Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    43s
  • max time network
    24s
  • platform
    windows10-1703_x64
  • resource
    win10-20231023-en
  • resource tags

    arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
  • submitted
    07/11/2023, 11:36

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    129f0ee3535eadcec70aed07cd960fd30a71b39ebb236efb553f630414595e7f.exe

  • Size

    4.1MB

  • MD5

    d28b429652a35501cdfaa6934d627135

  • SHA1

    f464e9d09675f9daee83d5e542a4511fa7edc87f

  • SHA256

    129f0ee3535eadcec70aed07cd960fd30a71b39ebb236efb553f630414595e7f

  • SHA512

    1f96f30a4f501583c00a623600e14fe0ff7ad18a504120f183367ba703b6159b9b6176e5cbb5048b7d786561fe7e5f8fc7c62773d99a781bbbc95f62dd89bdb6

  • SSDEEP

    98304:fc0e3+aCj+36l5XW/GGCLh2mAzcPbvxZt6AKLzu8iOT:fcd3xCjPlFyGfoDz8DxZtHKHLfT

Score
10/10
gluptebadropperevasionloader

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 9 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Drops file in System32 directory 4 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\129f0ee3535eadcec70aed07cd960fd30a71b39ebb236efb553f630414595e7f.exe
    "C:\Users\Admin\AppData\Local\Temp\129f0ee3535eadcec70aed07cd960fd30a71b39ebb236efb553f630414595e7f.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3920
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2460
    • C:\Users\Admin\AppData\Local\Temp\129f0ee3535eadcec70aed07cd960fd30a71b39ebb236efb553f630414595e7f.exe
      "C:\Users\Admin\AppData\Local\Temp\129f0ee3535eadcec70aed07cd960fd30a71b39ebb236efb553f630414595e7f.exe"
      2⤵
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4356
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3856
      • C:\Windows\System32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3624
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Modifies data under HKEY_USERS
          PID:4480
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5000
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1732

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tiz51crg.zse.ps1
          Filesize

          1B

          MD5

          c4ca4238a0b923820dcc509a6f75849b

          SHA1

          356a192b7913b04c54574d18c28d46e6395428ab

          SHA256

          6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

          SHA512

          4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          1c19c16e21c97ed42d5beabc93391fc5

          SHA1

          8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

          SHA256

          1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

          SHA512

          7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          18KB

          MD5

          a68d3ad9c21a59f19e93e1dbd0e6b4e5

          SHA1

          44c88155890797cb1decdf4ea5fc63ae773266d6

          SHA256

          298bc2eeb32845f40d241fb28734481839dbc6aab8029acfa18b239dc481716d

          SHA512

          14723688ec03e0b4585b5394935f3ffe0e81a1019432da3b15984b4cdc21449ed5cf5137f922f98257337aa816232a85df7d9d6ebba163498d0ef2b424d6df66

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          18KB

          MD5

          6fa69467a005581b699cfae6f65c6f07

          SHA1

          8576dd536b07f7187122aec53d98a7f96be891a4

          SHA256

          735bde53ef9db1e55157b1764aeda78b7e0a051dd2db432b59a3490c99f5be1d

          SHA512

          c55e39ef829de77cca243804fdabcc27992331e057077f6699b6b5531c3cc4ed9e8ae7c41409ebe60ee5fb977444b9ff72369cb5c24ca6108bd9c75830d78af7

          Download Submit

        • memory/1732-1050-0x0000000072E50000-0x000000007353E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1732-837-0x00000000048B0000-0x00000000048C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1732-807-0x0000000072E50000-0x000000007353E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1732-808-0x00000000048B0000-0x00000000048C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1732-809-0x00000000048B0000-0x00000000048C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1732-831-0x000000006FB80000-0x000000006FBCB000-memory.dmp

          Filesize

          300KB

          Download

        • memory/1732-830-0x000000007EF50000-0x000000007EF60000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1732-832-0x000000006FBD0000-0x000000006FF20000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2460-78-0x000000006FA60000-0x000000006FAAB000-memory.dmp

          Filesize

          300KB

          Download

        • memory/2460-181-0x0000000005080000-0x0000000005090000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2460-15-0x0000000008030000-0x000000000804C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2460-35-0x0000000009480000-0x00000000094BC000-memory.dmp

          Filesize

          240KB

          Download

        • memory/2460-14-0x00000000081A0000-0x00000000084F0000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2460-67-0x0000000009550000-0x00000000095C6000-memory.dmp

          Filesize

          472KB

          Download

        • memory/2460-13-0x0000000008130000-0x0000000008196000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2460-12-0x0000000007F40000-0x0000000007FA6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2460-77-0x000000007E400000-0x000000007E410000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2460-76-0x000000000A3C0000-0x000000000A3F3000-memory.dmp

          Filesize

          204KB

          Download

        • memory/2460-6-0x0000000004F70000-0x0000000004FA6000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2460-79-0x000000006FAB0000-0x000000006FE00000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2460-80-0x000000000A3A0000-0x000000000A3BE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2460-85-0x000000000A400000-0x000000000A4A5000-memory.dmp

          Filesize

          660KB

          Download

        • memory/2460-86-0x0000000005080000-0x0000000005090000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2460-87-0x000000000A5E0000-0x000000000A674000-memory.dmp

          Filesize

          592KB

          Download

        • memory/2460-158-0x0000000072D50000-0x000000007343E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2460-16-0x00000000084F0000-0x000000000853B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/2460-282-0x00000000072E0000-0x00000000072FA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2460-287-0x00000000072D0000-0x00000000072D8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2460-296-0x0000000005080000-0x0000000005090000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2460-306-0x0000000072D50000-0x000000007343E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2460-11-0x0000000007690000-0x00000000076B2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2460-10-0x00000000077A0000-0x0000000007DC8000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/2460-9-0x0000000005080000-0x0000000005090000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2460-8-0x0000000005080000-0x0000000005090000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2460-7-0x0000000072D50000-0x000000007343E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/3856-315-0x00000000073F0000-0x0000000007740000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/3856-316-0x0000000007A40000-0x0000000007A8B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/3856-314-0x0000000072E50000-0x000000007353E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/3856-336-0x000000006FB80000-0x000000006FBCB000-memory.dmp

          Filesize

          300KB

          Download

        • memory/3856-337-0x000000006FBF0000-0x000000006FF40000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/3856-342-0x0000000008E60000-0x0000000008F05000-memory.dmp

          Filesize

          660KB

          Download

        • memory/3856-343-0x00000000042A0000-0x00000000042B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3856-558-0x0000000072E50000-0x000000007353E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/3920-307-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/3920-1-0x0000000002970000-0x0000000002D6E000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/3920-2-0x0000000002D70000-0x000000000365B000-memory.dmp

          Filesize

          8.9MB

          Download

        • memory/3920-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/3920-44-0x0000000002970000-0x0000000002D6E000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/3920-70-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/3920-72-0x0000000002D70000-0x000000000365B000-memory.dmp

          Filesize

          8.9MB

          Download

        • memory/4356-335-0x0000000002920000-0x0000000002D1C000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/4356-309-0x0000000002920000-0x0000000002D1C000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/4356-414-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/4356-813-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/4356-311-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/4356-310-0x0000000002E20000-0x000000000370B000-memory.dmp

          Filesize

          8.9MB

          Download

        • memory/5000-585-0x000000006FB80000-0x000000006FBCB000-memory.dmp

          Filesize

          300KB

          Download

        • memory/5000-586-0x000000006FBD0000-0x000000006FF20000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/5000-804-0x0000000072E50000-0x000000007353E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/5000-591-0x0000000005040000-0x0000000005050000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5000-565-0x0000000008240000-0x0000000008590000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/5000-564-0x0000000005040000-0x0000000005050000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5000-563-0x0000000005040000-0x0000000005050000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5000-562-0x0000000072E50000-0x000000007353E000-memory.dmp

          Filesize

          6.9MB

          Download