glupteba | 501588291bc3c786ac2ed9f7aa499868598d53383d07a9be5be76c386ca51544

Analysis

max time kernel
0s
max time network
117s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02/01/2024, 15:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

501588291bc3c786ac2ed9f7aa499868598d53383d07a9be5be76c386ca51544.exe
Size

4.1MB
MD5

2e9500d61872b5d0ecab1fcd1816a7f2
SHA1

476843d9fdcf68be91a1c2ae3fac40d938c521bf
SHA256

501588291bc3c786ac2ed9f7aa499868598d53383d07a9be5be76c386ca51544
SHA512

189f3b84bbbe90339ddcd917b5d3003d397578a73632beb3bbee36b868c4baea7e2cc95119843b524254a066948aef843736eb3eb46c1e211318f7c9a52eb4e4
SSDEEP

98304:jnDxDynn2HvxGAPnSV1Ywzt/74819SmvpEDTxeMn0j4Y+m32:nNq2kAv1wR14mv4A4hmm

Score

10^/10

glupteba dropper evasion loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

resource	yara_rule
behavioral1/memory/2520-2-0x0000000002A60000-0x000000000334B000-memory.dmp	family_glupteba
behavioral1/memory/2520-4-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2628	netsh.exe

Modifies boot configuration data using bcdedit 1 IoCs

pid	Process
1608	bcdedit.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1684	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2556	schtasks.exe
2732	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\501588291bc3c786ac2ed9f7aa499868598d53383d07a9be5be76c386ca51544.exe
"C:\Users\Admin\AppData\Local\Temp\501588291bc3c786ac2ed9f7aa499868598d53383d07a9be5be76c386ca51544.exe"
1⤵
PID:2520
- C:\Users\Admin\AppData\Local\Temp\501588291bc3c786ac2ed9f7aa499868598d53383d07a9be5be76c386ca51544.exe
  "C:\Users\Admin\AppData\Local\Temp\501588291bc3c786ac2ed9f7aa499868598d53383d07a9be5be76c386ca51544.exe"
  2⤵
  PID:2488
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:1016
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:3052
  - - C:\Windows\system32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:2012
  - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
      "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
      4⤵
      PID:1980
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2556
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:2100
  - - C:\Windows\system32\bcdedit.exe
      C:\Windows\Sysnative\bcdedit.exe /v
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1608
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2732
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:2328

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240102155536.log C:\Windows\Logs\CBS\CbsPersist_20240102155536.cab
1⤵
PID:2900

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:2628

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:2596

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
- Launches sc.exe
PID:1684

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1980-36-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1980-44-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2328-137-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2328-140-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2488-20-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2488-10-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2488-5-0x0000000002690000-0x0000000002A88000-memory.dmp

Filesize
4.0MB

Download
memory/2488-21-0x0000000002690000-0x0000000002A88000-memory.dmp

Filesize
4.0MB

Download
memory/2488-8-0x0000000002690000-0x0000000002A88000-memory.dmp

Filesize
4.0MB

Download
memory/2488-9-0x0000000002A90000-0x000000000337B000-memory.dmp

Filesize
8.9MB

Download
memory/2520-2-0x0000000002A60000-0x000000000334B000-memory.dmp

Filesize
8.9MB

Download
memory/2520-6-0x0000000002660000-0x0000000002A58000-memory.dmp

Filesize
4.0MB

Download
memory/2520-4-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2520-7-0x0000000002A60000-0x000000000334B000-memory.dmp

Filesize
8.9MB

Download
memory/2520-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2520-1-0x0000000002660000-0x0000000002A58000-memory.dmp

Filesize
4.0MB

Download
memory/2520-0-0x0000000002660000-0x0000000002A58000-memory.dmp

Filesize
4.0MB

Download
memory/2596-143-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2596-141-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3052-75-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3052-114-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3052-115-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3052-116-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3052-117-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3052-118-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3052-127-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3052-128-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3052-129-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3052-130-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3052-132-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3052-133-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3052-113-0x0000000002840000-0x0000000002C38000-memory.dmp

Filesize
4.0MB

Download
memory/3052-24-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3052-22-0x0000000002840000-0x0000000002C38000-memory.dmp

Filesize
4.0MB

Download
memory/3052-142-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3052-19-0x0000000002840000-0x0000000002C38000-memory.dmp

Filesize
4.0MB

Download
memory/3052-144-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads