glupteba | d2afb83db20eac5df37c62e71a0dec52cd22ae5713164e9969efeff246c5d252

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2023, 06:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d2afb83db20eac5df37c62e71a0dec52cd22ae5713164e9969efeff246c5d252.exe
Size

4.1MB
MD5

dd1d37fb598945d7b95fae8dd6d5df59
SHA1

512a75e5100f03b9f812d83a94e5de41f18067d6
SHA256

d2afb83db20eac5df37c62e71a0dec52cd22ae5713164e9969efeff246c5d252
SHA512

da38fd57f932bb9a32b27f7b6590b384357c11bdb7c7f19dbac20e719944fe43bc5fbf79c5cd90f1f440dc1cb6db4680ebbaf4059ce418504fdcb6a346751cda
SSDEEP

98304:qSYWqeM7Y2yEDV2ikZ2ZC0xdyOvP6MD68EZdUYa0rTU6ypZJ4Y9Tx:q1fy49khbOvP968E/GATU9Z39t

Score

10^/10

glupteba dropper loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 7 IoCs

resource	yara_rule
behavioral1/memory/3320-2-0x0000000002EF0000-0x00000000037DB000-memory.dmp	family_glupteba
behavioral1/memory/3320-3-0x0000000000400000-0x0000000000D64000-memory.dmp	family_glupteba
behavioral1/memory/3320-4-0x0000000000400000-0x0000000000D64000-memory.dmp	family_glupteba
behavioral1/memory/3320-26-0x0000000002EF0000-0x00000000037DB000-memory.dmp	family_glupteba
behavioral1/memory/3320-27-0x0000000000400000-0x0000000000D64000-memory.dmp	family_glupteba
behavioral1/memory/3320-32-0x0000000000400000-0x0000000000D64000-memory.dmp	family_glupteba
behavioral1/memory/3320-61-0x0000000000400000-0x0000000000D64000-memory.dmp	family_glupteba

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1432	powershell.exe
1432	powershell.exe
3320	d2afb83db20eac5df37c62e71a0dec52cd22ae5713164e9969efeff246c5d252.exe
3320	d2afb83db20eac5df37c62e71a0dec52cd22ae5713164e9969efeff246c5d252.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	3320	d2afb83db20eac5df37c62e71a0dec52cd22ae5713164e9969efeff246c5d252.exe
Token: SeImpersonatePrivilege	3320	d2afb83db20eac5df37c62e71a0dec52cd22ae5713164e9969efeff246c5d252.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 1432	3320	d2afb83db20eac5df37c62e71a0dec52cd22ae5713164e9969efeff246c5d252.exe	98
PID 3320 wrote to memory of 1432	3320	d2afb83db20eac5df37c62e71a0dec52cd22ae5713164e9969efeff246c5d252.exe	98
PID 3320 wrote to memory of 1432	3320	d2afb83db20eac5df37c62e71a0dec52cd22ae5713164e9969efeff246c5d252.exe	98

C:\Users\Admin\AppData\Local\Temp\d2afb83db20eac5df37c62e71a0dec52cd22ae5713164e9969efeff246c5d252.exe
"C:\Users\Admin\AppData\Local\Temp\d2afb83db20eac5df37c62e71a0dec52cd22ae5713164e9969efeff246c5d252.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- C:\Users\Admin\AppData\Local\Temp\d2afb83db20eac5df37c62e71a0dec52cd22ae5713164e9969efeff246c5d252.exe
  "C:\Users\Admin\AppData\Local\Temp\d2afb83db20eac5df37c62e71a0dec52cd22ae5713164e9969efeff246c5d252.exe"
  2⤵
  PID:3700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3gfizhrr.hah.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1432-29-0x0000000007AC0000-0x0000000007B36000-memory.dmp

Filesize
472KB

Download
memory/1432-47-0x0000000007CF0000-0x0000000007D0E000-memory.dmp

Filesize
120KB

Download
memory/1432-59-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/1432-5-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/1432-6-0x0000000003180000-0x00000000031B6000-memory.dmp

Filesize
216KB

Download
memory/1432-7-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/1432-8-0x0000000005980000-0x0000000005FA8000-memory.dmp

Filesize
6.2MB

Download
memory/1432-9-0x00000000057B0000-0x00000000057D2000-memory.dmp

Filesize
136KB

Download
memory/1432-10-0x00000000060A0000-0x0000000006106000-memory.dmp

Filesize
408KB

Download
memory/1432-11-0x0000000006110000-0x0000000006176000-memory.dmp

Filesize
408KB

Download
memory/1432-17-0x0000000006180000-0x00000000064D4000-memory.dmp

Filesize
3.3MB

Download
memory/1432-56-0x0000000007EE0000-0x0000000007EE8000-memory.dmp

Filesize
32KB

Download
memory/1432-22-0x0000000006790000-0x00000000067AE000-memory.dmp

Filesize
120KB

Download
memory/1432-23-0x00000000067D0000-0x000000000681C000-memory.dmp

Filesize
304KB

Download
memory/1432-55-0x0000000007EF0000-0x0000000007F0A000-memory.dmp

Filesize
104KB

Download
memory/1432-25-0x0000000006CF0000-0x0000000006D34000-memory.dmp

Filesize
272KB

Download
memory/1432-54-0x0000000007EB0000-0x0000000007EC4000-memory.dmp

Filesize
80KB

Download
memory/1432-53-0x0000000007E90000-0x0000000007E9E000-memory.dmp

Filesize
56KB

Download
memory/1432-52-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/1432-51-0x0000000007E50000-0x0000000007E61000-memory.dmp

Filesize
68KB

Download
memory/1432-35-0x0000000007D10000-0x0000000007D42000-memory.dmp

Filesize
200KB

Download
memory/1432-31-0x0000000007B60000-0x0000000007B7A000-memory.dmp

Filesize
104KB

Download
memory/1432-50-0x0000000007F50000-0x0000000007FE6000-memory.dmp

Filesize
600KB

Download
memory/1432-33-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/1432-34-0x000000007FAD0000-0x000000007FAE0000-memory.dmp

Filesize
64KB

Download
memory/1432-30-0x00000000081C0000-0x000000000883A000-memory.dmp

Filesize
6.5MB

Download
memory/1432-36-0x0000000070AB0000-0x0000000070AFC000-memory.dmp

Filesize
304KB

Download
memory/1432-37-0x0000000071230000-0x0000000071584000-memory.dmp

Filesize
3.3MB

Download
memory/1432-28-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/1432-48-0x0000000007D50000-0x0000000007DF3000-memory.dmp

Filesize
652KB

Download
memory/1432-49-0x0000000007E40000-0x0000000007E4A000-memory.dmp

Filesize
40KB

Download
memory/3320-32-0x0000000000400000-0x0000000000D64000-memory.dmp

Filesize
9.4MB

Download
memory/3320-24-0x0000000002AF0000-0x0000000002EF0000-memory.dmp

Filesize
4.0MB

Download
memory/3320-3-0x0000000000400000-0x0000000000D64000-memory.dmp

Filesize
9.4MB

Download
memory/3320-27-0x0000000000400000-0x0000000000D64000-memory.dmp

Filesize
9.4MB

Download
memory/3320-26-0x0000000002EF0000-0x00000000037DB000-memory.dmp

Filesize
8.9MB

Download
memory/3320-1-0x0000000002AF0000-0x0000000002EF0000-memory.dmp

Filesize
4.0MB

Download
memory/3320-2-0x0000000002EF0000-0x00000000037DB000-memory.dmp

Filesize
8.9MB

Download
memory/3320-4-0x0000000000400000-0x0000000000D64000-memory.dmp

Filesize
9.4MB

Download
memory/3320-61-0x0000000000400000-0x0000000000D64000-memory.dmp

Filesize
9.4MB

Download