glupteba | 13e88374a7ad1bd15f516944c19c0b0c1df931e8ae7bdc0de86f5c57d8f61ca9

Analysis

max time kernel
137s
max time network
132s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
11/10/2023, 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13e88374a7ad1bd15f516944c19c0b0c1df931e8ae7bdc0de86f5c57d8f61ca9.exe
Size

4.1MB
MD5

356b82b0bafb63bfac97e41dba4c4e47
SHA1

ed9b25e91addc6e53577b14f856bbb510a52e84c
SHA256

13e88374a7ad1bd15f516944c19c0b0c1df931e8ae7bdc0de86f5c57d8f61ca9
SHA512

0092ae67af131bef7165390ce8a25973c45688d88c797e604379aa844dfa732888a86520a972e05d98a02b04c763ea12af866d5d1c27c640df02c7468ac85e2c
SSDEEP

98304:F6kgPXrnj7pDKwxOJfg0HzNjlNlz+ZwVCpwi5XlbrScpsVXX32x:sLzn/pDnwfZrH+yVUJmDVGx

Score

10^/10

glupteba dropper evasion loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 10 IoCs

resource	yara_rule
behavioral1/memory/2784-2-0x0000000004FF0000-0x00000000058DB000-memory.dmp	family_glupteba
behavioral1/memory/2784-3-0x0000000000400000-0x0000000002FB4000-memory.dmp	family_glupteba
behavioral1/memory/2784-16-0x0000000000400000-0x0000000002FB4000-memory.dmp	family_glupteba
behavioral1/memory/2784-153-0x0000000004FF0000-0x00000000058DB000-memory.dmp	family_glupteba
behavioral1/memory/2784-297-0x0000000000400000-0x0000000002FB4000-memory.dmp	family_glupteba
behavioral1/memory/2784-304-0x0000000000400000-0x0000000002FB4000-memory.dmp	family_glupteba
behavioral1/memory/1988-307-0x0000000004F70000-0x000000000585B000-memory.dmp	family_glupteba
behavioral1/memory/1988-310-0x0000000000400000-0x0000000002FB4000-memory.dmp	family_glupteba
behavioral1/memory/1988-314-0x0000000000400000-0x0000000002FB4000-memory.dmp	family_glupteba
behavioral1/memory/1988-561-0x0000000000400000-0x0000000002FB4000-memory.dmp	family_glupteba

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
5028	netsh.exe

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	13e88374a7ad1bd15f516944c19c0b0c1df931e8ae7bdc0de86f5c57d8f61ca9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	13e88374a7ad1bd15f516944c19c0b0c1df931e8ae7bdc0de86f5c57d8f61ca9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	13e88374a7ad1bd15f516944c19c0b0c1df931e8ae7bdc0de86f5c57d8f61ca9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	13e88374a7ad1bd15f516944c19c0b0c1df931e8ae7bdc0de86f5c57d8f61ca9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	13e88374a7ad1bd15f516944c19c0b0c1df931e8ae7bdc0de86f5c57d8f61ca9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	13e88374a7ad1bd15f516944c19c0b0c1df931e8ae7bdc0de86f5c57d8f61ca9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	13e88374a7ad1bd15f516944c19c0b0c1df931e8ae7bdc0de86f5c57d8f61ca9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	13e88374a7ad1bd15f516944c19c0b0c1df931e8ae7bdc0de86f5c57d8f61ca9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	13e88374a7ad1bd15f516944c19c0b0c1df931e8ae7bdc0de86f5c57d8f61ca9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	13e88374a7ad1bd15f516944c19c0b0c1df931e8ae7bdc0de86f5c57d8f61ca9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	13e88374a7ad1bd15f516944c19c0b0c1df931e8ae7bdc0de86f5c57d8f61ca9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	13e88374a7ad1bd15f516944c19c0b0c1df931e8ae7bdc0de86f5c57d8f61ca9.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4980	powershell.exe
4980	powershell.exe
4980	powershell.exe
2784	13e88374a7ad1bd15f516944c19c0b0c1df931e8ae7bdc0de86f5c57d8f61ca9.exe
2784	13e88374a7ad1bd15f516944c19c0b0c1df931e8ae7bdc0de86f5c57d8f61ca9.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	2784	13e88374a7ad1bd15f516944c19c0b0c1df931e8ae7bdc0de86f5c57d8f61ca9.exe
Token: SeImpersonatePrivilege	2784	13e88374a7ad1bd15f516944c19c0b0c1df931e8ae7bdc0de86f5c57d8f61ca9.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 4980	2784	13e88374a7ad1bd15f516944c19c0b0c1df931e8ae7bdc0de86f5c57d8f61ca9.exe	71
PID 2784 wrote to memory of 4980	2784	13e88374a7ad1bd15f516944c19c0b0c1df931e8ae7bdc0de86f5c57d8f61ca9.exe	71
PID 2784 wrote to memory of 4980	2784	13e88374a7ad1bd15f516944c19c0b0c1df931e8ae7bdc0de86f5c57d8f61ca9.exe	71

