Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    44s
  • max time network
    20s
  • platform
    windows10-1703_x64
  • resource
    win10-20231020-en
  • resource tags

    arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
  • submitted
    06/11/2023, 01:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4f8670f1f3022f7fde10833446afb03a229f11a3e308d5659cb2db535975996e.exe

  • Size

    4.1MB

  • MD5

    346f7cec1ca5e01ad4915782a9766e2f

  • SHA1

    2626ca931cf677616212e7cb42c813425da7b597

  • SHA256

    4f8670f1f3022f7fde10833446afb03a229f11a3e308d5659cb2db535975996e

  • SHA512

    4e1abff954a2601dc89800ae37d4416655c10918bc85a20cd794b001eb0b9d8ad41dfc5f6b538fc2d0f321b060f7513886953038382f6547c356cabbbe25f1a5

  • SSDEEP

    98304:NdTo180BUDmy/cmtnZjtg+GKFSPeUtG02X:/oC0KDjtJUtG0e

Score
10/10
gluptebadropperevasionloaderpersistencetrojan

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 12 IoCs
  • Windows security bypass 2 TTPs 7 IoCs
    evasiontrojan
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f8670f1f3022f7fde10833446afb03a229f11a3e308d5659cb2db535975996e.exe
    "C:\Users\Admin\AppData\Local\Temp\4f8670f1f3022f7fde10833446afb03a229f11a3e308d5659cb2db535975996e.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2920
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3852
    • C:\Users\Admin\AppData\Local\Temp\4f8670f1f3022f7fde10833446afb03a229f11a3e308d5659cb2db535975996e.exe
      "C:\Users\Admin\AppData\Local\Temp\4f8670f1f3022f7fde10833446afb03a229f11a3e308d5659cb2db535975996e.exe"
      2⤵
      • Windows security bypass
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3592
      • C:\Windows\System32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3888
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:1012
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4024
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:32
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        PID:5076

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bajlz03d.jfq.ps1
    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    Download Submit

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    1c19c16e21c97ed42d5beabc93391fc5

    SHA1

    8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

    SHA256

    1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

    SHA512

    7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

    Download Submit

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize

    18KB

    MD5

    e330bf6cac8100bec0a15f7419cc921e

    SHA1

    100ae3d45ce7c5143db96cb98115e1bcc96d0241

    SHA256

    de19c5a8a07e91bc00a38e03fc84fb6e4aed897b2bb6ef92e5aa4b133009e306

    SHA512

    b281c8e45dbe75d8453bab0ed0befda3e92fc6fd7e60dc73bbcb66916f18470d84d6755c135d39ca0f17dda0ee01a753be6eda785acc7546535a9e847dc76d2f

    Download Submit

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize

    18KB

    MD5

    8f49a991fc25d7b341f27d7d00ff40c8

    SHA1

    d5bede7a4819ddfdc64bcf369d324388f5208673

    SHA256

    aadfc6e92c80c1161e3ba23eee3f7f814e79ae7d4f5bd1230eae7853e42102ef

    SHA512

    7e6256e5a666626b9781c4d8707bfd67c1d5a78187ecdec0e5d16cbe1f55ef3e2e21a7523eef3e730fc2ab1168176262d89d31c4263a14435b5177ca860e236b

    Download Submit

  • C:\Windows\rss\csrss.exe
    Filesize

    4.1MB

    MD5

    346f7cec1ca5e01ad4915782a9766e2f

    SHA1

    2626ca931cf677616212e7cb42c813425da7b597

    SHA256

    4f8670f1f3022f7fde10833446afb03a229f11a3e308d5659cb2db535975996e

    SHA512

    4e1abff954a2601dc89800ae37d4416655c10918bc85a20cd794b001eb0b9d8ad41dfc5f6b538fc2d0f321b060f7513886953038382f6547c356cabbbe25f1a5

    Download Submit

  • C:\Windows\rss\csrss.exe
    Filesize

    4.1MB

    MD5

    346f7cec1ca5e01ad4915782a9766e2f

    SHA1

    2626ca931cf677616212e7cb42c813425da7b597

    SHA256

    4f8670f1f3022f7fde10833446afb03a229f11a3e308d5659cb2db535975996e

    SHA512

    4e1abff954a2601dc89800ae37d4416655c10918bc85a20cd794b001eb0b9d8ad41dfc5f6b538fc2d0f321b060f7513886953038382f6547c356cabbbe25f1a5

