4c065c10a08a45fdaad9beb04f58a6
SHA512c45cf25bd4e785302ce5eabd5d8c5f6e8c4756643a7c304c3aed83e7b01dd5e3f66fa16dbe9072f187d9304c4efa1c5093223de5661b4adf4d54a87d04e7a656
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD5f0d05f7b363feec7c7bcff13de7038ad
SHA1d0caa4856c7b619638390df461474262e31a93f1
SHA25656815b1adc79b61b127cf4359415a33d25884980c66a5f3fad574a113c589b49
SHA512371f9958cdc30e5edc0baaa74cad0ef4ed23b1e9827b03feaf452d10dbe1b509edc9a2bc1d89fb82acee68198c14359fc6651de0829cb68d4026acfbc31b4278
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD516acf995b443e1a57a717896192fd115
SHA106878eae8b5b4af51552649668a1dbd8fc849f3f
SHA256210cfd0d25713827b3ddf7077e0ea5e709716c58ac094f3cb87c681d974e8861
SHA51227f2bb4bf0154a66ac5fc774039cff1c2858212bac20b63e1992096c29b2fabe189ec7ddb6a2ec23dc5445e3e7294fe88b18b7a804fa58400feae78e91c19e91
-
C:\Windows\rss\csrss.exeFilesize
4.1MB
MD5e90424aede26e1dab377e4fa67d993bd
SHA1beaa664c8ae8862d51a38aad3274213c3392ab8f
SHA256edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a
SHA512fb7186160f8cd8dbfb386df97d1c41c402f6343d3a543f2662e2b25a037386b31c974337680fade5e62f6bae65e59815ecb5a85b15a2a6d056c52841407210c2
-
C:\Windows\rss\csrss.exeFilesize
4.1MB
MD5e90424aede26e1dab377e4fa67d993bd
SHA1beaa664c8ae8862d51a38aad3274213c3392ab8f
SHA256edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a
SHA512fb7186160f8cd8dbfb386df97d1c41c402f6343d3a543f2662e2b25a037386b31c974337680fade5e62f6bae65e59815ecb5a85b15a2a6d056c52841407210c2
-
memory/2616-1056-0x00000000003C0000-0x00000000003D0000-memory.dmpFilesize
64KB
-
memory/2616-1055-0x00000000003C0000-0x00000000003D0000-memory.dmpFilesize
64KB
-
memory/2616-1054-0x0000000073140000-0x000000007382E000-memory.dmpFilesize
6.9MB
-
memory/2616-1057-0x0000000007390000-0x00000000076E0000-memory.dmpFilesize
3.3MB
-
memory/2616-1059-0x0000000007E40000-0x0000000007E8B000-memory.dmpFilesize
300KB
-
memory/2616-1078-0x000000006FE70000-0x000000006FEBB000-memory.dmpFilesize
300KB
-
memory/2976-803-0x00000000731E0000-0x00000000738CE000-memory.dmpFilesize
6.9MB
-
memory/2976-831-0x0000000007050000-0x0000000007060000-memory.dmpFilesize
64KB
-
memory/2976-826-0x000000006FF60000-0x00000000702B0000-memory.dmpFilesize
3.3MB
-
memory/2976-825-0x000000006FF10000-0x000000006FF5B000-memory.dmpFilesize
300KB
-
memory/2976-1044-0x00000000731E0000-0x00000000738CE000-memory.dmpFilesize
6.9MB
-
memory/2976-804-0x0000000007050000-0x0000000007060000-memory.dmpFilesize
64KB
-
memory/3396-15-0x0000000008320000-0x000000000836B000-memory.dmpFilesize
300KB
-
memory/3396-66-0x0000000008FF0000-0x0000000009066000-memory.dmpFilesize
472KB
-
memory/3396-84-0x0000000009EA0000-0x0000000009F45000-memory.dmpFilesize
660KB
-
memory/3396-85-0x0000000006E10000-0x0000000006E20000-memory.dmpFilesize
64KB
-
memory/3396-86-0x000000000A0A0000-0x000000000A134000-memory.dmpFilesize
592KB
-
memory/3396-157-0x00000000730E0000-0x00000000737CE000-memory.dmpFilesize
6.9MB
-
memory/3396-280-0x0000000006D30000-0x0000000006D4A000-memory.dmpFilesize
104KB
-
memory/3396-285-0x0000000006D20000-0x0000000006D28000-memory.dmpFilesize
32KB
-
memory/3396-294-0x0000000006E10000-0x0000000006E20000-memory.dmpFilesize
64KB
-
memory/3396-304-0x00000000730E0000-0x00000000737CE000-memory.dmpFilesize
6.9MB
-
memory/3396-5-0x00000000730E0000-0x00000000737CE000-memory.dmpFilesize
6.9MB
-
memory/3396-78-0x000000006FE40000-0x0000000070190000-memory.dmpFilesize
3.3MB
-
memory/3396-77-0x000000006FDF0000-0x000000006FE3B000-memory.dmpFilesize
300KB
-
memory/3396-76-0x000000007F9B0000-0x000000007F9C0000-memory.dmpFilesize
64KB
-
memory/3396-75-0x0000000009E60000-0x0000000009E93000-memory.dmpFilesize
204KB
-
memory/3396-6-0x0000000001250000-0x0000000001286000-memory.dmpFilesize
216KB
-
memory/3396-7-0x0000000006E10000-0x0000000006E20000-memory.dmpFilesize
64KB
-
memory/3396-79-0x0000000009E40000-0x0000000009E5E000-memory.dmpFilesize
120KB
-
memory/3396-35-0x0000000008470000-0x00000000084AC000-memory.dmpFilesize
240KB
-
memory/3396-8-0x0000000006E10000-0x0000000006E20000-memory.dmpFilesize
64KB
-
memory/3396-14-0x0000000007ED0000-0x0000000007EEC000-memory.dmpFilesize
112KB
-
memory/3396-13-0x0000000007B80000-0x0000000007ED0000-memory.dmpFilesize
3.3MB
-
memory/3396-9-0x0000000007450000-0x0000000007A78000-memory.dmpFilesize
6.2MB
-
memory/3396-12-0x0000000007360000-0x00000000073C6000-memory.dmpFilesize
408KB
-
memory/3396-11-0x0000000007210000-0x0000000007276000-memory.dmpFilesize
408KB
-
memory/3396-10-0x0000000007070000-0x0000000007092000-memory.dmpFilesize
136KB
-
memory/3400-0-0x0000000002A30000-0x0000000002E28000-memory.dmpFilesize
4.0MB
-
memory/3400-16-0x0000000002A30000-0x0000000002E28000-memory.dmpFilesize
4.0MB
-
memory/3400-67-0x0000000002E30000-0x000000000371B000-memory.dmpFilesize
8.9MB
-
memory/3400-70-0x0000000000400000-0x0000000000D1B000-memory.dmpFilesize
9.1MB
-
memory/3400-305-0x0000000000400000-0x0000000000D1B000-memory.dmpFilesize
9.1MB
-
memory/3400-2-0x0000000000400000-0x0000000000D1B000-memory.dmpFilesize
9.1MB
-
memory/3400-1-0x0000000002E30000-0x000000000371B000-memory.dmpFilesize
8.9MB
-
memory/3700-1050-0x0000000003000000-0x00000000033F8000-memory.dmpFilesize
4.0MB
-
memory/3700-1800-0x0000000000400000-0x0000000000D1B000-memory.dmpFilesize
9.1MB
-
memory/3700-1791-0x0000000000400000-0x0000000000D1B000-memory.dmpFilesize
9.1MB
-
memory/3700-1804-0x0000000000400000-0x0000000000D1B000-memory.dmpFilesize
9.1MB
-
memory/3700-1797-0x0000000000400000-0x0000000000D1B000-memory.dmpFilesize
9.1MB
-
memory/3700-1798-0x0000000000400000-0x0000000000D1B000-memory.dmpFilesize
9.1MB
-
memory/3700-1799-0x0000000000400000-0x0000000000D1B000-memory.dmpFilesize
9.1MB
-
memory/3700-1299-0x0000000000400000-0x0000000000D1B000-memory.dmpFilesize
9.1MB
-
memory/3700-1051-0x0000000000400000-0x0000000000D1B000-memory.dmpFilesize
9.1MB
-
memory/3700-1803-0x0000000000400000-0x0000000000D1B000-memory.dmpFilesize
9.1MB
-
memory/3700-1802-0x0000000000400000-0x0000000000D1B000-memory.dmpFilesize
9.1MB
-
memory/3700-1801-0x0000000000400000-0x0000000000D1B000-memory.dmpFilesize
9.1MB
-
memory/3736-559-0x00000000731E0000-0x00000000738CE000-memory.dmpFilesize
6.9MB
-
memory/3736-560-0x0000000006780000-0x0000000006790000-memory.dmpFilesize
64KB
-
memory/3736-561-0x0000000006780000-0x0000000006790000-memory.dmpFilesize
64KB
-
memory/3736-581-0x000000006FF10000-0x000000006FF5B000-memory.dmpFilesize
300KB
-
memory/3736-582-0x000000006FF60000-0x00000000702B0000-memory.dmpFilesize
3.3MB
-
memory/3736-800-0x00000000731E0000-0x00000000738CE000-memory.dmpFilesize
6.9MB
-
memory/3736-587-0x0000000006780000-0x0000000006790000-memory.dmpFilesize
64KB
-
memory/4804-306-0x0000000002AB0000-0x0000000002EA8000-memory.dmpFilesize
4.0MB
-
memory/4804-554-0x0000000000400000-0x0000000000D1B000-memory.dmpFilesize
9.1MB
-
memory/4804-824-0x0000000000400000-0x0000000000D1B000-memory.dmpFilesize
9.1MB
-
memory/4804-555-0x0000000000400000-0x0000000000D1B000-memory.dmpFilesize
9.1MB
-
memory/4804-1048-0x0000000000400000-0x0000000000D1B000-memory.dmpFilesize
9.1MB
-
memory/4804-307-0x0000000000400000-0x0000000000D1B000-memory.dmpFilesize
9.1MB
-
memory/4992-333-0x000000006FF60000-0x00000000702B0000-memory.dmpFilesize
3.3MB
-
memory/4992-312-0x0000000007A70000-0x0000000007DC0000-memory.dmpFilesize
3.3MB
-
memory/4992-338-0x0000000009560000-0x0000000009605000-memory.dmpFilesize
660KB
-
memory/4992-339-0x0000000006E00000-0x0000000006E10000-memory.dmpFilesize
64KB
-
memory/4992-553-0x00000000731E0000-0x00000000738CE000-memory.dmpFilesize
6.9MB
-
memory/4992-332-0x000000006FF10000-0x000000006FF5B000-memory.dmpFilesize
300KB
-
memory/4992-313-0x0000000008370000-0x00000000083BB000-memory.dmpFilesize
300KB
-
memory/4992-310-0x00000000731E0000-0x00000000738CE000-memory.dmpFilesize
6.9MB
-
memory/4992-311-0x0000000006E00000-0x0000000006E10000-memory.dmpFilesize
64KB