Analysis
max time kernel: 1s
max time network: 297s
platform: windows10-1703_x64
resource: win10-20230915-en
resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
submitted: 04-10-2023 04:50
Static task: static1
Behavioral task: behavioral1
Sample: ce7b0783e87e1974213864280e37b1ab730e793ab7dcc5412259f38d534d23e3.exe
Resource: win7-20230831-en
General
Target: ce7b0783e87e1974213864280e37b1ab730e793ab7dcc5412259f38d534d23e3.exe
Size: 4.2MB
MD5: 3846106708654eaa9433f717849774d8
SHA1: a8c36621b19991da6f45b73e5287ed77178baa13
SHA256: ce7b0783e87e1974213864280e37b1ab730e793ab7dcc5412259f38d534d23e3
SHA512: 9535319edf324b91ecfb59352db745f9e9c67ea5f9fa850473c9b8eb60b116ea87db39aa15bf3f4090db9f73832781af8fa57202e30dadbf8952dda69dfbca7f
SSDEEP: 98304:eSkVqNhRHpKBRuAihDmYYmAkw9jzqk4WR+erAuF:sVqYuAiV0d9je5ns
Malware Config
Signatures
Glupteba payload 28 IoCs
resource  yara_rule
behavioral2/memory/5048-2-0x0000000004900000-0x00000000051EB000-memory.dmp  family_glupteba
behavioral2/memory/5048-3-0x0000000000400000-0x0000000002675000-memory.dmp  family_glupteba
behavioral2/memory/5048-83-0x0000000004900000-0x00000000051EB000-memory.dmp  family_glupteba
behavioral2/memory/5048-299-0x0000000000400000-0x0000000002675000-memory.dmp  family_glupteba
behavioral2/memory/5048-303-0x0000000000400000-0x0000000002675000-memory.dmp  family_glupteba
behavioral2/memory/1864-306-0x00000000047D0000-0x00000000050BB000-memory.dmp  family_glupteba
behavioral2/memory/1864-307-0x0000000000400000-0x0000000002675000-memory.dmp  family_glupteba
behavioral2/memory/1864-562-0x0000000000400000-0x0000000002675000-memory.dmp  family_glupteba
behavioral2/memory/1864-903-0x0000000000400000-0x0000000002675000-memory.dmp  family_glupteba
behavioral2/memory/1864-1050-0x0000000000400000-0x0000000002675000-memory.dmp  family_glupteba
behavioral2/memory/4624-1056-0x0000000000400000-0x0000000002675000-memory.dmp  family_glupteba
behavioral2/memory/4624-1795-0x0000000000400000-0x0000000002675000-memory.dmp  family_glupteba
behavioral2/memory/4624-1801-0x0000000000400000-0x0000000002675000-memory.dmp  family_glupteba
behavioral2/memory/4624-1802-0x0000000000400000-0x0000000002675000-memory.dmp  family_glupteba
behavioral2/memory/4624-1811-0x0000000000400000-0x0000000002675000-memory.dmp  family_glupteba
behavioral2/memory/4624-1813-0x0000000000400000-0x0000000002675000-memory.dmp  family_glupteba
behavioral2/memory/4624-1815-0x0000000000400000-0x0000000002675000-memory.dmp  family_glupteba
behavioral2/memory/4624-1817-0x0000000000400000-0x0000000002675000-memory.dmp  family_glupteba
behavioral2/memory/4624-1819-0x0000000000400000-0x0000000002675000-memory.dmp  family_glupteba
behavioral2/memory/4624-1821-0x0000000000400000-0x0000000002675000-memory.dmp  family_glupteba
behavioral2/memory/4624-1823-0x0000000000400000-0x0000000002675000-memory.dmp  family_glupteba
behavioral2/memory/4624-1825-0x0000000000400000-0x0000000002675000-memory.dmp  family_glupteba
behavioral2/memory/4624-1827-0x0000000000400000-0x0000000002675000-memory.dmp  family_glupteba
behavioral2/memory/4624-1829-0x0000000000400000-0x0000000002675000-memory.dmp  family_glupteba
behavioral2/memory/4624-1831-0x0000000000400000-0x0000000002675000-memory.dmp  family_glupteba
behavioral2/memory/4624-1833-0x0000000000400000-0x0000000002675000-memory.dmp  family_glupteba
behavioral2/memory/4624-1835-0x0000000000400000-0x0000000002675000-memory.dmp  family_glupteba
behavioral2/memory/4624-1837-0x0000000000400000-0x0000000002675000-memory.dmp  family_glupteba
Modifies Windows Firewall 1 TTPs 1 IoCs
pid  Process
2408  netsh.exe