    Download Submit

  • memory/32-808-0x0000000007640000-0x0000000007650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/32-831-0x000000006FEC0000-0x0000000070210000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/32-830-0x000000007F2B0000-0x000000007F2C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/32-836-0x0000000007640000-0x0000000007650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/32-829-0x000000006FE50000-0x000000006FE9B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/32-807-0x0000000007640000-0x0000000007650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/32-1049-0x0000000073120000-0x000000007380E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/32-806-0x0000000073120000-0x000000007380E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1636-309-0x0000000002970000-0x0000000002D6C000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1636-828-0x0000000000400000-0x0000000000D1B000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1636-1053-0x0000000000400000-0x0000000000D1B000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1636-559-0x0000000000400000-0x0000000000D1B000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1636-412-0x0000000000400000-0x0000000000D1B000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1636-335-0x0000000002970000-0x0000000002D6C000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1636-310-0x0000000000400000-0x0000000000D1B000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/2920-71-0x0000000000400000-0x0000000000D1B000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/2920-307-0x0000000000400000-0x0000000000D1B000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/2920-2-0x0000000002E30000-0x000000000371B000-memory.dmp

    Filesize

    8.9MB

    Download

  • memory/2920-3-0x0000000000400000-0x0000000000D1B000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/2920-13-0x0000000002A30000-0x0000000002E2F000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2920-86-0x0000000000400000-0x0000000000D1B000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/2920-40-0x0000000002E30000-0x000000000371B000-memory.dmp

    Filesize

    8.9MB

    Download

  • memory/2920-1-0x0000000002A30000-0x0000000002E2F000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/3592-343-0x00000000053A0000-0x00000000053B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3592-342-0x0000000009D60000-0x0000000009E05000-memory.dmp

    Filesize

    660KB

    Download

  • memory/3592-337-0x000000006FEC0000-0x0000000070210000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3592-336-0x000000006FE50000-0x000000006FE9B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3592-558-0x0000000073120000-0x000000007380E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3592-314-0x00000000053A0000-0x00000000053B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3592-316-0x00000000088F0000-0x000000000893B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3592-315-0x0000000008260000-0x00000000085B0000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3592-311-0x0000000073120000-0x000000007380E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3852-306-0x0000000073020000-0x000000007370E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3852-10-0x0000000006EE0000-0x0000000007508000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3852-77-0x0000000009950000-0x0000000009983000-memory.dmp

    Filesize

    204KB

    Download

  • memory/3852-78-0x000000006FD30000-0x000000006FD7B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3852-288-0x0000000004870000-0x0000000004878000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3852-283-0x0000000009B20000-0x0000000009B3A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3852-160-0x00000000029D0000-0x00000000029E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3852-89-0x0000000009B40000-0x0000000009BD4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/3852-68-0x0000000008B20000-0x0000000008B96000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3852-87-0x0000000073020000-0x000000007370E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3852-88-0x00000000029D0000-0x00000000029E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3852-36-0x0000000007FB0000-0x0000000007FEC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3852-79-0x000000006FD80000-0x00000000700D0000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3852-80-0x0000000009930000-0x000000000994E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3852-17-0x00000000079D0000-0x0000000007A1B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3852-7-0x00000000041D0000-0x0000000004206000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3852-6-0x0000000073020000-0x000000007370E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3852-8-0x00000000029D0000-0x00000000029E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3852-9-0x00000000029D0000-0x00000000029E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3852-16-0x00000000079B0000-0x00000000079CC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3852-15-0x00000000075E0000-0x0000000007930000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3852-14-0x0000000007570000-0x00000000075D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3852-12-0x0000000006CC0000-0x0000000006D26000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3852-85-0x0000000009990000-0x0000000009A35000-memory.dmp

    Filesize

    660KB

    Download

  • memory/3852-11-0x0000000006C20000-0x0000000006C42000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3852-76-0x000000007F250000-0x000000007F260000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4024-803-0x0000000073120000-0x000000007380E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4024-590-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4024-585-0x000000006FEA0000-0x00000000701F0000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4024-584-0x000000006FE50000-0x000000006FE9B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4024-564-0x0000000007CF0000-0x0000000008040000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4024-563-0x0000000073120000-0x000000007380E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/5076-1056-0x0000000003000000-0x00000000033F9000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/5076-1057-0x0000000000400000-0x0000000000D1B000-memory.dmp

    Filesize

    9.1MB

    Download