Overview

overview

10

Static

static

1

17cb7a0152...ec.exe

windows7-x64

10

17cb7a0152...ec.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    183s
  • max time network
    192s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-10-2023 05:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    17cb7a01526ff294e454e1dfa22035d5f50fe296a03dbbf5470ce11b43cec8ec.exe

  • Size

    4.2MB

  • MD5

    ee29fda58a52b059c002c4913d87179b

  • SHA1

    9460aae379f6bc820360c7cf615d7e648d2a470c

  • SHA256

    17cb7a01526ff294e454e1dfa22035d5f50fe296a03dbbf5470ce11b43cec8ec

  • SHA512

    0122d214201b1977247fa42c23871b31b3154838eded8c4be0b864a46fa36233322c0757c19edf334b1bfa4dbef72ee250177aa32caab436ba97b968cfd07193

  • SSDEEP

    98304:b/CKrjXl5mXZh8/f5G4pbp4l/41Uy7ZE9TJZo2jBPDSIE51GEa1X2:jFrj788n5GC4t41/aTJjVDS/1NaN2

Score
10/10
gluptebadropperevasionloader

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 12 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Drops file in System32 directory 3 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\17cb7a01526ff294e454e1dfa22035d5f50fe296a03dbbf5470ce11b43cec8ec.exe
    "C:\Users\Admin\AppData\Local\Temp\17cb7a01526ff294e454e1dfa22035d5f50fe296a03dbbf5470ce11b43cec8ec.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4928
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2368
    • C:\Users\Admin\AppData\Local\Temp\17cb7a01526ff294e454e1dfa22035d5f50fe296a03dbbf5470ce11b43cec8ec.exe
      "C:\Users\Admin\AppData\Local\Temp\17cb7a01526ff294e454e1dfa22035d5f50fe296a03dbbf5470ce11b43cec8ec.exe"
      2⤵
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5040
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4504
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2420
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:5108
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3536
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1020

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hendyzkm.tmd.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize

    19KB

    MD5

    c1462a9212927432e2aa1c7e4cebed30

    SHA1

    2f834106ca15defc9ff6af20f29558b080aa3b9f

    SHA256

    1ddcc0af6b8630d642c836ca437063e13b3a1ca0b2613843bb6d9e633f1fa0b7

    SHA512

    052a9f1c7416535284ea2e20dbde6cea53778286eaa72cfc523cf1d8e97178c5bc1b1f128834f893ea46c86101485e4fe79c94990d131589665c17490684229a

    Download Submit

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize

    19KB

    MD5

    8209ea38a58c4b2f2cb865558660f7c8

    SHA1

    0bd9ccf382aa2553577ac2dea275ce79498840f6

    SHA256

    c342994165d20d78a32c1d8912ecf1404858c45e6853b9302831ff1f13ac4780

    SHA512

    af924ecb2076899558104f864fb853039d3a10f53e25c42c28bff2be32a712f326cc8ccb9f1dbcb8a62f423361cf6d3201ef735d9ef1f140d5ef29962e524338

    Download Submit

  • memory/1020-142-0x00000000050D0000-0x00000000050E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1020-141-0x00000000050D0000-0x00000000050E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1020-140-0x0000000074C30000-0x00000000753E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2368-59-0x0000000007BA0000-0x0000000007BAA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2368-45-0x00000000079F0000-0x0000000007A22000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2368-8-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2368-9-0x0000000004F20000-0x0000000004F56000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2368-10-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2368-13-0x0000000005500000-0x0000000005522000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2368-14-0x0000000005C30000-0x0000000005C96000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2368-15-0x0000000005CA0000-0x0000000005D06000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2368-11-0x0000000005590000-0x0000000005BB8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2368-25-0x0000000006010000-0x0000000006364000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2368-26-0x0000000074C30000-0x00000000753E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2368-27-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2368-28-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2368-66-0x0000000007C10000-0x0000000007C1E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2368-31-0x00000000065C0000-0x000000000660C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2368-33-0x00000000073E0000-0x0000000007424000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2368-35-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2368-36-0x00000000077F0000-0x0000000007866000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2368-63-0x000000007FDA0000-0x000000007FDB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2368-38-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2368-41-0x0000000007F70000-0x00000000085EA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2368-42-0x0000000000ED0000-0x0000000000EEA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2368-74-0x0000000074C30000-0x00000000753E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2368-44-0x000000007FDA0000-0x000000007FDB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2368-69-0x00000000076C0000-0x00000000076D4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2368-46-0x0000000070AD0000-0x0000000070B1C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2368-47-0x0000000070C50000-0x0000000070FA4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2368-57-0x00000000079D0000-0x00000000079EE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2368-58-0x0000000007AB0000-0x0000000007B53000-memory.dmp

    Filesize

    652KB

    Download

  • memory/2368-7-0x0000000074C30000-0x00000000753E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2368-60-0x0000000007CB0000-0x0000000007D46000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2368-61-0x0000000007BC0000-0x0000000007BD1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2368-71-0x0000000007C60000-0x0000000007C68000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2368-30-0x00000000064E0000-0x00000000064FE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2368-70-0x0000000007C80000-0x0000000007C9A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3536-113-0x0000000074C30000-0x00000000753E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3536-139-0x0000000074C30000-0x00000000753E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3536-128-0x0000000070C50000-0x0000000070FA4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3536-127-0x0000000070AD0000-0x0000000070B1C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3536-126-0x000000007F650000-0x000000007F660000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3536-125-0x0000000005030000-0x0000000005040000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3536-114-0x0000000005030000-0x0000000005040000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4504-78-0x0000000074C30000-0x00000000753E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4504-80-0x00000000010B0000-0x00000000010C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4504-90-0x00000000010B0000-0x00000000010C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4504-91-0x0000000070AD0000-0x0000000070B1C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4504-92-0x0000000070C50000-0x0000000070FA4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4504-102-0x00000000073F0000-0x0000000007493000-memory.dmp

    Filesize

    652KB

    Download

  • memory/4504-103-0x0000000007710000-0x0000000007721000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4504-105-0x0000000007760000-0x0000000007774000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4504-108-0x0000000074C30000-0x00000000753E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4504-79-0x00000000010B0000-0x00000000010C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4928-110-0x0000000000400000-0x0000000000D1B000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/4928-3-0x0000000000400000-0x0000000000D1B000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/4928-2-0x0000000002F60000-0x000000000384B000-memory.dmp

    Filesize

    8.9MB

    Download

  • memory/4928-6-0x0000000002F60000-0x000000000384B000-memory.dmp

    Filesize

    8.9MB

    Download

  • memory/4928-4-0x0000000002B50000-0x0000000002F51000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4928-43-0x0000000000400000-0x0000000000D1B000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/4928-1-0x0000000002B50000-0x0000000002F51000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4928-37-0x0000000000400000-0x0000000000D1B000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/4928-12-0x0000000000400000-0x0000000000D1B000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/4928-5-0x0000000000400000-0x0000000000D1B000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/4928-73-0x0000000000400000-0x0000000000D1B000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/5040-104-0x0000000002B10000-0x0000000002F0A000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/5040-77-0x0000000000400000-0x0000000000D1B000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/5040-76-0x0000000002B10000-0x0000000002F0A000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/5040-112-0x0000000000400000-0x0000000000D1B000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/5040-109-0x0000000000400000-0x0000000000D1B000-memory.dmp

    Filesize

    9.1MB

    Download