resource  yara_rule
behavioral2/files/0x000c00000000063f-1806.dat  upx
behavioral2/files/0x000c00000000063f-1805.dat  upx
behavioral2/files/0x000c00000000063f-1808.dat  upx
behavioral2/memory/3428-1810-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
behavioral2/memory/1392-1812-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
behavioral2/memory/1392-1816-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid  Process
2784  sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
2096  schtasks.exe
3968  schtasks.exe
Processes
C:\Users\Admin\AppData\Local\Temp\ce7b0783e87e1974213864280e37b1ab730e793ab7dcc5412259f38d534d23e3.exe
  command: "C:\Users\Admin\AppData\Local\Temp\ce7b0783e87e1974213864280e37b1ab730e793ab7dcc5412259f38d534d23e3.exe"
  PID: 5048
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command: powershell -nologo -noprofile
      PID: 2696
    C:\Users\Admin\AppData\Local\Temp\ce7b0783e87e1974213864280e37b1ab730e793ab7dcc5412259f38d534d23e3.exe
      command: "C:\Users\Admin\AppData\Local\Temp\ce7b0783e87e1974213864280e37b1ab730e793ab7dcc5412259f38d534d23e3.exe"
      PID: 1864
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command: powershell -nologo -noprofile
          PID: 5052
        C:\Windows\System32\cmd.exe
          command: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
          PID: 4280
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command: powershell -nologo -noprofile
          PID: 2784
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command: powershell -nologo -noprofile
          PID: 2288
        C:\Windows\rss\csrss.exe
          command: C:\Windows\rss\csrss.exe
          PID: 4624
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              command: powershell -nologo -noprofile
              PID: 5072
            C:\Windows\SYSTEM32\schtasks.exe
              command: schtasks /delete /tn ScheduledUpdate /f
              PID: 4236
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              command: powershell -nologo -noprofile
              PID: 4052
            C:\Windows\SYSTEM32\schtasks.exe
              command: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              signature: Creates scheduled task(s)
              PID: 2096
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              command: powershell -nologo -noprofile
              PID: 2188
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
              command: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
              PID: 1632
            C:\Windows\SYSTEM32\schtasks.exe
              command: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              signature: Creates scheduled task(s)
              PID: 3968
            C:\Windows\windefender.exe
              command: "C:\Windows\windefender.exe"
              PID: 3428

C:\Windows\system32\netsh.exe
  command: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
  signature: Modifies Windows Firewall
  PID: 2408

C:\Windows\SysWOW64\sc.exe
  command: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
  signature: Launches sc.exe
  PID: 2784

C:\Windows\SysWOW64\cmd.exe
  command: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
  PID: 4028

C:\Windows\windefender.exe
  command: C:\Windows\windefender.exe
  PID: 1392
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1B
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Filesize: 281KB
MD5: d98e33b66343e7c96158444127a117f6
SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Filesize: 281KB
MD5: d98e33b66343e7c96158444127a117f6
SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: 1c19c16e21c97ed42d5beabc93391fc5
SHA1: 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA256: 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA512: 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 18KB
MD5: 4014541be58876cf916f8d67b5c28acf
SHA1: d689e495e832e4cef2843eb759f58d0e9d74b284
SHA256: 1adb3f0701da2a76e31e8ffefcde809e86665a8dc90e37e36448780ca2d73fed
SHA512: 8c198dabc3bf4d80e5c47ea2a72e9f276275c193cc91fc8ab2c2fef373ab94c18abf4c86a2d9a829a07226560c70990621f0338a9145cd0677bf04e416497b89

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 18KB
MD5: 6607b660c1aa711fcbd52fd3b9938fc2
SHA1: 7030d02fd06f433ace8b9e0dbe892a7d96d7d64f
SHA256: 937bc9d76823ce4a4ce9d3dd989b2832de996d050de8657cbf4d956253a7997f
SHA512: a238dd5d3bbb2e90c4062fe4c16c79d3b8be160a486c84f1c710a634c95ef468c7d1676333bef148e71a63df044c79f64dcaf7950452a823136219d8d86eb731

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 18KB
MD5: 70ca9f70b59f9c52ba5966756b0da81a
SHA1: c35ea8b6109cc5a8ed339d7a120be681dcbd058d
SHA256: d195a07dca8c091bf4976869f8067dcd80c77b632b6dda340b08cde9bbc02fce
SHA512: a691c3b9711fe55db357998756be7d7dd59d9c0a8c26833363f09c621752ca04678212843e04deac4838f86024fbd96dd3969ff22c204a6ccfee0cee5cae5bce

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 18KB
MD5: 24cc8674ee8fa672417ef366c6a660ba
SHA1: 8c57cb29b4e1baf3e1cc8709f5d8977b0b70ecbe
SHA256: 7fe815023603a675f36c67aecfad228d9bcd7c2fc409bc21f8c81a394fcfed46
SHA512: 32c154806ff10679cff5c0662c9e29484f4eeb81723d6ab447f3c9c913afda870fa577c43008d186f53442fd5322a17ada5880c847c042286cf87a202d49e2a9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 18KB
MD5: 4ed136f51f8a935b520ac88fee14ef3f
SHA1: b162054ad0dc34dc5ee874ab7c65939d50c7520e
SHA256: 6bf815435e0db8bb29208be802726004fb801ad660d26a4887f1511f7721c3bd
SHA512: 1a9d2e80be1b72ec2a37cc959329b2c53872fa7392c19542f0dc9861d6cb6238f35967bc334947b759a2a4ae8550b01bbebabc0fb47d563a34f96bae06374b31

Filesize: 4.2MB
MD5: 3846106708654eaa9433f717849774d8
SHA1: a8c36621b19991da6f45b73e5287ed77178baa13
SHA256: ce7b0783e87e1974213864280e37b1ab730e793ab7dcc5412259f38d534d23e3
SHA512: 9535319edf324b91ecfb59352db745f9e9c67ea5f9fa850473c9b8eb60b116ea87db39aa15bf3f4090db9f73832781af8fa57202e30dadbf8952dda69dfbca7f

Filesize: 4.2MB
MD5: 3846106708654eaa9433f717849774d8
SHA1: a8c36621b19991da6f45b73e5287ed77178baa13
SHA256: ce7b0783e87e1974213864280e37b1ab730e793ab7dcc5412259f38d534d23e3
SHA512: 9535319edf324b91ecfb59352db745f9e9c67ea5f9fa850473c9b8eb60b116ea87db39aa15bf3f4090db9f73832781af8fa57202e30dadbf8952dda69dfbca7f

Filesize: 2.0MB
MD5: 8e67f58837092385dcf01e8a2b4f5783
SHA1: 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256: 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512: 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Filesize: 2.0MB
MD5: 8e67f58837092385dcf01e8a2b4f5783
SHA1: 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256: 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512: 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Filesize: 2.0MB
MD5: 8e67f58837092385dcf01e8a2b4f5783
SHA1: 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256: 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512: 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec