glupteba | e76bb9f1cc2868712a09b19554a2266393eb39477fa1d0867b3838475b9f0000

Analysis

max time kernel
22s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 02:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

JC_e76bb9f1cc2868712a09b19554a2266393eb39477fa1d0867b3838475b9f0000.exe
Size

4.2MB
MD5

a19dc53f48ae95c2586c937c63ae65ef
SHA1

334b77856c3b714657a50f95a06a3ec547ac326a
SHA256

e76bb9f1cc2868712a09b19554a2266393eb39477fa1d0867b3838475b9f0000
SHA512

96b9ed16ada17a96a7309609e053698fe97dba9f82e7c0fc17e8cd4ea2e362a8c57bce5e7faa6f8fbbc409f50affe21d04ceb1284395893ce0b864ae90be9db0
SSDEEP

98304:Gyk9VTj2PayXErp5VUtL5ewbuJLDtQjrUmXxgSc:fejEayUxeHuJLDtQn3XxE

Score

10^/10

glupteba dropper evasion loader upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 4 IoCs

resource	yara_rule
behavioral1/memory/2692-1-0x00000000044B0000-0x0000000004D9B000-memory.dmp	family_glupteba
behavioral1/memory/2692-3-0x0000000000400000-0x0000000002828000-memory.dmp	family_glupteba
behavioral1/memory/2756-107-0x0000000000400000-0x0000000002828000-memory.dmp	family_glupteba
behavioral1/memory/2756-108-0x0000000000400000-0x0000000002828000-memory.dmp	family_glupteba

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2436	netsh.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000004ed7-137.dat	upx
behavioral1/memory/2408-138-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-139.dat	upx
behavioral1/files/0x0005000000004ed7-140.dat	upx
behavioral1/memory/2408-142-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1760-141-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1760-144-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1760-148-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/files/0x0005000000005b97-156.dat	upx
behavioral1/files/0x0005000000005b97-158.dat	upx
behavioral1/files/0x0005000000005b97-154.dat	upx
behavioral1/files/0x0005000000005b97-152.dat	upx
behavioral1/memory/2756-159-0x000000002FA30000-0x0000000030255000-memory.dmp	upx
behavioral1/memory/984-160-0x0000000000400000-0x0000000000C25000-memory.dmp	upx
behavioral1/memory/1760-163-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/984-164-0x0000000000400000-0x0000000000C25000-memory.dmp	upx
behavioral1/memory/984-168-0x0000000000400000-0x0000000000C25000-memory.dmp	upx

Modifies boot configuration data using bcdedit 1 IoCs

pid	Process
1620	bcdedit.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2028	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
288	schtasks.exe
2416	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\JC_e76bb9f1cc2868712a09b19554a2266393eb39477fa1d0867b3838475b9f0000.exe
"C:\Users\Admin\AppData\Local\Temp\JC_e76bb9f1cc2868712a09b19554a2266393eb39477fa1d0867b3838475b9f0000.exe"
1⤵
PID:2692
- C:\Users\Admin\AppData\Local\Temp\JC_e76bb9f1cc2868712a09b19554a2266393eb39477fa1d0867b3838475b9f0000.exe
  "C:\Users\Admin\AppData\Local\Temp\JC_e76bb9f1cc2868712a09b19554a2266393eb39477fa1d0867b3838475b9f0000.exe"
  2⤵
  PID:2444
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:2988
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:2756
  - - C:\Windows\system32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:1908
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:288
  - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
      "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
      4⤵
      PID:1592
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:1512
  - - C:\Windows\system32\bcdedit.exe
      C:\Windows\Sysnative\bcdedit.exe /v
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1620
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2416
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:2408
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:2200
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
      4⤵
      PID:984
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn "csrss" /f
        5⤵
        
        PID:2548
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn "ScheduledUpdate" /f
        5⤵
        
        PID:1992

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231018002524.log C:\Windows\Logs\CBS\CbsPersist_20231018002524.cab
1⤵
PID:2664

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:2436

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabF153.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
3.6MB

MD5
8133b771470de41a074d57f4d2ddf9f9

SHA1
c3c386f20929aca2881698c25fc7268904ec8fcc

SHA256
507be3037dddb3c8ef0df8070a6e1f960a56bff020d1dc312c8ee4b2ddbd0591

SHA512
157cda50348d7ad0a9bde6cc2aaf7750f9b6bec74409125ee684ffc252d8395e87cde6304f55773a1744fe4a554c8a2c265ac0e4e3c1a993e11be20f4227fd5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
395KB

MD5
5da3a881ef991e8010deed799f1a5aaf

SHA1
fea1acea7ed96d7c9788783781e90a2ea48c1a53

SHA256
f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4

SHA512
24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF211.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

Filesize
1.9MB

MD5
9fd6316d212b02ee1ae2de08563343d5

SHA1
969db6826c6d5661f4d53381e916523b06a7281a

SHA256
dbe04c7853ec8e4b57fae34bc2335dc97903fa1cc8ee18857e57e3ba605ec0fb

SHA512
ccc0b6272457e4eaa67a4260d60e1ac4665d5160b7ac130aa50a2484b060b3f24bfef9ecb14fa23350a07a92e0bad0e62ed6f69f2a53abfe254932c5505993b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

Filesize
1.4MB

MD5
e5f1aebf79c2d3e9fe8cd8bcdcb592f0

SHA1
06fc3e96625ea2b509b8be5d1e2a2e752912cca1

SHA256
d2a733f734af0e62d958e6148846aa262a0187acf4f7ac0f0322cc057da4f004

SHA512
fa82bfb2025438f6d274bfbd40a892cf11fcb6ee0b53c489730d9cf9193864b72e8adf70e3ed388719d247891d4f7284f83e99c91479cb257c062269c6a27589

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Filesize
99KB

MD5
09031a062610d77d685c9934318b4170

SHA1
880f744184e7774f3d14c1bb857e21cc7fe89a6d

SHA256
778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd

SHA512
9a276e1f0f55d35f2bf38eb093464f7065bdd30a660e6d1c62eed5e76d1fb2201567b89d9ae65d2d89dc99b142159e36fb73be8d5e08252a975d50544a7cda27

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
4.4MB

MD5
31026c13a67f008f335e9b7f261ed87d

SHA1
b4d3c921301537a6d1a141e26db0fbbb97ba085d

SHA256
b5836c9b4fa82d1498ea13487d418b2a761b04de3d997ed20b0518d54dedb976

SHA512
87ecaf532200b03d09d75917b3e568a596e284c879a944f13b297a60264fa7e886411199c6944ce23c9fbe1038f0cc6b2c1f149175a266c6fc46954b8c758da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Windows\rss\csrss.exe

Filesize
3.9MB

MD5
25f60f80a339670314b0b93452dda555

SHA1
33a95b18a5adaedf830e8fd4d32aec3f4139f7f6

SHA256
883d95a30869005d5ef1bc79c0a96a9212cd1d01d76164a42bdd6c1948cc2333

SHA512
c041192a8b1b07e1332dcd53722989a52813c36813d156fb0790504882924e09364e2d212170a833af9f809fe5c1a87e77eb85e29b947dab88d20e75af8fac32

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
a19dc53f48ae95c2586c937c63ae65ef

SHA1
334b77856c3b714657a50f95a06a3ec547ac326a

SHA256
e76bb9f1cc2868712a09b19554a2266393eb39477fa1d0867b3838475b9f0000

SHA512
96b9ed16ada17a96a7309609e053698fe97dba9f82e7c0fc17e8cd4ea2e362a8c57bce5e7faa6f8fbbc409f50affe21d04ceb1284395893ce0b864ae90be9db0

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
a19dc53f48ae95c2586c937c63ae65ef

SHA1
334b77856c3b714657a50f95a06a3ec547ac326a

SHA256
e76bb9f1cc2868712a09b19554a2266393eb39477fa1d0867b3838475b9f0000

SHA512
96b9ed16ada17a96a7309609e053698fe97dba9f82e7c0fc17e8cd4ea2e362a8c57bce5e7faa6f8fbbc409f50affe21d04ceb1284395893ce0b864ae90be9db0

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

Filesize
1.4MB

MD5
e5f1aebf79c2d3e9fe8cd8bcdcb592f0

SHA1
06fc3e96625ea2b509b8be5d1e2a2e752912cca1

SHA256
d2a733f734af0e62d958e6148846aa262a0187acf4f7ac0f0322cc057da4f004

SHA512
fa82bfb2025438f6d274bfbd40a892cf11fcb6ee0b53c489730d9cf9193864b72e8adf70e3ed388719d247891d4f7284f83e99c91479cb257c062269c6a27589

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

Filesize
1.4MB

MD5
e5f1aebf79c2d3e9fe8cd8bcdcb592f0

SHA1
06fc3e96625ea2b509b8be5d1e2a2e752912cca1

SHA256
d2a733f734af0e62d958e6148846aa262a0187acf4f7ac0f0322cc057da4f004

SHA512
fa82bfb2025438f6d274bfbd40a892cf11fcb6ee0b53c489730d9cf9193864b72e8adf70e3ed388719d247891d4f7284f83e99c91479cb257c062269c6a27589

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
1.5MB

MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
4.4MB

MD5
3ad70dbbfb126c03b5982bcc6560f00a

SHA1
396f8666744142ff523c30dc8f78a833af30bef3

SHA256
f97d50e477f45bd274e6f1e8d0dc042a7110357ce53b8bb055259214f0fa4d91

SHA512
1d9135beafffed626abfcac99d6432b7c9fe4eb5cf48743ad2fcfad445584a82efad8a48199cf753111b25ae8568c139acc70fc6d7c066b47202c18027a664fa

