Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    119s
  • platform
    windows10-1703_x64
  • resource
    win10-20231023-en
  • resource tags

    arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
  • submitted
    16/11/2023, 05:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e7a02922687ff5c47aa236a92977a7ac3145068210e4a1b8a24559ea99feea3d.exe

  • Size

    4.2MB

  • MD5

    77aef547ab6abb3c133c8380a609a3b4

  • SHA1

    730d3298f045523be4063590891740c5b47e165f

  • SHA256

    e7a02922687ff5c47aa236a92977a7ac3145068210e4a1b8a24559ea99feea3d

  • SHA512

    bd86565457817b084117bca5120cd65b77a3a03023e75b6f0a1547f05b09a4e0770dc4b8434e350b92e562785f19d66160585241c4209339babd848155bb2272

  • SSDEEP

    98304:09M9U+zveFd8itJtRStO0JWkONG13pGEcE42kp:KcU+z0d8IJt4lh8GtpG7X

Score
10/10
gluptebadropperevasionloaderpersistencetrojan

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 11 IoCs
  • Windows security bypass 2 TTPs 7 IoCs
    evasiontrojan
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e7a02922687ff5c47aa236a92977a7ac3145068210e4a1b8a24559ea99feea3d.exe
    "C:\Users\Admin\AppData\Local\Temp\e7a02922687ff5c47aa236a92977a7ac3145068210e4a1b8a24559ea99feea3d.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:680
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3092
    • C:\Users\Admin\AppData\Local\Temp\e7a02922687ff5c47aa236a92977a7ac3145068210e4a1b8a24559ea99feea3d.exe
      "C:\Users\Admin\AppData\Local\Temp\e7a02922687ff5c47aa236a92977a7ac3145068210e4a1b8a24559ea99feea3d.exe"
      2⤵
      • Windows security bypass
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4272
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3028
      • C:\Windows\System32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:524
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Modifies data under HKEY_USERS
          PID:5100
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3256
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1616
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        PID:356

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1bdjybal.tvm.ps1
    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    Download Submit

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    1c19c16e21c97ed42d5beabc93391fc5

    SHA1

    8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

    SHA256

    1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

    SHA512

    7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

    Download Submit

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize

    18KB

    MD5

    dc228c368c6ddd0d1837c53292363cd8

    SHA1

    85defc3a00f4e5d91efb76a74b2ec3c3b199eff2

    SHA256

    6391eb10b6eba0d153fb1b039b1b264d420190817ff492bab41b13c4f2c9c8a3

    SHA512

    3c1b32bb3253ba67255a162c26a90bec7f7d9a748f106b65161493ce2461a157278cedbb25c33012ec4503eb8db6e27af46f486f095d4070cc278430489a3856

    Download Submit

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize

    18KB

    MD5

    9bd8b4cc9a2ec9bb8f103c93fb6d340f

    SHA1

    ea337c0e67648bd9b63337d6e2430ad0ac30f185

    SHA256

    b794afa71466ad6ca1589146701e9cdfab41b967531fe6903952f9f7ff2ff830

    SHA512

    cbdf3f01e859619fc2be0902d1badbf49c83e71137e1cde70a38fde76bc7ea50883682ad3574403e88e82f0616790f4e0d060b469281cc22cc64b1408467274d

    Download Submit

  • C:\Windows\rss\csrss.exe
    Filesize

    4.2MB

    MD5

    77aef547ab6abb3c133c8380a609a3b4

    SHA1

    730d3298f045523be4063590891740c5b47e165f

    SHA256

    e7a02922687ff5c47aa236a92977a7ac3145068210e4a1b8a24559ea99feea3d

    SHA512

    bd86565457817b084117bca5120cd65b77a3a03023e75b6f0a1547f05b09a4e0770dc4b8434e350b92e562785f19d66160585241c4209339babd848155bb2272

    Download Submit

  • C:\Windows\rss\csrss.exe
    Filesize

    4.2MB

    MD5

    77aef547ab6abb3c133c8380a609a3b4

    SHA1

    730d3298f045523be4063590891740c5b47e165f

    SHA256

    e7a02922687ff5c47aa236a92977a7ac3145068210e4a1b8a24559ea99feea3d

    SHA512

    bd86565457817b084117bca5120cd65b77a3a03023e75b6f0a1547f05b09a4e0770dc4b8434e350b92e562785f19d66160585241c4209339babd848155bb2272

    Download Submit

  • memory/680-2-0x0000000002E80000-0x000000000376B000-memory.dmp

    Filesize

    8.9MB

    Download

  • memory/680-1-0x0000000002A70000-0x0000000002E71000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/680-208-0x0000000002A70000-0x0000000002E71000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/680-303-0x0000000000400000-0x0000000000D1C000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/680-304-0x0000000002E80000-0x000000000376B000-memory.dmp

    Filesize

    8.9MB

    Download

  • memory/680-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/680-207-0x0000000000400000-0x0000000000D1C000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/1616-1050-0x0000000073AE0000-0x00000000741CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1616-810-0x00000000073C0000-0x00000000073D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1616-808-0x0000000073AE0000-0x00000000741CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1616-809-0x00000000073C0000-0x00000000073D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1616-837-0x00000000073C0000-0x00000000073D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1616-831-0x0000000070860000-0x0000000070BB0000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1616-830-0x0000000070810000-0x000000007085B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3028-315-0x0000000007BD0000-0x0000000007C1B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3028-556-0x0000000073AE0000-0x00000000741CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3028-342-0x00000000043F0000-0x0000000004400000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3028-341-0x00000000090C0000-0x0000000009165000-memory.dmp

    Filesize

    660KB

    Download

  • memory/3028-336-0x0000000070860000-0x0000000070BB0000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3028-335-0x0000000070810000-0x000000007085B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3028-334-0x000000007F3D0000-0x000000007F3E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3028-314-0x0000000007660000-0x00000000079B0000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3028-313-0x00000000043F0000-0x0000000004400000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3028-312-0x00000000043F0000-0x0000000004400000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3028-311-0x0000000073AE0000-0x00000000741CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3092-83-0x0000000006DF0000-0x0000000006E00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3092-284-0x0000000008440000-0x0000000008448000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3092-35-0x00000000091A0000-0x00000000091DC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3092-16-0x0000000008150000-0x000000000819B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3092-74-0x000000000A0C0000-0x000000000A0F3000-memory.dmp

    Filesize

    204KB

    Download

  • memory/3092-302-0x00000000739E0000-0x00000000740CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3092-84-0x000000000A2E0000-0x000000000A374000-memory.dmp

    Filesize

    592KB

    Download

  • memory/3092-279-0x0000000008570000-0x000000000858A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3092-15-0x0000000008110000-0x000000000812C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3092-75-0x00000000706F0000-0x000000007073B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3092-66-0x0000000009260000-0x00000000092D6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3092-76-0x0000000070740000-0x0000000070A90000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3092-13-0x0000000007CB0000-0x0000000007D16000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3092-82-0x000000000A100000-0x000000000A1A5000-memory.dmp

    Filesize

    660KB

    Download

  • memory/3092-77-0x000000000A0A0000-0x000000000A0BE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3092-14-0x0000000007D20000-0x0000000008070000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3092-73-0x000000007E5B0000-0x000000007E5C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3092-12-0x0000000007B40000-0x0000000007BA6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3092-11-0x0000000007380000-0x00000000073A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3092-10-0x0000000007430000-0x0000000007A58000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3092-9-0x0000000006DF0000-0x0000000006E00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3092-8-0x0000000006DF0000-0x0000000006E00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3092-7-0x00000000739E0000-0x00000000740CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3092-6-0x0000000006C90000-0x0000000006CC6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3256-562-0x0000000006BF0000-0x0000000006C00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3256-561-0x0000000073AE0000-0x00000000741CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3256-563-0x0000000006BF0000-0x0000000006C00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3256-805-0x0000000073AE0000-0x00000000741CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3256-587-0x000000007F200000-0x000000007F210000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3256-585-0x0000000070860000-0x0000000070BB0000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3256-584-0x0000000070810000-0x000000007085B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3256-591-0x0000000006BF0000-0x0000000006C00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4272-564-0x0000000002970000-0x0000000002D6E000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4272-804-0x0000000000400000-0x0000000000D1C000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/4272-836-0x0000000000400000-0x0000000000D1C000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/4272-560-0x0000000000400000-0x0000000000D1C000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/4272-308-0x0000000000400000-0x0000000000D1C000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/4272-307-0x0000000002D70000-0x000000000365B000-memory.dmp

    Filesize

    8.9MB

    Download

  • memory/4272-306-0x0000000002970000-0x0000000002D6E000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4272-1054-0x0000000000400000-0x0000000000D1C000-memory.dmp

    Filesize

    9.1MB

    Download