Analysis
-
max time kernel
155s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
-
submitted
12/11/2023, 21:05
General
-
Target
8134b0333c22f064b6110fccc801f45f43e4288a41c5c24d3a8e494f3023f0b9.exe
-
Size
4.1MB
-
MD5
40ec068d634041e8b5147b6f53660280
-
SHA1
91bef547550e7c170acfbdc82b3eb697d9edcf6b
-
SHA256
8134b0333c22f064b6110fccc801f45f43e4288a41c5c24d3a8e494f3023f0b9
-
SHA512
1531017f49693138e6973b3561ceae0dfcdfe5ec1f73df96028720fb888eb7ad3133490927f73e5dc772bd488a80001095ee0f41287e4104cad3c282bdb39031
-
SSDEEP
98304:t+y11xVaNS4L/TrpL65fuCbh9zp4wSpOL2zCwTSYgUegPrjqR:tXbVaNSc/pL68Wh9t71C3xbeerg
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 17 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 5 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 2 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8134b0333c22f064b6110fccc801f45f43e4288a41c5c24d3a8e494f3023f0b9.exe"C:\Users\Admin\AppData\Local\Temp\8134b0333c22f064b6110fccc801f45f43e4288a41c5c24d3a8e494f3023f0b9.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\8134b0333c22f064b6110fccc801f45f43e4288a41c5c24d3a8e494f3023f0b9.exe"C:\Users\Admin\AppData\Local\Temp\8134b0333c22f064b6110fccc801f45f43e4288a41c5c24d3a8e494f3023f0b9.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize
19KB
MD5ba954d997a86271070f480faff51adcb
SHA129641fdf3c219a1e2c2bb329c575656ca21a270e
SHA256767c3f58577c9627af32646a8812e5381a4e46906cd2305801e5c1139660d7c5
SHA512634fbcb98e08ef38faf0bae7f711fe4235603d366f45ea9a916915c63efe18c4d97183e7a30d0f63978f0f3f400f2dddd9a1beb17a2483f3a476d0c28ce5b8ae
-
Filesize
19KB
MD57319f864e60ec9d248026dba2f065b42
SHA171984e3593fbc4e68ecea43310568f5fa976b77e
SHA256783d211b0437ac6fe85a7c4f3dc83b7374d55a8e653a1932b8fe79f56125fa30
SHA512a7617432d9fa3c284a30ff463f00c8c606d5258f3363a51d97905baa972a6f17fb801acfd9ae56b93c8613fbdf861dda054d2cf695eff5c071d37fb8c37b92e6
-
Filesize
19KB
MD5a6b9d97e9d86b2f5864add0b0329e0b0
SHA190586f15129c00dad682475141a85442b59c31f1
SHA256657d06ac109478a8503465802a8fa73e79a70472ff2bdc6462bd091aed7622f1
SHA5128ad8bc4dfa309fe1bfea48af4b85e98ab91de5e4b53a24ba0b826fd2f357a3855c83737873a0e81951c3a1773ffa1c554de86a491985b0b23e70dc55e1cb21e9
-
Filesize
19KB
MD5a01068f51ef8eb3816264bc92d1c35d7
SHA1d5dfc47dc8efe9b229aa462acb4940b8da6e06df
SHA2565063e1d1a2d02e2d77c64accaf274cdbdb3bab798241b32b98a04a4d970cc24f
SHA5129986256ba65eaf1a81e017afc493fa01221e69f4e2b02b2c01d05dd1662a2eb5cec91eadae5637edf8a98abfeab0db0bf6fa509d8a2051b461b023ef1eafa397
-
Filesize
19KB
MD5df38867390dc654ee79b4a52ab806a9e
SHA14a7bba455ecce4f6e981049b5c6e4277a1619de7
SHA256b675e1d6b33cc58f9963905ba89396510cfedb578af7dc4a24d7da080cab9070
SHA51280745ea1a3e94422aa12c9c8c479f7d761c447976b04801d2222ad1c6d8175814f7f987b03df9a82fccc553dad7bb1ae3c2fb709acb83d2d04c1277f23532b70
-
Filesize
4.1MB
MD540ec068d634041e8b5147b6f53660280
SHA191bef547550e7c170acfbdc82b3eb697d9edcf6b
SHA2568134b0333c22f064b6110fccc801f45f43e4288a41c5c24d3a8e494f3023f0b9
SHA5121531017f49693138e6973b3561ceae0dfcdfe5ec1f73df96028720fb888eb7ad3133490927f73e5dc772bd488a80001095ee0f41287e4104cad3c282bdb39031
-
Filesize
4.1MB
MD540ec068d634041e8b5147b6f53660280
SHA191bef547550e7c170acfbdc82b3eb697d9edcf6b
SHA2568134b0333c22f064b6110fccc801f45f43e4288a41c5c24d3a8e494f3023f0b9
SHA5121531017f49693138e6973b3561ceae0dfcdfe5ec1f73df96028720fb888eb7ad3133490927f73e5dc772bd488a80001095ee0f41287e4104cad3c282bdb39031
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
652KB
-
Filesize
68KB
-
Filesize
80KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
8.9MB
-
Filesize
4.0MB
-
Filesize
8.9MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
304KB
-
Filesize
472KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
80KB
-
Filesize
56KB
-
Filesize
68KB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
652KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
272KB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
64KB
-
Filesize
9.1MB
-
Filesize
9.1MB