Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

JC_fe8d8c5...48.exe

windows7-x64

10

JC_fe8d8c5...48.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/10/2023, 02:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JC_fe8d8c528579d7bf0d15a929a85fc832bd4b1050188251ed07bdfb7f64c30748.exe

  • Size

    4.3MB

  • MD5

    8fd45a13d0b0fc1e73c1093bf5799c7f

  • SHA1

    4933562a034b06f6f867fe2f6fc131d8c99f0848

  • SHA256

    fe8d8c528579d7bf0d15a929a85fc832bd4b1050188251ed07bdfb7f64c30748

  • SHA512

    92792c37b12a998c7d722f07d33e150f660e27a4769763d3af701350681328c12297bcef5083d129d6480cb6b1df03133bd7548e8e9d9ecc6d6077c7678a1071

  • SSDEEP

    98304:o9ZVpR1RvsgcoZYa8LDryDHaWQvdJlvtcbYoRSm7fYPlmzngL6:E1Rvsgc2Yhr0aTlvmbqm7woB

Score
10/10
gluptebadropperevasionloaderpersistence

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 18 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JC_fe8d8c528579d7bf0d15a929a85fc832bd4b1050188251ed07bdfb7f64c30748.exe
    "C:\Users\Admin\AppData\Local\Temp\JC_fe8d8c528579d7bf0d15a929a85fc832bd4b1050188251ed07bdfb7f64c30748.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:520
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4360
    • C:\Users\Admin\AppData\Local\Temp\JC_fe8d8c528579d7bf0d15a929a85fc832bd4b1050188251ed07bdfb7f64c30748.exe
      "C:\Users\Admin\AppData\Local\Temp\JC_fe8d8c528579d7bf0d15a929a85fc832bd4b1050188251ed07bdfb7f64c30748.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4400
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4216
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3412
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:1628
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2844
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2836
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        PID:4556
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
            PID:1480
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:380
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /delete /tn ScheduledUpdate /f
            4⤵
              PID:3396
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              4⤵
                PID:488
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                4⤵
                  PID:3828
                • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                  C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                  4⤵
                    PID:404

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hycei1jj.vp3.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
              Filesize

              281KB

              MD5

              d98e33b66343e7c96158444127a117f6

              SHA1

              bb716c5509a2bf345c6c1152f6e3e1452d39d50d

              SHA256

              5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

              SHA512

              705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
              Filesize

              281KB

              MD5

              d98e33b66343e7c96158444127a117f6

              SHA1

              bb716c5509a2bf345c6c1152f6e3e1452d39d50d

              SHA256

              5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

              SHA512

              705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              968cb9309758126772781b83adb8a28f

              SHA1

              8da30e71accf186b2ba11da1797cf67f8f78b47c

              SHA256

              92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

              SHA512

              4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              dcbddf1aaa0d57c09aba065299082cf4

              SHA1

              eec006db9c96ae81c9f8ac54df8278b1b7ba521e

              SHA256

              c7ac036e08cc5c1bd5a116a269fc68da30ca04ae8a27eaca29debdf7c8e70fce

              SHA512

              3973fb6c0c8d6f303856fa571f8886e44cd9633ed4f19f8ccd54f1bf5a17bcad1054cbbef9be39730e271f79a41c8b7a2d6201359f523858e2b716fc8a364e24

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              e1ae4f000c5231c69b258acf09b86cff

              SHA1

              635cdb33466d0bbcc67dde0b02a31e4022d4a289

              SHA256

              cb70fb1df4bf1412fd8b443548cc2f1fc5b254487ede7b1bdd2c374a7e582698

              SHA512

              fb49c609ee95fe2ed4f8e6a36e8bab0ef958651fe0e208124f52a534706074ce8c15875ed5f3205ca48f942435a6708a240a711dc96d37e8b588c447fa8fd7db

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              1126bbbc2f75b78f798154e49b18df74

              SHA1

              37ebb7c3f988e8aa08d9eab518fde1e1f9ec5514

              SHA256

              c5b67a2f637c9381eacdc4755169d1199956ade9884cb1779292c1eab42555c9

              SHA512

              1ae10171c6c6df28546caa994f3c23c5f85baa7589dcfaff01880032645846067b8f2651f23fb6a8649f70572daa55942686fb0ebc338d8acbb891dc56c35f4c

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              6652a922fd395d4f97f3b249fd190fa3

              SHA1

              6bb0c072646372d06a753dfa9ce1519129c7659b

              SHA256

              001e2796b48773e4d824e8f463bbb54424a942b6f5715591a0bc8927d334ece9

              SHA512

              2007fa24efc13d5f4ad9ba73b54d4a4a2dea0a67b82c764029a8d8ac2897bc5dca5e82a92339161dafd2264c5968699083a740dd45595129e4e579cce488cfff

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              872aab7e73b76b345ac4c145b30649b5

              SHA1

              8355062558002b5fed910e5b0fd26faec8be3269

              SHA256

              c0a4c9387a986958922e7ce05ff9e13a9c6a32f27c75ec22265ff1b7165b364f

              SHA512

              17481571bdcc8fed6fd23b6b6601b7f1d331fcc8ea1ebd9bb45f3aff99b8ce1aa0f87f4061c3f64fccccb5143ef3f53f3c0a8dbc22b99f04847212366e122b1c

              Download Submit

            • C:\Windows\rss\csrss.exe
              Filesize

              4.3MB

              MD5

              8fd45a13d0b0fc1e73c1093bf5799c7f

              SHA1

              4933562a034b06f6f867fe2f6fc131d8c99f0848

              SHA256

              fe8d8c528579d7bf0d15a929a85fc832bd4b1050188251ed07bdfb7f64c30748

              SHA512

              92792c37b12a998c7d722f07d33e150f660e27a4769763d3af701350681328c12297bcef5083d129d6480cb6b1df03133bd7548e8e9d9ecc6d6077c7678a1071

              Download Submit

            • C:\Windows\rss\csrss.exe
              Filesize

              4.3MB

              MD5

              8fd45a13d0b0fc1e73c1093bf5799c7f

              SHA1

              4933562a034b06f6f867fe2f6fc131d8c99f0848

              SHA256

              fe8d8c528579d7bf0d15a929a85fc832bd4b1050188251ed07bdfb7f64c30748

              SHA512

              92792c37b12a998c7d722f07d33e150f660e27a4769763d3af701350681328c12297bcef5083d129d6480cb6b1df03133bd7548e8e9d9ecc6d6077c7678a1071

              Download Submit

            • memory/520-4-0x00000000046B0000-0x0000000004AA8000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/520-5-0x0000000004AB0000-0x000000000539B000-memory.dmp

              Filesize

              8.9MB

              Download

            • memory/520-6-0x0000000000400000-0x0000000002833000-memory.dmp

              Filesize

              36.2MB

              Download

            • memory/520-33-0x0000000000400000-0x0000000002833000-memory.dmp

              Filesize

              36.2MB

              Download

            • memory/520-7-0x0000000000400000-0x0000000002833000-memory.dmp

              Filesize

              36.2MB

              Download

            • memory/520-3-0x0000000000400000-0x0000000002833000-memory.dmp

              Filesize

              36.2MB

              Download

            • memory/520-60-0x0000000000400000-0x0000000002833000-memory.dmp

              Filesize

              36.2MB

              Download

            • memory/520-2-0x0000000000400000-0x0000000002833000-memory.dmp

              Filesize

              36.2MB

              Download

            • memory/520-0-0x00000000046B0000-0x0000000004AA8000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/520-1-0x0000000004AB0000-0x000000000539B000-memory.dmp

              Filesize

              8.9MB

              Download

            • memory/2836-134-0x0000000005030000-0x0000000005040000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2836-133-0x0000000074D10000-0x00000000754C0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2844-119-0x0000000070BB0000-0x0000000070BFC000-memory.dmp

              Filesize

              304KB

              Download

            • memory/2844-117-0x0000000002A90000-0x0000000002AA0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2844-118-0x000000007F230000-0x000000007F240000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2844-131-0x0000000074D10000-0x00000000754C0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2844-106-0x0000000002A90000-0x0000000002AA0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2844-105-0x0000000002A90000-0x0000000002AA0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2844-104-0x0000000074D10000-0x00000000754C0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2844-120-0x0000000070D30000-0x0000000071084000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/4216-96-0x0000000007920000-0x0000000007931000-memory.dmp

              Filesize

              68KB

              Download

            • memory/4216-98-0x0000000002D90000-0x0000000002DA0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4216-97-0x0000000007970000-0x0000000007984000-memory.dmp

              Filesize

              80KB

              Download

            • memory/4216-101-0x0000000074D10000-0x00000000754C0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4216-94-0x0000000007600000-0x00000000076A3000-memory.dmp

              Filesize

              652KB

              Download

            • memory/4216-93-0x0000000074D10000-0x00000000754C0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4216-83-0x0000000070D30000-0x0000000071084000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/4216-82-0x0000000070BB0000-0x0000000070BFC000-memory.dmp

              Filesize

              304KB

              Download

            • memory/4216-81-0x0000000002D90000-0x0000000002DA0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4216-78-0x0000000005E80000-0x00000000061D4000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/4216-67-0x0000000002D90000-0x0000000002DA0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4216-66-0x0000000074D10000-0x00000000754C0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4216-68-0x0000000002D90000-0x0000000002DA0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4360-29-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4360-35-0x00000000076E0000-0x0000000007712000-memory.dmp

              Filesize

              200KB

              Download

            • memory/4360-8-0x0000000004B60000-0x0000000004B96000-memory.dmp

              Filesize

              216KB

              Download

            • memory/4360-9-0x0000000074D10000-0x00000000754C0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4360-10-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4360-59-0x0000000074D10000-0x00000000754C0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4360-57-0x0000000007980000-0x0000000007988000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4360-11-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4360-56-0x0000000007990000-0x00000000079AA000-memory.dmp

              Filesize

              104KB

              Download

            • memory/4360-55-0x00000000078A0000-0x00000000078B4000-memory.dmp

              Filesize

              80KB

              Download

            • memory/4360-54-0x0000000007890000-0x000000000789E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/4360-53-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4360-52-0x0000000074D10000-0x00000000754C0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4360-51-0x0000000007850000-0x0000000007861000-memory.dmp

              Filesize

              68KB

              Download

            • memory/4360-12-0x0000000005310000-0x0000000005938000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4360-50-0x00000000078D0000-0x0000000007966000-memory.dmp

              Filesize

              600KB

              Download

            • memory/4360-49-0x0000000007810000-0x000000000781A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4360-48-0x0000000007720000-0x00000000077C3000-memory.dmp

              Filesize

              652KB

              Download

            • memory/4360-47-0x00000000076C0000-0x00000000076DE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/4360-37-0x0000000070F80000-0x00000000712D4000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/4360-36-0x0000000070BB0000-0x0000000070BFC000-memory.dmp

              Filesize

              304KB

              Download

            • memory/4360-13-0x0000000005190000-0x00000000051B2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/4360-34-0x000000007EF40000-0x000000007EF50000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4360-32-0x0000000007530000-0x000000000754A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/4360-31-0x0000000007B90000-0x000000000820A000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/4360-30-0x0000000007490000-0x0000000007506000-memory.dmp

              Filesize

              472KB

              Download

            • memory/4360-28-0x0000000006710000-0x0000000006754000-memory.dmp

              Filesize

              272KB

              Download

            • memory/4360-27-0x00000000061A0000-0x00000000061EC000-memory.dmp

              Filesize

              304KB

              Download

            • memory/4360-14-0x00000000059B0000-0x0000000005A16000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4360-26-0x0000000006160000-0x000000000617E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/4360-25-0x0000000005B10000-0x0000000005E64000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/4360-15-0x0000000005A20000-0x0000000005A86000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4400-132-0x0000000000400000-0x0000000002833000-memory.dmp

              Filesize

              36.2MB

              Download

            • memory/4400-64-0x0000000000400000-0x0000000002833000-memory.dmp

              Filesize

              36.2MB

              Download

            • memory/4400-164-0x0000000000400000-0x0000000002833000-memory.dmp

              Filesize

              36.2MB

              Download

            • memory/4400-95-0x0000000000400000-0x0000000002833000-memory.dmp

              Filesize

              36.2MB

              Download

            • memory/4400-80-0x0000000000400000-0x0000000002833000-memory.dmp

              Filesize

              36.2MB

              Download

            • memory/4400-62-0x00000000044F0000-0x00000000048E8000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/4400-63-0x00000000048F0000-0x00000000051DB000-memory.dmp

              Filesize

              8.9MB

              Download

            • memory/4400-65-0x0000000000400000-0x0000000002833000-memory.dmp

              Filesize

              36.2MB

              Download

            • memory/4556-169-0x0000000000400000-0x0000000002833000-memory.dmp

              Filesize

              36.2MB

              Download

            • memory/4556-200-0x0000000000400000-0x0000000002833000-memory.dmp

              Filesize

              36.2MB

              Download

            • memory/4556-235-0x0000000000400000-0x0000000002833000-memory.dmp

              Filesize

              36.2MB

              Download