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
4.4MB

MD5
4d529f4e29f9c1d883ed0fd80c7827e8

SHA1
1120a58776e0fa58a5ae97d192de2d7840b2194a

SHA256
dea3978b416e60af257b84e90c1a09cb8ed2abcf1fe4a1c2d3477ba06bfcfe4b

SHA512
7a1d36c6bc433f760d6577d55f2b8260ed99be387eb3a34f173f91c329aba9c41afeb61258e812ac7be9db3354ff9a3ca7e8960383bc2e6cc37f53c453241cb5

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
4.4MB

MD5
3ad70dbbfb126c03b5982bcc6560f00a

SHA1
396f8666744142ff523c30dc8f78a833af30bef3

SHA256
f97d50e477f45bd274e6f1e8d0dc042a7110357ce53b8bb055259214f0fa4d91

SHA512
1d9135beafffed626abfcac99d6432b7c9fe4eb5cf48743ad2fcfad445584a82efad8a48199cf753111b25ae8568c139acc70fc6d7c066b47202c18027a664fa

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
a19dc53f48ae95c2586c937c63ae65ef

SHA1
334b77856c3b714657a50f95a06a3ec547ac326a

SHA256
e76bb9f1cc2868712a09b19554a2266393eb39477fa1d0867b3838475b9f0000

SHA512
96b9ed16ada17a96a7309609e053698fe97dba9f82e7c0fc17e8cd4ea2e362a8c57bce5e7faa6f8fbbc409f50affe21d04ceb1284395893ce0b864ae90be9db0

Download Submit
\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
a19dc53f48ae95c2586c937c63ae65ef

SHA1
334b77856c3b714657a50f95a06a3ec547ac326a

SHA256
e76bb9f1cc2868712a09b19554a2266393eb39477fa1d0867b3838475b9f0000

SHA512
96b9ed16ada17a96a7309609e053698fe97dba9f82e7c0fc17e8cd4ea2e362a8c57bce5e7faa6f8fbbc409f50affe21d04ceb1284395893ce0b864ae90be9db0

Download Submit
memory/984-164-0x0000000000400000-0x0000000000C25000-memory.dmp

Filesize
8.1MB

Download
memory/984-168-0x0000000000400000-0x0000000000C25000-memory.dmp

Filesize
8.1MB

Download
memory/984-160-0x0000000000400000-0x0000000000C25000-memory.dmp

Filesize
8.1MB

Download
memory/1592-34-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1592-50-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1760-163-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1760-148-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1760-144-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1760-141-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2408-142-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2408-138-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2444-18-0x0000000000400000-0x0000000002828000-memory.dmp

Filesize
36.2MB

Download
memory/2444-27-0x0000000000400000-0x0000000002828000-memory.dmp

Filesize
36.2MB

Download
memory/2692-5-0x00000000040B0000-0x00000000044A8000-memory.dmp

Filesize
4.0MB

Download
memory/2692-4-0x0000000000400000-0x0000000002828000-memory.dmp

Filesize
36.2MB

Download
memory/2692-6-0x00000000044B0000-0x0000000004D9B000-memory.dmp

Filesize
8.9MB

Download
memory/2692-3-0x0000000000400000-0x0000000002828000-memory.dmp

Filesize
36.2MB

Download
memory/2692-2-0x0000000000400000-0x0000000002828000-memory.dmp

Filesize
36.2MB

Download
memory/2692-1-0x00000000044B0000-0x0000000004D9B000-memory.dmp

Filesize
8.9MB

Download
memory/2692-0-0x00000000040B0000-0x00000000044A8000-memory.dmp

Filesize
4.0MB

Download
memory/2756-112-0x0000000000400000-0x0000000002828000-memory.dmp

Filesize
36.2MB

Download
memory/2756-149-0x0000000000400000-0x0000000002828000-memory.dmp

Filesize
36.2MB

Download
memory/2756-147-0x0000000000400000-0x0000000002828000-memory.dmp

Filesize
36.2MB

Download
memory/2756-145-0x0000000000400000-0x0000000002828000-memory.dmp

Filesize
36.2MB

Download
memory/2756-143-0x0000000000400000-0x0000000002828000-memory.dmp

Filesize
36.2MB

Download
memory/2756-159-0x000000002FA30000-0x0000000030255000-memory.dmp

Filesize
8.1MB

Download
memory/2756-134-0x0000000000400000-0x0000000002828000-memory.dmp

Filesize
36.2MB

Download
memory/2756-161-0x000000002FA30000-0x0000000030255000-memory.dmp

Filesize
8.1MB

Download
memory/2756-162-0x0000000000400000-0x0000000002828000-memory.dmp

Filesize
36.2MB

Download
memory/2756-113-0x0000000000400000-0x0000000002828000-memory.dmp

Filesize
36.2MB

Download
memory/2756-108-0x0000000000400000-0x0000000002828000-memory.dmp

Filesize
36.2MB

Download
memory/2756-107-0x0000000000400000-0x0000000002828000-memory.dmp

Filesize
36.2MB

Download
memory/2756-30-0x0000000000400000-0x0000000002828000-memory.dmp

Filesize
36.2MB

Download
memory/2756-28-0x0000000004220000-0x0000000004618000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads