Overview

overview

10

Static

static

1

NEAS.8a982...JC.exe

windows7-x64

10

NEAS.8a982...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-10-2023 14:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.8a982492fe64b7fb1e537dfbe682c7e763a348473d7d08c14214f3f72dad98b4_JC.exe

  • Size

    4.1MB

  • MD5

    1b4f479e5cd849d85ff54b8989b8b8d0

  • SHA1

    e5a9853674ffcd98b22428fe5da4899873b95202

  • SHA256

    8a982492fe64b7fb1e537dfbe682c7e763a348473d7d08c14214f3f72dad98b4

  • SHA512

    1c00c2d70c0d5c4faa818e53767dd2aa0e3174e05e365572cdf26885596d7d2b8c3411609e1e00f57b158c0aeeb2d3345cba8c5a0a8b96feeaf442b7912a1848

  • SSDEEP

    98304:camsPbfgeODcUDk3hEhne5DAyoXex99ubQtvFQG396pdFlaaoL:cIs9DmGhgDAQD9ustvFB6/FAaY

Score
10/10
gluptebadropperevasionloader

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 15 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Drops file in System32 directory 2 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.8a982492fe64b7fb1e537dfbe682c7e763a348473d7d08c14214f3f72dad98b4_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.8a982492fe64b7fb1e537dfbe682c7e763a348473d7d08c14214f3f72dad98b4_JC.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2784
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4904
    • C:\Users\Admin\AppData\Local\Temp\NEAS.8a982492fe64b7fb1e537dfbe682c7e763a348473d7d08c14214f3f72dad98b4_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.8a982492fe64b7fb1e537dfbe682c7e763a348473d7d08c14214f3f72dad98b4_JC.exe"
      2⤵
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1904
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3232
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4544
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:4768
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4316
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 744
      2⤵
      • Program crash
      PID:1516
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2784 -ip 2784
    1⤵
      PID:336

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gzwectqm.dxq.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      0926f1dd5114089cc631e5081184c2ca

      SHA1

      83db1e87c4cc4a28e5a56e0b80c0ef4de119a7b7

      SHA256

      d8105d402183a653f37422d3b60adb7cd6d06611cb1cb23a74a0c8b864d94bc2

      SHA512

      d349b524665e24773f81a0568e39f4f6cdf76bf49a9656dbb1809e619ffb9a08c4d1292e45ad4eef364069dfc662d811c223ca21785a9fd8864f67479045ac1c

      Download Submit

    • memory/1904-72-0x0000000005310000-0x0000000005BFB000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/1904-114-0x0000000000400000-0x0000000002FB5000-memory.dmp

      Filesize

      43.7MB

      Download

    • memory/1904-104-0x0000000000400000-0x0000000002FB5000-memory.dmp

      Filesize

      43.7MB

      Download

    • memory/1904-89-0x0000000004F00000-0x0000000005304000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1904-115-0x0000000000400000-0x0000000002FB5000-memory.dmp

      Filesize

      43.7MB

      Download

    • memory/1904-74-0x0000000000400000-0x0000000002FB5000-memory.dmp

      Filesize

      43.7MB

      Download

    • memory/1904-71-0x0000000004F00000-0x0000000005304000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1904-73-0x0000000000400000-0x0000000002FB5000-memory.dmp

      Filesize

      43.7MB

      Download

    • memory/2784-36-0x0000000000400000-0x0000000002FB5000-memory.dmp

      Filesize

      43.7MB

      Download

    • memory/2784-4-0x0000000000400000-0x0000000002FB5000-memory.dmp

      Filesize

      43.7MB

      Download

    • memory/2784-3-0x0000000000400000-0x0000000002FB5000-memory.dmp

      Filesize

      43.7MB

      Download

    • memory/2784-68-0x0000000000400000-0x0000000002FB5000-memory.dmp

      Filesize

      43.7MB

      Download

    • memory/2784-2-0x00000000052E0000-0x0000000005BCB000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/2784-5-0x0000000004EE0000-0x00000000052DD000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2784-55-0x0000000000400000-0x0000000002FB5000-memory.dmp

      Filesize

      43.7MB

      Download

    • memory/2784-1-0x0000000004EE0000-0x00000000052DD000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2784-7-0x0000000000400000-0x0000000002FB5000-memory.dmp

      Filesize

      43.7MB

      Download

    • memory/2784-70-0x0000000000400000-0x0000000002FB5000-memory.dmp

      Filesize

      43.7MB

      Download

    • memory/2784-6-0x00000000052E0000-0x0000000005BCB000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/3232-90-0x0000000002F80000-0x0000000002F90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3232-106-0x00000000746B0000-0x0000000074E60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3232-105-0x00000000079D0000-0x00000000079E1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/3232-107-0x0000000002F80000-0x0000000002F90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3232-103-0x00000000076B0000-0x0000000007753000-memory.dmp

      Filesize

      652KB

      Download

    • memory/3232-93-0x0000000070CD0000-0x0000000071024000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3232-92-0x00000000705B0000-0x00000000705FC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3232-91-0x000000007F8E0000-0x000000007F8F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3232-109-0x0000000002F80000-0x0000000002F90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3232-110-0x0000000007A40000-0x0000000007A54000-memory.dmp

      Filesize

      80KB

      Download

    • memory/3232-88-0x0000000006530000-0x000000000657C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3232-113-0x00000000746B0000-0x0000000074E60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3232-87-0x0000000005E50000-0x00000000061A4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3232-77-0x0000000002F80000-0x0000000002F90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3232-76-0x0000000002F80000-0x0000000002F90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3232-75-0x00000000746B0000-0x0000000074E60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4316-117-0x00000000746B0000-0x0000000074E60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4316-118-0x00000000032A0000-0x00000000032B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4316-119-0x00000000032A0000-0x00000000032B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4316-129-0x0000000006400000-0x0000000006754000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4316-131-0x00000000032A0000-0x00000000032B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4904-29-0x0000000074610000-0x0000000074DC0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4904-67-0x0000000074610000-0x0000000074DC0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4904-65-0x0000000007F50000-0x0000000007F58000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4904-64-0x0000000007F60000-0x0000000007F7A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4904-63-0x0000000007E80000-0x0000000007E94000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4904-62-0x0000000007B40000-0x0000000007B4E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4904-61-0x0000000007B00000-0x0000000007B11000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4904-59-0x0000000007EA0000-0x0000000007F36000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4904-56-0x0000000007DF0000-0x0000000007DFA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4904-54-0x0000000007D00000-0x0000000007DA3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/4904-53-0x0000000007CA0000-0x0000000007CBE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4904-43-0x0000000070630000-0x0000000070984000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4904-42-0x00000000704B0000-0x00000000704FC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4904-41-0x0000000007CC0000-0x0000000007CF2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4904-40-0x000000007FDF0000-0x000000007FE00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4904-39-0x0000000005270000-0x0000000005280000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4904-38-0x0000000007670000-0x000000000768A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4904-37-0x0000000008150000-0x00000000087CA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4904-35-0x0000000007A50000-0x0000000007AC6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4904-34-0x0000000005270000-0x0000000005280000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4904-33-0x0000000006B30000-0x0000000006B74000-memory.dmp

      Filesize

      272KB

      Download

    • memory/4904-30-0x0000000005270000-0x0000000005280000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4904-27-0x0000000006660000-0x00000000066AC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4904-26-0x0000000006620000-0x000000000663E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4904-25-0x0000000006180000-0x00000000064D4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4904-20-0x0000000005EE0000-0x0000000005F46000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4904-14-0x0000000005790000-0x00000000057F6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4904-13-0x00000000055A0000-0x00000000055C2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4904-12-0x00000000058B0000-0x0000000005ED8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4904-10-0x0000000005270000-0x0000000005280000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4904-11-0x0000000002F90000-0x0000000002FC6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4904-9-0x0000000074610000-0x0000000074DC0000-memory.dmp

      Filesize

      7.7MB

      Download