Analysis
-
max time kernel
190s -
max time network
200s -
platform
windows10-1703_x64 -
resource
win10-20230915-en -
resource tags
-
submitted
13-10-2023 13:04
General
-
Target
f6f7dd8954f65c81374749419c32f12b3a3d92a873405d550550423a1d3aa473.exe
-
Size
4.1MB
-
MD5
9d0e5c1469e0f5c8b3e17512d5215a39
-
SHA1
503cfb1b741dd2e6ba9719c5acbd1873bd99a191
-
SHA256
f6f7dd8954f65c81374749419c32f12b3a3d92a873405d550550423a1d3aa473
-
SHA512
a09d02c70cfc963168dabfeec4443d8e32f3b32f966df1b01e4a24e8ec8845b09f4b25921ec9340292b4e1c28e5226a7c276933ab02869c8c14b5b911c767be0
-
SSDEEP
98304:Hlhp/+MAY8LSBetbsJnYPJay0ram2uVyHV/vsKO4IVa8TY/jpHwr/:HlT/+M2+BeVsJYPms9vsd3Va8M/jpG
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 20 IoCs
-
Windows security bypass 2 TTPs 7 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Windows security modification 2 TTPs 7 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 6 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 2 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f6f7dd8954f65c81374749419c32f12b3a3d92a873405d550550423a1d3aa473.exe"C:\Users\Admin\AppData\Local\Temp\f6f7dd8954f65c81374749419c32f12b3a3d92a873405d550550423a1d3aa473.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\f6f7dd8954f65c81374749419c32f12b3a3d92a873405d550550423a1d3aa473.exe"C:\Users\Admin\AppData\Local\Temp\f6f7dd8954f65c81374749419c32f12b3a3d92a873405d550550423a1d3aa473.exe"2⤵
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_br1qafbi.jz3.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5db01a2c1c7e70b2b038edf8ad5ad9826
SHA1540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD59b037a058b2527ff7b39dcd42f68b805
SHA1df6c04e69d9901b36a3be57ccd0d6f457753983a
SHA2564fa6b65fd55c726e26e47b9b8df85ee43509910bb3183e15d286877f4926fb98
SHA512d05ee77f116a1890644be9414f779b20cc997b88bb2dcb8eee1ffcf860749ae460e85bc5afbf487cceafef3886e0b91089c4c38c9a0316276a753fb0dceb24eb
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD50c8dbc243e178f0c5f19e3acee541b52
SHA1418d6ac0bf4c4f4f2542e1f98b290089f66d2198
SHA2561ab074a739c14cab8e47ecf7918fd88b976d11928bb63fa6071ae4b4405f186d
SHA512593d2ed80db0eed2cd1daa553d1c0e1870ee4d1ba6d6a14bd0ceb4d496c9ba84827a2d25c739f2d335b509a4a6f0a5e04bc7a57f483b654b2aff25ae36f11728
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD5b9c147c1e5b6bf7a3de2d4f9bf25ad6a
SHA140d1cae43560ee92fc72a9b750f4ad4f095276ff
SHA256f711cf81c008086fe316f55091fb333f45b3d54f71c3cc86ffe32e0aef7e2980
SHA512756e7de0bcd6a103b8a94d12ff099457d936b802dd5fda58c9ae6aa1a9062b9de20e46b196a9387bff2ee5491866dbd20e89f83691712575d269cdadc6426621
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD5bd28cf6f4e664d3b05b727698017ccfd
SHA118295e28106a8ef454469ea5e9172df359af3949
SHA256cd5d0db16c2613e36423170910974b4702a7886f81c0adda431868baebe88282
SHA512466e35c93f73c386a9f5493ce4ba66afd75be91e1a438907d1e5b07fd187267c78733b4f51f0a8bd7d3e85c7c22841ed0e45e324636acd5280721d984066ca84
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD55f549975bc3672f3636da9a118cd0468
SHA1a378628fc3d9db3d75445dafb4935c8c4d9fdfba
SHA25612076363b74e6e00d44dc28b5abb9883eba760d4dba140b8dba5af83f385ff02
SHA5128abc05beadd955de923c92d8ae9373c5fc4edfbd91e2db63a4f16fa577f9261467124f39ed946a36636c908a756f8d0455a1c578b57752f6ada260ea3947ad2c
-
C:\Windows\rss\csrss.exeFilesize
4.1MB
MD59d0e5c1469e0f5c8b3e17512d5215a39
SHA1503cfb1b741dd2e6ba9719c5acbd1873bd99a191
SHA256f6f7dd8954f65c81374749419c32f12b3a3d92a873405d550550423a1d3aa473
SHA512a09d02c70cfc963168dabfeec4443d8e32f3b32f966df1b01e4a24e8ec8845b09f4b25921ec9340292b4e1c28e5226a7c276933ab02869c8c14b5b911c767be0
-
C:\Windows\rss\csrss.exeFilesize
4.1MB
MD59d0e5c1469e0f5c8b3e17512d5215a39
SHA1503cfb1b741dd2e6ba9719c5acbd1873bd99a191
SHA256f6f7dd8954f65c81374749419c32f12b3a3d92a873405d550550423a1d3aa473
SHA512a09d02c70cfc963168dabfeec4443d8e32f3b32f966df1b01e4a24e8ec8845b09f4b25921ec9340292b4e1c28e5226a7c276933ab02869c8c14b5b911c767be0
-
memory/200-814-0x0000000073720000-0x0000000073E0E000-memory.dmpFilesize
6.9MB
-
memory/200-1055-0x0000000073720000-0x0000000073E0E000-memory.dmpFilesize
6.9MB
-
memory/200-992-0x0000000073720000-0x0000000073E0E000-memory.dmpFilesize
6.9MB
-
memory/200-841-0x0000000007180000-0x0000000007190000-memory.dmpFilesize
64KB
-
memory/200-835-0x0000000070450000-0x000000007049B000-memory.dmpFilesize
300KB
-
memory/200-836-0x00000000704A0000-0x00000000707F0000-memory.dmpFilesize
3.3MB
-
memory/2484-830-0x0000000000400000-0x0000000002FB8000-memory.dmpFilesize
43.7MB
-
memory/2484-568-0x0000000000400000-0x0000000002FB8000-memory.dmpFilesize
43.7MB
-
memory/2484-1056-0x0000000000400000-0x0000000002FB8000-memory.dmpFilesize
43.7MB
-
memory/2484-315-0x0000000000400000-0x0000000002FB8000-memory.dmpFilesize
43.7MB
-
memory/2484-313-0x0000000004C60000-0x0000000005062000-memory.dmpFilesize
4.0MB
-
memory/2484-335-0x0000000004C60000-0x0000000005062000-memory.dmpFilesize
4.0MB
-
memory/2484-342-0x0000000000400000-0x0000000002FB8000-memory.dmpFilesize
43.7MB
-
memory/2484-1058-0x0000000000400000-0x0000000002FB8000-memory.dmpFilesize
43.7MB
-
memory/2484-1061-0x0000000000400000-0x0000000002FB8000-memory.dmpFilesize
43.7MB
-
memory/2760-598-0x0000000004D40000-0x0000000004D50000-memory.dmpFilesize
64KB
-
memory/2760-570-0x0000000073720000-0x0000000073E0E000-memory.dmpFilesize
6.9MB
-
memory/2760-572-0x0000000004D40000-0x0000000004D50000-memory.dmpFilesize
64KB
-
memory/2760-571-0x0000000004D40000-0x0000000004D50000-memory.dmpFilesize
64KB
-
memory/2760-592-0x0000000070450000-0x000000007049B000-memory.dmpFilesize
300KB
-
memory/2760-593-0x00000000704A0000-0x00000000707F0000-memory.dmpFilesize
3.3MB
-
memory/2760-811-0x0000000073720000-0x0000000073E0E000-memory.dmpFilesize
6.9MB
-
memory/3188-319-0x00000000080A0000-0x00000000083F0000-memory.dmpFilesize
3.3MB
-
memory/3188-341-0x00000000704A0000-0x00000000707F0000-memory.dmpFilesize
3.3MB
-
memory/3188-350-0x0000000007170000-0x0000000007180000-memory.dmpFilesize
64KB
-
memory/3188-349-0x0000000073720000-0x0000000073E0E000-memory.dmpFilesize
6.9MB
-
memory/3188-348-0x0000000009B00000-0x0000000009BA5000-memory.dmpFilesize
660KB
-
memory/3188-565-0x0000000073720000-0x0000000073E0E000-memory.dmpFilesize
6.9MB
-
memory/3188-340-0x0000000070450000-0x000000007049B000-memory.dmpFilesize
300KB
-
memory/3188-351-0x0000000007170000-0x0000000007180000-memory.dmpFilesize
64KB
-
memory/3188-317-0x0000000073720000-0x0000000073E0E000-memory.dmpFilesize
6.9MB
-
memory/3188-318-0x0000000007170000-0x0000000007180000-memory.dmpFilesize
64KB
-
memory/3188-320-0x0000000008AD0000-0x0000000008B1B000-memory.dmpFilesize
300KB
-
memory/3540-1065-0x0000000005500000-0x0000000005DEB000-memory.dmpFilesize
8.9MB
-
memory/3540-1064-0x0000000005100000-0x00000000054F9000-memory.dmpFilesize
4.0MB
-
memory/3540-1066-0x0000000000400000-0x0000000002FB8000-memory.dmpFilesize
43.7MB
-
memory/3540-1068-0x0000000000400000-0x0000000002FB8000-memory.dmpFilesize
43.7MB
-
memory/3540-1320-0x0000000000400000-0x0000000002FB8000-memory.dmpFilesize
43.7MB
-
memory/3540-1321-0x0000000000400000-0x0000000002FB8000-memory.dmpFilesize
43.7MB
-
memory/3540-1322-0x0000000000400000-0x0000000002FB8000-memory.dmpFilesize
43.7MB
-
memory/3540-1713-0x0000000000400000-0x0000000002FB8000-memory.dmpFilesize
43.7MB
-
memory/3560-77-0x000000007E920000-0x000000007E930000-memory.dmpFilesize
64KB
-
memory/3560-14-0x00000000083E0000-0x0000000008446000-memory.dmpFilesize
408KB
-
memory/3560-87-0x0000000007440000-0x0000000007450000-memory.dmpFilesize
64KB
-
memory/3560-86-0x000000000A7C0000-0x000000000A865000-memory.dmpFilesize
660KB
-
memory/3560-81-0x000000000A760000-0x000000000A77E000-memory.dmpFilesize
120KB
-
memory/3560-80-0x0000000070380000-0x00000000706D0000-memory.dmpFilesize
3.3MB
-
memory/3560-79-0x0000000070330000-0x000000007037B000-memory.dmpFilesize
300KB
-
memory/3560-78-0x000000000A780000-0x000000000A7B3000-memory.dmpFilesize
204KB
-
memory/3560-160-0x0000000007440000-0x0000000007450000-memory.dmpFilesize
64KB
-
memory/3560-72-0x0000000073620000-0x0000000073D0E000-memory.dmpFilesize
6.9MB
-
memory/3560-69-0x00000000099C0000-0x0000000009A36000-memory.dmpFilesize
472KB
-
memory/3560-38-0x0000000008DC0000-0x0000000008DFC000-memory.dmpFilesize
240KB
-
memory/3560-287-0x00000000098F0000-0x000000000990A000-memory.dmpFilesize
104KB
-
memory/3560-292-0x00000000098E0000-0x00000000098E8000-memory.dmpFilesize
32KB
-
memory/3560-17-0x0000000008D70000-0x0000000008DBB000-memory.dmpFilesize
300KB
-
memory/3560-16-0x00000000087E0000-0x00000000087FC000-memory.dmpFilesize
112KB
-
memory/3560-15-0x0000000008450000-0x00000000087A0000-memory.dmpFilesize
3.3MB
-
memory/3560-88-0x0000000007440000-0x0000000007450000-memory.dmpFilesize
64KB
-
memory/3560-310-0x0000000073620000-0x0000000073D0E000-memory.dmpFilesize
6.9MB
-
memory/3560-12-0x0000000008300000-0x0000000008366000-memory.dmpFilesize
408KB
-
memory/3560-11-0x0000000007A50000-0x0000000007A72000-memory.dmpFilesize
136KB
-
memory/3560-10-0x0000000007A80000-0x00000000080A8000-memory.dmpFilesize
6.2MB
-
memory/3560-9-0x0000000007440000-0x0000000007450000-memory.dmpFilesize
64KB
-
memory/3560-8-0x0000000007440000-0x0000000007450000-memory.dmpFilesize
64KB
-
memory/3560-7-0x0000000073620000-0x0000000073D0E000-memory.dmpFilesize
6.9MB
-
memory/3560-89-0x000000000A9A0000-0x000000000AA34000-memory.dmpFilesize
592KB
-
memory/3560-6-0x0000000007330000-0x0000000007366000-memory.dmpFilesize
216KB
-
memory/3560-159-0x000000007E920000-0x000000007E930000-memory.dmpFilesize
64KB
-
memory/4016-158-0x0000000000400000-0x0000000002FB8000-memory.dmpFilesize
43.7MB
-
memory/4016-1-0x0000000004CA0000-0x00000000050A8000-memory.dmpFilesize
4.0MB
-
memory/4016-311-0x0000000000400000-0x0000000002FB8000-memory.dmpFilesize
43.7MB
-
memory/4016-13-0x0000000004CA0000-0x00000000050A8000-memory.dmpFilesize
4.0MB
-
memory/4016-18-0x00000000050B0000-0x000000000599B000-memory.dmpFilesize
8.9MB
-
memory/4016-3-0x0000000000400000-0x0000000002FB8000-memory.dmpFilesize
43.7MB
-
memory/4016-2-0x00000000050B0000-0x000000000599B000-memory.dmpFilesize
8.9MB
-
memory/4016-27-0x0000000000400000-0x0000000002FB8000-memory.dmpFilesize
43.7MB