Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

0367b08d1b...c6.exe

windows7-x64

10

0367b08d1b...c6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/12/2023, 20:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0367b08d1b72bd3d0fdca7de187b9dc6.exe

  • Size

    4.4MB

  • MD5

    0367b08d1b72bd3d0fdca7de187b9dc6

  • SHA1

    8fb04d525032edd7cabaf50af9f493ee04c58a48

  • SHA256

    a951b0a48877f40e9630d1a4a8f5f37f8b376800e185d4c70e241917249cf48e

  • SHA512

    14d03cf0d3564a1337fca87c16ad1df08687c5daa431f406dc1492d00a0985333fd1f59e3c521b67211c7f25af60b417042ca88e3b436ffe4ebc4ab566af44f6

  • SSDEEP

    98304:8Iu065i558It90eELh3/9QAtK6QqASVUFhm7aRVpAvHfWK1kIqKlbSs5tT1gArJR:c0ui558I8eyh3VVCqARFhGO+OsoKnJdb

Score
10/10
gluptebametasploitbackdoordropperevasionloadertrojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 12 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0367b08d1b72bd3d0fdca7de187b9dc6.exe
    "C:\Users\Admin\AppData\Local\Temp\0367b08d1b72bd3d0fdca7de187b9dc6.exe"
    1⤵
      PID:3284
      • C:\Users\Admin\AppData\Local\Temp\0367b08d1b72bd3d0fdca7de187b9dc6.exe
        "C:\Users\Admin\AppData\Local\Temp\0367b08d1b72bd3d0fdca7de187b9dc6.exe"
        2⤵
          PID:3664
          • C:\Windows\system32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            3⤵
              PID:4444
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                4⤵
                • Modifies Windows Firewall
                PID:4816
            • C:\Windows\rss\csrss.exe
              C:\Windows\rss\csrss.exe /124-124
              3⤵
                PID:4944
                • C:\Windows\SYSTEM32\schtasks.exe
                  schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                  4⤵
                  • Creates scheduled task(s)
                  PID:4740
                • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                  C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                  4⤵
                    PID:5044
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 916
                2⤵
                • Program crash
                PID:3740
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3284 -ip 3284
              1⤵
                PID:1680

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                Filesize

                92KB

                MD5

                ab69c4c4f2a4cb1639193eda360e9b02

                SHA1

                f64bf39052207a29696c08187c3f93926f1325e5

                SHA256

                720f92eea10156eff606fb38ca1c77ec386674851e98756a3a2e116b7103c616

                SHA512

                e0f0604ee712f4182d2015a653eaca9964e952f9010abf81b7408536fcba84d4cf5b39c11f76d3a01c73d22084b7d54f201d44b3cb04935f48f0fb2d1ae5bb7d

                Download Submit

              • memory/3284-1-0x0000000004590000-0x00000000049D4000-memory.dmp

                Filesize

                4.3MB

                Download

              • memory/3284-3-0x0000000000400000-0x00000000027D9000-memory.dmp

                Filesize

                35.8MB

                Download

              • memory/3284-8-0x0000000000400000-0x00000000027D9000-memory.dmp

                Filesize

                35.8MB

                Download

              • memory/3284-2-0x00000000049E0000-0x0000000005306000-memory.dmp

                Filesize

                9.1MB

                Download

              • memory/3664-5-0x00000000044E0000-0x0000000004920000-memory.dmp

                Filesize

                4.2MB

                Download

              • memory/3664-6-0x0000000000400000-0x00000000027D9000-memory.dmp

                Filesize

                35.8MB

                Download

              • memory/3664-7-0x0000000004920000-0x0000000005246000-memory.dmp

                Filesize

                9.1MB

                Download

              • memory/3664-17-0x0000000000400000-0x00000000027D9000-memory.dmp

                Filesize

                35.8MB

                Download

              • memory/4944-28-0x0000000000400000-0x00000000027D9000-memory.dmp

                Filesize

                35.8MB

                Download

              • memory/4944-33-0x0000000000400000-0x00000000027D9000-memory.dmp

                Filesize

                35.8MB

                Download

              • memory/4944-20-0x0000000000400000-0x00000000027D9000-memory.dmp

                Filesize

                35.8MB

                Download

              • memory/4944-27-0x0000000004800000-0x0000000004D00000-memory.dmp

                Filesize

                5.0MB

                Download

              • memory/4944-19-0x0000000004800000-0x0000000004D00000-memory.dmp

                Filesize

                5.0MB

                Download

              • memory/4944-29-0x0000000000400000-0x00000000027D9000-memory.dmp

                Filesize

                35.8MB

                Download

              • memory/4944-30-0x0000000000400000-0x00000000027D9000-memory.dmp

                Filesize

                35.8MB

                Download

              • memory/4944-31-0x0000000000400000-0x00000000027D9000-memory.dmp

                Filesize

                35.8MB

                Download

              • memory/4944-32-0x0000000000400000-0x00000000027D9000-memory.dmp

                Filesize

                35.8MB

                Download

              • memory/4944-21-0x0000000000400000-0x00000000027D9000-memory.dmp

                Filesize

                35.8MB

                Download

              • memory/4944-34-0x0000000000400000-0x00000000027D9000-memory.dmp

                Filesize

                35.8MB

                Download

              • memory/4944-35-0x0000000000400000-0x00000000027D9000-memory.dmp

                Filesize

                35.8MB

                Download

              • memory/4944-36-0x0000000000400000-0x00000000027D9000-memory.dmp

                Filesize

                35.8MB

                Download

              • memory/4944-37-0x0000000000400000-0x00000000027D9000-memory.dmp

                Filesize

                35.8MB

                Download

              • memory/4944-38-0x0000000000400000-0x00000000027D9000-memory.dmp

                Filesize

                35.8MB

                Download

              • memory/4944-39-0x0000000000400000-0x00000000027D9000-memory.dmp

                Filesize

                35.8MB

                Download

              • memory/4944-40-0x0000000000400000-0x00000000027D9000-memory.dmp

                Filesize

                35.8MB

                Download

              • memory/4944-41-0x0000000000400000-0x00000000027D9000-memory.dmp

                Filesize

                35.8MB

                Download