Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    34s
  • max time network
    57s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/10/2023, 16:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e260a1566b80fbe5e546c08d0ee2229f383d4c4beb85a45a0a8978c52a0fdf25.exe

  • Size

    4.2MB

  • MD5

    9a4282a1c46ea395d0f593c470e159de

  • SHA1

    df0baae1f470902210d765efbe93d180ce9567c1

  • SHA256

    e260a1566b80fbe5e546c08d0ee2229f383d4c4beb85a45a0a8978c52a0fdf25

  • SHA512

    75a7d987f8a64215e404e67d4ddacb46922b7cee91773c76faf203135d905c2268d17fd839af0de747b0120974fd33df2b11eb0cf25c7818a181196750ad6472

  • SSDEEP

    98304:1+040w4TjOwb/q8r4bwkYM/AG5gNGHGIfsaLHC1VDUfZzKfG4h4vz:OaF/qKkYM/D+NGmsDLHC4f0/E

Score
10/10
gluptebadropperevasionloader

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 11 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Drops file in System32 directory 2 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e260a1566b80fbe5e546c08d0ee2229f383d4c4beb85a45a0a8978c52a0fdf25.exe
    "C:\Users\Admin\AppData\Local\Temp\e260a1566b80fbe5e546c08d0ee2229f383d4c4beb85a45a0a8978c52a0fdf25.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2420
    • C:\Users\Admin\AppData\Local\Temp\e260a1566b80fbe5e546c08d0ee2229f383d4c4beb85a45a0a8978c52a0fdf25.exe
      "C:\Users\Admin\AppData\Local\Temp\e260a1566b80fbe5e546c08d0ee2229f383d4c4beb85a45a0a8978c52a0fdf25.exe"
      2⤵
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3852
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1012
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1604
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:1752
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4820
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
          PID:3364
        • C:\Windows\rss\csrss.exe
          C:\Windows\rss\csrss.exe
          3⤵
            PID:2144
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              4⤵
                PID:3588
              • C:\Windows\SYSTEM32\schtasks.exe
                schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                4⤵
                • Creates scheduled task(s)
                PID:1956
              • C:\Windows\SYSTEM32\schtasks.exe
                schtasks /delete /tn ScheduledUpdate /f
                4⤵
                  PID:3532
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -nologo -noprofile
                  4⤵
                    PID:4420

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rp4syush.bhb.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              968cb9309758126772781b83adb8a28f

              SHA1

              8da30e71accf186b2ba11da1797cf67f8f78b47c

              SHA256

              92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

              SHA512

              4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              204837c0f41a522004bf3c425afe9dc9

              SHA1

              23a002a73191ea3c2dc4c1aaa0e29e7f3cedae53

              SHA256

              497af58db0f6ea8d71623efa45f443f4a845d741e036e26133618237c036eb46

              SHA512

              7fa80b81522ac11b2af098019f52cdb372a6a7d64f3a4a00917587da8cb956b68a3ae10c54e12058bd3253ee599466af70f81fb986913ce40b1d577242cbaa73

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              10ec2ef3a07a163fa1b74c582348560d

              SHA1

              bb80e1ae173fd410f01567aaace53e1c2419a2ae

              SHA256

              f5d7399fe5855c03ac8296ec410a2e3cdde005248c90e4b9beee5c601ff62d59

              SHA512

              c71083c90d32998d66992a3bd29d70ba874f0013a9c8e2431c3d386760a442293340813befab64bf1f823d71d95f8f698bf7abe2e0d0c83e21a166b1a4eac694

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              4ebd7094db149c1ab48ad708162d08b3

              SHA1

              9c68f247b71e19314f8338c633c78c393fe0ee4d

              SHA256

              999ee283e88f3c859b139c12b69bd4bb8f12160d04702f49cd53cb51e2f6a85b

              SHA512

              b8847a406b525f23bf0ba1dee6e380fc8aa27bb45cfa3f31ef3b45c16879cdaa6612a4fb7563e29efdbb58954cb7180d6d09f9a9cd2d1191cdbe473458b23bcb

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              8855da7ac77a90fcf9d7e9746ad5f6ea

              SHA1

              289cad0774a9c4dc7889c6091b639cf70427fb77

              SHA256

              a6074f4cd48dd4fefe91a1173ccb8aaa8c173161a360197a9b9d991f01e3b1dd

              SHA512

              a545ce9973e243c5378dda29c3c1409b3ef73b2f7638330a5edf61c942377d1c340cb58b360c7e11c0e2d32be67f3a3809da4a4a26ceb093af596c4ca5be39fe

              Download Submit

            • C:\Windows\rss\csrss.exe
              Filesize

              4.2MB

              MD5

              9a4282a1c46ea395d0f593c470e159de

              SHA1

              df0baae1f470902210d765efbe93d180ce9567c1

              SHA256

              e260a1566b80fbe5e546c08d0ee2229f383d4c4beb85a45a0a8978c52a0fdf25

              SHA512

              75a7d987f8a64215e404e67d4ddacb46922b7cee91773c76faf203135d905c2268d17fd839af0de747b0120974fd33df2b11eb0cf25c7818a181196750ad6472

              Download Submit

            • C:\Windows\rss\csrss.exe
              Filesize

              4.2MB

              MD5

              9a4282a1c46ea395d0f593c470e159de

              SHA1

              df0baae1f470902210d765efbe93d180ce9567c1

              SHA256

              e260a1566b80fbe5e546c08d0ee2229f383d4c4beb85a45a0a8978c52a0fdf25

              SHA512

              75a7d987f8a64215e404e67d4ddacb46922b7cee91773c76faf203135d905c2268d17fd839af0de747b0120974fd33df2b11eb0cf25c7818a181196750ad6472

              Download Submit

            • memory/1012-62-0x0000000074D70000-0x0000000075520000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/1012-91-0x0000000007040000-0x0000000007051000-memory.dmp

              Filesize

              68KB

              Download

            • memory/1012-63-0x0000000004600000-0x0000000004610000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1012-99-0x0000000074D70000-0x0000000075520000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/1012-96-0x0000000004600000-0x0000000004610000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1012-95-0x0000000004600000-0x0000000004610000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1012-64-0x0000000004600000-0x0000000004610000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1012-65-0x00000000054B0000-0x0000000005804000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/1012-79-0x0000000070C10000-0x0000000070C5C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/1012-93-0x0000000074D70000-0x0000000075520000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/1012-94-0x0000000006CD0000-0x0000000006CE4000-memory.dmp

              Filesize

              80KB

              Download

            • memory/1012-75-0x0000000004600000-0x0000000004610000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1012-90-0x0000000006D50000-0x0000000006DF3000-memory.dmp

              Filesize

              652KB

              Download

            • memory/1012-78-0x000000007F390000-0x000000007F3A0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1012-80-0x0000000071390000-0x00000000716E4000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/1352-23-0x0000000004350000-0x0000000004752000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/1352-30-0x0000000000400000-0x0000000002670000-memory.dmp

              Filesize

              34.4MB

              Download

            • memory/1352-76-0x0000000000400000-0x0000000002670000-memory.dmp

              Filesize

              34.4MB

              Download

            • memory/1352-1-0x0000000004350000-0x0000000004752000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/1352-25-0x0000000004760000-0x000000000504B000-memory.dmp

              Filesize

              8.9MB

              Download

            • memory/1352-3-0x0000000000400000-0x0000000002670000-memory.dmp

              Filesize

              34.4MB

              Download

            • memory/1352-2-0x0000000004760000-0x000000000504B000-memory.dmp

              Filesize

              8.9MB

              Download

            • memory/1352-47-0x0000000000400000-0x0000000002670000-memory.dmp

              Filesize

              34.4MB

              Download

            • memory/2420-28-0x0000000008340000-0x00000000089BA000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/2420-45-0x0000000007EE0000-0x0000000007F83000-memory.dmp

              Filesize

              652KB

              Download

            • memory/2420-51-0x0000000008030000-0x000000000803E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2420-52-0x0000000008040000-0x0000000008054000-memory.dmp

              Filesize

              80KB

              Download

            • memory/2420-53-0x0000000008130000-0x000000000814A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/2420-54-0x0000000008070000-0x0000000008078000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2420-55-0x0000000005350000-0x0000000005360000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2420-57-0x0000000074D70000-0x0000000075520000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2420-4-0x0000000074D70000-0x0000000075520000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2420-5-0x0000000005360000-0x0000000005396000-memory.dmp

              Filesize

              216KB

              Download

            • memory/2420-6-0x0000000005350000-0x0000000005360000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2420-49-0x0000000074D70000-0x0000000075520000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2420-48-0x0000000008090000-0x0000000008126000-memory.dmp

              Filesize

              600KB

              Download

            • memory/2420-46-0x0000000007FD0000-0x0000000007FDA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/2420-34-0x0000000070FF0000-0x0000000071344000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/2420-9-0x0000000006170000-0x00000000061D6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/2420-44-0x0000000007E80000-0x0000000007E9E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/2420-7-0x00000000059D0000-0x0000000005FF8000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/2420-33-0x0000000070C10000-0x0000000070C5C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/2420-32-0x0000000007EA0000-0x0000000007ED2000-memory.dmp

              Filesize

              200KB

              Download

            • memory/2420-31-0x000000007FCF0000-0x000000007FD00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2420-29-0x0000000007CE0000-0x0000000007CFA000-memory.dmp

              Filesize

              104KB

              Download

            • memory/2420-27-0x0000000007C40000-0x0000000007CB6000-memory.dmp

              Filesize

              472KB

              Download

            • memory/2420-50-0x0000000007FF0000-0x0000000008001000-memory.dmp

              Filesize

              68KB

              Download

            • memory/2420-26-0x0000000005350000-0x0000000005360000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2420-24-0x0000000006ED0000-0x0000000006F14000-memory.dmp

              Filesize

              272KB

              Download

            • memory/2420-22-0x0000000006950000-0x000000000699C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/2420-21-0x0000000006930000-0x000000000694E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/2420-20-0x00000000062D0000-0x0000000006624000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/2420-10-0x00000000061E0000-0x0000000006246000-memory.dmp

              Filesize

              408KB

              Download

            • memory/2420-8-0x0000000005940000-0x0000000005962000-memory.dmp

              Filesize

              136KB

              Download

            • memory/3364-129-0x0000000074D70000-0x0000000075520000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/3852-92-0x0000000000400000-0x0000000002670000-memory.dmp

              Filesize

              34.4MB

              Download

            • memory/3852-142-0x0000000000400000-0x0000000002670000-memory.dmp

              Filesize

              34.4MB

              Download

            • memory/3852-59-0x0000000004370000-0x0000000004771000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/3852-60-0x0000000004780000-0x000000000506B000-memory.dmp

              Filesize

              8.9MB

              Download

            • memory/3852-162-0x0000000000400000-0x0000000002670000-memory.dmp

              Filesize

              34.4MB

              Download

            • memory/3852-61-0x0000000000400000-0x0000000002670000-memory.dmp

              Filesize

              34.4MB

              Download

            • memory/3852-77-0x0000000004370000-0x0000000004771000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/4820-117-0x0000000071390000-0x00000000716E4000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/4820-101-0x0000000074D70000-0x0000000075520000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4820-102-0x0000000004D00000-0x0000000004D10000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4820-128-0x0000000074D70000-0x0000000075520000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4820-103-0x0000000004D00000-0x0000000004D10000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4820-116-0x0000000070C10000-0x0000000070C5C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/4820-115-0x0000000004D00000-0x0000000004D10000-memory.dmp

              Filesize

              64KB

              Download