C:\Users\Admin\AppData\Local\Temp\13e88374a7ad1bd15f516944c19c0b0c1df931e8ae7bdc0de86f5c57d8f61ca9.exe
"C:\Users\Admin\AppData\Local\Temp\13e88374a7ad1bd15f516944c19c0b0c1df931e8ae7bdc0de86f5c57d8f61ca9.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4980
- C:\Users\Admin\AppData\Local\Temp\13e88374a7ad1bd15f516944c19c0b0c1df931e8ae7bdc0de86f5c57d8f61ca9.exe
  "C:\Users\Admin\AppData\Local\Temp\13e88374a7ad1bd15f516944c19c0b0c1df931e8ae7bdc0de86f5c57d8f61ca9.exe"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1988
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:4924
- - C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:5032
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:5028
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:4660
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x25cnkz2.lae.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
4a0007b210d63b55f30ea2dc7b52969a

SHA1
92a4c7586832606999811d4fdfb03c2e2d639284

SHA256
bf098e8a063b7657b6cffeb8522fd0caded9346e78039cdfdcc63577caeef017

SHA512
05ec5964e649c92033b1f0ca3385f64d84d5a5c71b683ff2a0b32e34dc83ff68ed21a7802adf21a71325637ed4722828e2cea55f9f08e610f0618764e8da15eb

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
e2c3cb14a91ecdb791f0c06179e8e9fa

SHA1
67cf6fa2e702ca0ac06809d848b634c0d19e3699

SHA256
460364220a25566cb45910e2cc1be3135c778e14523142e414ba4263cc520ab8

SHA512
cd7deae605b240bb0864913c62daa8526861192819a2fea64bb8f4c62451b37bbe5be9ae607341ad37278636ce89a1bd3d6cf9fcf352547d9ffadde0be4f5c73

Download Submit
memory/1988-801-0x0000000000400000-0x0000000002FB4000-memory.dmp

Filesize
43.7MB

Download
memory/1988-555-0x0000000004B70000-0x0000000004F70000-memory.dmp

Filesize
4.0MB

Download
memory/1988-306-0x0000000004B70000-0x0000000004F70000-memory.dmp

Filesize
4.0MB

Download
memory/1988-307-0x0000000004F70000-0x000000000585B000-memory.dmp

Filesize
8.9MB

Download
memory/1988-310-0x0000000000400000-0x0000000002FB4000-memory.dmp

Filesize
43.7MB

Download
memory/1988-314-0x0000000000400000-0x0000000002FB4000-memory.dmp

Filesize
43.7MB

Download
memory/1988-561-0x0000000000400000-0x0000000002FB4000-memory.dmp

Filesize
43.7MB

Download
memory/2784-297-0x0000000000400000-0x0000000002FB4000-memory.dmp

Filesize
43.7MB

Download
memory/2784-16-0x0000000000400000-0x0000000002FB4000-memory.dmp

Filesize
43.7MB

Download
memory/2784-3-0x0000000000400000-0x0000000002FB4000-memory.dmp

Filesize
43.7MB

Download
memory/2784-304-0x0000000000400000-0x0000000002FB4000-memory.dmp

Filesize
43.7MB

Download
memory/2784-153-0x0000000004FF0000-0x00000000058DB000-memory.dmp

Filesize
8.9MB

Download
memory/2784-73-0x0000000004BE0000-0x0000000004FE4000-memory.dmp

Filesize
4.0MB

Download
memory/2784-2-0x0000000004FF0000-0x00000000058DB000-memory.dmp

Filesize
8.9MB

Download
memory/2784-1-0x0000000004BE0000-0x0000000004FE4000-memory.dmp

Filesize
4.0MB

Download
memory/3912-806-0x00000000067E0000-0x00000000067F0000-memory.dmp

Filesize
64KB

Download
memory/3912-804-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/3912-805-0x00000000067E0000-0x00000000067F0000-memory.dmp

