Analysis
-
max time kernel
150s -
max time network
105s -
platform
windows10-2004_x64 -
resource
win10v2004-20231130-en -
resource tags
-
submitted
12/12/2023, 07:33
General
-
Target
3bdfa12d553a120e1dd59adc6e63dba4318029f7a5f789570be758dfde8d8c4f.exe
-
Size
4.1MB
-
MD5
f6a1801ce2341bdcbc3e3469447efd7b
-
SHA1
5ae305f1a8af53f9fde87219f5b6d06635c07c8b
-
SHA256
3bdfa12d553a120e1dd59adc6e63dba4318029f7a5f789570be758dfde8d8c4f
-
SHA512
b53e0ca7a668e16fda0313d44cd91a9d80648fa8af17a0ada54e0fc9f80a44b8a286d2c98639c2cab552a63741d0ec4a6a2b792c20ae447e9d4b6c725a7e39b8
-
SSDEEP
98304:3MAv7F+cnt9SKJak3z8N3urTbkgPnxaiePHwNQU2t1VLE8c59b:3MspSKkSz8RurX1nYiePHwNQBVpYx
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 19 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 2 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3bdfa12d553a120e1dd59adc6e63dba4318029f7a5f789570be758dfde8d8c4f.exe"C:\Users\Admin\AppData\Local\Temp\3bdfa12d553a120e1dd59adc6e63dba4318029f7a5f789570be758dfde8d8c4f.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\3bdfa12d553a120e1dd59adc6e63dba4318029f7a5f789570be758dfde8d8c4f.exe"C:\Users\Admin\AppData\Local\Temp\3bdfa12d553a120e1dd59adc6e63dba4318029f7a5f789570be758dfde8d8c4f.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes1⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
19KB
MD5806899e5c98299859ce06cec597fc490
SHA1f9f0feef740e6596c8f25a693f4bb75a07c01aa8
SHA256e4e50e0e450770139b6fffd23cb74c349b107b95d6350d6948348d62eb26a049
SHA512aa3fbba8a6ddd77628709ce1bfd806067873c84d4455fd38b7d4d99e7ac539fb7a3d4845cb2224f998ce910ffa2b799773c87d525808ffa78f0ba3e2d37efc1f
-
Filesize
19KB
MD5f3d5640ccc9f36f4ac8bb7ca09e0e22b
SHA1b6b2bf402b68fd74f33cf0837354396b84d3866b
SHA256bf57adae7a9304c8e732f859dd1b3ed6909db9399b6448d896e88c4d79a20ffc
SHA5128c7447ade82b4eeac15a449416852b9abdf05c89e73faae1d807016d7fc59c7c9ad6379d3202021dc8c12c98d0ba4edea0d33481d45e2156a02cf21420778ae6
-
Filesize
19KB
MD57aaea683c11c210ccb747f6f154a4632
SHA1ee1ffc04857d66483528b4bb9ad95818aaa25f1e
SHA2568a478a58c5f251464a71d94b9023b89e2c5e692dd013bca8cf5f38d6df49daec
SHA512d3015f2542b595b9f5f85d93655825b6eb6f406b3af020043b739f4266335998b312948540b6ed73bd9dc4b54571c80007d250d485c70ee56c8bc3defa2e361a
-
Filesize
19KB
MD5d68dd9891b8b9609c430dd70fa9881e8
SHA1fd1ce8b9d533ff1aa0c2eccd346697a8dcabd227
SHA256a109eaa60b144174ccb3e87f961654faf96ce35cf6a1a070d6fcddf021ccbf93
SHA5120c497662bee7105ede3d68efab455611a798c9a70d15f1aea68bc66fa564108791592c27798ec9bdba2bef169350ca6a4398b944076d3397fee04b6b3ba92764
-
Filesize
394KB
MD555240a4399915871bea42df8c6a7e667
SHA1d1ad68cd870137bb08da34fa442e29cd6e9d6f8b
SHA256a6e40b861ce0fa84ab0243bf65a72c4f597e73146d0e74bc67a0856dc6a20cf4
SHA512b43907e7bd1e86648c58c0b4c034932a28b68d90e5658515ebb03ab647a0f568cddf7256833d5a23277c6369fbf91a085eff4ceb28dfb8338c7f8f225ccc638b
-
Filesize
213KB
MD5bc10dbaad3a69dc0efa9f1ed6c1f53d9
SHA166055d29ad65a43b92ef7ae11e70b212fad31dfe
SHA2561286f9a0ce142fa8684a65336ad3fa417a5012f767b61e2ae515a112afd31d25
SHA5128e1af7b18d0a16e44a9d7994723c2367eb917a5daa03de4c71ce5b4cc6ebd79a61300b65e87b10de10c4b05c92fd43949be4db13c125ca99f075979b43e1284c
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
3.3MB
-
Filesize
216KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
7.7MB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
68KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
272KB
-
Filesize
472KB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
120KB
-
Filesize
652KB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
200KB
-
Filesize
6.5MB
-
Filesize
4.0MB
-
Filesize
8.9MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
8.9MB
-
Filesize
9.1MB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
652KB
-
Filesize
68KB
-
Filesize
80KB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB