Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-1703_x64 -
resource
win10-20231023-en -
resource tags
-
submitted
11/12/2023, 20:19
General
-
Target
8671c7b39a7608e8f54ed9f63c3b3d2df46e82636a988f5e33a687830d673149.exe
-
Size
4.1MB
-
MD5
be9821ba3c2c7d786f9db4e4ac9df37f
-
SHA1
37a30094c2deec3089226cd0ac18858f48034889
-
SHA256
8671c7b39a7608e8f54ed9f63c3b3d2df46e82636a988f5e33a687830d673149
-
SHA512
bf39aa4c5bf6ad7c87e5e11d4cbcf142c67c09ec12ba3732b53b98b4bf3e2c6919acb317e982b7776d2229f9f36bf293bfb3cc5a8f9cff147b237685af660d10
-
SSDEEP
98304:47fDq1cl7yDjWm9OMOtVg6RiH4abJMn4w8pLvKUWHG8EeRinbyS:4fqWgFOf344aNM6r8r2byS
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 23 IoCs
-
Windows security bypass 2 TTPs 7 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8671c7b39a7608e8f54ed9f63c3b3d2df46e82636a988f5e33a687830d673149.exe"C:\Users\Admin\AppData\Local\Temp\8671c7b39a7608e8f54ed9f63c3b3d2df46e82636a988f5e33a687830d673149.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\8671c7b39a7608e8f54ed9f63c3b3d2df46e82636a988f5e33a687830d673149.exe"C:\Users\Admin\AppData\Local\Temp\8671c7b39a7608e8f54ed9f63c3b3d2df46e82636a988f5e33a687830d673149.exe"2⤵
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
2KB
MD5db01a2c1c7e70b2b038edf8ad5ad9826
SHA1540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
-
Filesize
18KB
MD5be7ff583be3682ae7e0d23512535e889
SHA19960aa44abc3be8930e4170997a0af1c24cee8ba
SHA2563a48d9a46e824499c0f45ba63d6432773287b4b117f581b0c1051c3c82e037d7
SHA512733c2a617cd5244d4105ce849bc20bcd0351f8499d4b7f281f8193c61e5b9de521ae71f7ca603629f535af1232d0c91d784f7d08c23d2ae06ff1fe738d723828
-
Filesize
18KB
MD5593b6e89d18b76c4ff7cfeb26cbf22e1
SHA197381242cf4451b1eb2358770612402e46c956c1
SHA256d749ead750f18c2033919c3ae0d174419bbbf8eb1c45cc1805ccff56fcf87d5e
SHA5123573ae595508842755a20a48b5f777727f6cf7ffb89fdce71cb1919d3b606a6ac96c9a62b7d1ea01b245808dca6ddefa2d40af0cc51cb2fb3282a86c5c838e31
-
Filesize
18KB
MD5839aa6130fb10d1a46f635f1f8c5d1fe
SHA1101ae821c2810e7cc7d8365a0aa1f60f2a5fcf95
SHA256d69e4b5e7a1b7970a4af24ba0b72271ae7cd062ed5c1f6f7d24884a16e5bb004
SHA512c68906b8d3ef3828cb4406ef05b4d312035c06de99de3af759ea712008a437a6995750caba409bca9ed0c9d6751224d35d4b265583a30e9486bacd3ed331e4aa
-
Filesize
18KB
MD5ed35c5db15ac24fab2e91a32e5b8e91a
SHA14d422fe10584850a8509286380c4b09fb8274cf2
SHA25667590c1265641cf1239202b555da3d624cb0c79f04775683bbed5a54042d0c23
SHA51226d3ba849397f7498d856593f0a1334ac7c1614ea7cab9e3838e303539d7421bdf5e8ed80ba01a668e35f66d41e604cd24ff11ec4199636f7062f6558c342835
-
Filesize
18KB
MD51456bb707322b6d9356e1fe074c0402f
SHA168249bb2dce0c21233c010fc4cc5149c967f1fba
SHA256841001e562b1c9c394e4ff482db8c88f034db8840bde7d40aabc56d981874a73
SHA5128197a5b9ab1ce9d792838084a831a24067a40df40005cf8867569a56d8537ea3b850c82c64260368c49d854c7de89c8ecc92321fbe53185e85d771ac57e165bc
-
Filesize
4.1MB
MD5be9821ba3c2c7d786f9db4e4ac9df37f
SHA137a30094c2deec3089226cd0ac18858f48034889
SHA2568671c7b39a7608e8f54ed9f63c3b3d2df46e82636a988f5e33a687830d673149
SHA512bf39aa4c5bf6ad7c87e5e11d4cbcf142c67c09ec12ba3732b53b98b4bf3e2c6919acb317e982b7776d2229f9f36bf293bfb3cc5a8f9cff147b237685af660d10
-
Filesize
4.0MB
MD5c146842b6528561124af628b3dee4ff2
SHA15765dfe5f3a6cda2bed6e871b7cde205b0bd541f
SHA256a26f6e5e494f84abe33b1d2602a67f594da97ee067abaab4389886305bdfda86
SHA512ee3bed408e8ebd3359d8575b2b46614e9262cb85affd8c6fd86b95f427c2ba4040d92b7589e2a4c1b9149d323f8666139f70a2850c7cd79134d41d65c6ccb3b0
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
4.9MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
8.9MB
-
Filesize
6.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
9.1MB
-
Filesize
8.9MB
-
Filesize
4.0MB
-
Filesize
8.9MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
660KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
592KB
-
Filesize
64KB
-
Filesize
660KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
204KB
-
Filesize
300KB
-
Filesize
472KB
-
Filesize
240KB
-
Filesize
300KB
-
Filesize
112KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
216KB