Filesize
64KB

Download
memory/4660-582-0x0000000070B50000-0x0000000070EA0000-memory.dmp

Filesize
3.3MB

Download
memory/4660-800-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/4660-587-0x00000000068B0000-0x00000000068C0000-memory.dmp

Filesize
64KB

Download
memory/4660-559-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/4660-560-0x0000000007520000-0x0000000007870000-memory.dmp

Filesize
3.3MB

Download
memory/4660-581-0x0000000070AE0000-0x0000000070B2B000-memory.dmp

Filesize
300KB

Download
memory/4924-340-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/4924-554-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/4924-339-0x0000000009870000-0x0000000009915000-memory.dmp

Filesize
660KB

Download
memory/4924-334-0x0000000070B30000-0x0000000070E80000-memory.dmp

Filesize
3.3MB

Download
memory/4924-333-0x0000000070AE0000-0x0000000070B2B000-memory.dmp

Filesize
300KB

Download
memory/4924-313-0x00000000088A0000-0x00000000088EB000-memory.dmp

Filesize
300KB

Download
memory/4924-312-0x0000000007F80000-0x00000000082D0000-memory.dmp

Filesize
3.3MB

Download
memory/4924-311-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/4980-74-0x00000000099E0000-0x0000000009A13000-memory.dmp

Filesize
204KB

Download
memory/4980-76-0x0000000070A10000-0x0000000070D60000-memory.dmp

Filesize
3.3MB

Download
memory/4980-82-0x0000000009A20000-0x0000000009AC5000-memory.dmp

Filesize
660KB

Download
memory/4980-278-0x0000000009BA0000-0x0000000009BBA000-memory.dmp

Filesize
104KB

Download
memory/4980-283-0x0000000009B90000-0x0000000009B98000-memory.dmp

Filesize
32KB

Download
memory/4980-303-0x0000000073CB0000-0x000000007439E000-memory.dmp

Filesize
6.9MB

Download
memory/4980-77-0x00000000099C0000-0x00000000099DE000-memory.dmp

Filesize
120KB

Download
memory/4980-35-0x0000000008B20000-0x0000000008B5C000-memory.dmp

Filesize
240KB

Download
memory/4980-66-0x0000000008BE0000-0x0000000008C56000-memory.dmp

Filesize
472KB

Download
memory/4980-75-0x00000000709C0000-0x0000000070A0B000-memory.dmp

Filesize
300KB

Download
memory/4980-84-0x0000000009C20000-0x0000000009CB4000-memory.dmp

Filesize
592KB

Download
memory/4980-83-0x0000000001130000-0x0000000001140000-memory.dmp

Filesize
64KB

Download
memory/4980-301-0x0000000073CB0000-0x000000007439E000-memory.dmp

Filesize
6.9MB

Download
memory/4980-15-0x0000000007F70000-0x0000000007FBB000-memory.dmp

Filesize
300KB

Download
memory/4980-14-0x0000000007A50000-0x0000000007A6C000-memory.dmp

Filesize
112KB

Download
memory/4980-13-0x0000000007700000-0x0000000007A50000-memory.dmp

Filesize
3.3MB

Download
memory/4980-12-0x0000000007690000-0x00000000076F6000-memory.dmp

Filesize
408KB

Download
memory/4980-11-0x0000000006D50000-0x0000000006DB6000-memory.dmp

Filesize
408KB

Download
memory/4980-10-0x0000000006BB0000-0x0000000006BD2000-memory.dmp

Filesize
136KB

Download
memory/4980-9-0x0000000006EF0000-0x0000000007518000-memory.dmp

Filesize
6.2MB

Download
memory/4980-7-0x0000000001140000-0x0000000001176000-memory.dmp

Filesize
216KB

Download
memory/4980-8-0x0000000001130000-0x0000000001140000-memory.dmp

Filesize
64KB

Download
memory/4980-6-0x0000000073CB0000-0x000000007439E000-memory.dmp

Filesize
6.9MB

Download