Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

5c4a2bfc41...c1.exe

windows7-x64

10

5c4a2bfc41...c1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    2s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/01/2024, 05:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5c4a2bfc412603a57e770cb9129598c1.exe

  • Size

    4.4MB

  • MD5

    5c4a2bfc412603a57e770cb9129598c1

  • SHA1

    1c2a416245ffcc5e61ef47f72c0216075ca5ce95

  • SHA256

    b7ba0c0a6d055683da95cbec459739f13f6d0499f25b35ebeec2c625dc770b3e

  • SHA512

    cce3a36565e36c7a88dcb4e782937619ee94bdc457be311e62bdd9b975583b64816e7fa95db117bbf028f5f0b95dbb43f972cfcc4283a53047cbf112beb9b091

  • SSDEEP

    98304:YRRqu5E4LwYYX93bjAoXn5J2bdQPHw4lPmhQeHpNgpGPEoqE:YPq4MX93b8wn5YbdQvw4lPmhQeJNAGPh

Score
10/10
gluptebametasploitbackdoordropperevasionloadertrojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 20 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • GoLang User-Agent 4 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c4a2bfc412603a57e770cb9129598c1.exe
    "C:\Users\Admin\AppData\Local\Temp\5c4a2bfc412603a57e770cb9129598c1.exe"
    1⤵
      PID:1620
      • C:\Users\Admin\AppData\Local\Temp\5c4a2bfc412603a57e770cb9129598c1.exe
        "C:\Users\Admin\AppData\Local\Temp\5c4a2bfc412603a57e770cb9129598c1.exe"
        2⤵
          PID:740
          • C:\Windows\system32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            3⤵
              PID:2696
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                4⤵
                • Modifies Windows Firewall
                PID:4888
            • C:\Windows\rss\csrss.exe
              C:\Windows\rss\csrss.exe /93-93
              3⤵
                PID:3344
                • C:\Windows\SYSTEM32\schtasks.exe
                  schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                  4⤵
                  • Creates scheduled task(s)
                  PID:4384
                • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                  C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                  4⤵
                    PID:4484
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 652
                2⤵
                • Program crash
                PID:4120
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1620 -ip 1620
              1⤵
                PID:3328

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                Filesize

                281KB

                MD5

                d98e33b66343e7c96158444127a117f6

                SHA1

                bb716c5509a2bf345c6c1152f6e3e1452d39d50d

                SHA256

                5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

                SHA512

                705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

                Download Submit

              • C:\Windows\rss\csrss.exe
                Filesize

                1.0MB

                MD5

                4b2bdabacd56f7ace658742c17a7227d

                SHA1

                3e37549e2124e5fed356486b253f3ab8647edec0

                SHA256

                eb138bba6beccb8e4b047cfc09ba617048f7af16ea832dab69c680dbc00b4627

                SHA512

                44501e59e49b587a7a93418c16ad34be0f0088e78678eee6f4e7f5e72c198e3654521473f93096706ce4234af522c7d6eab78148d9497752e6a5b8a9b6ae9404

                Download Submit

              • C:\Windows\rss\csrss.exe
                Filesize

                881KB

                MD5

                9020d48ff0929fd4c3a79e8ac54d8cbf

                SHA1

                b8e642f5f704e17cff1a3dd0e187ce0e9bcc75fb

                SHA256

                4416aea2dcfb3584dd84a0e1caa794c86494f575b1e0e30151843bb49c2c164e

                SHA512

                d8a57b2c0ef321b3f9699410fbf3cd104481ac3a964d470664247c276ec41e1f0d93a60af5531caa6085a297128cdbc26a35d44595b39a3953e1485147a6594a

                Download Submit

              • memory/740-7-0x0000000004EB0000-0x00000000052ED000-memory.dmp

                Filesize

                4.2MB

                Download

              • memory/740-8-0x0000000000400000-0x000000000309C000-memory.dmp

                Filesize

                44.6MB

                Download

              • memory/740-16-0x0000000000400000-0x000000000309C000-memory.dmp

                Filesize

                44.6MB

                Download

              • memory/1620-2-0x0000000005190000-0x0000000005AB6000-memory.dmp

                Filesize

                9.1MB

                Download

              • memory/1620-3-0x0000000000400000-0x000000000309C000-memory.dmp

                Filesize

                44.6MB

                Download

              • memory/1620-5-0x0000000000400000-0x000000000309C000-memory.dmp

                Filesize

                44.6MB

                Download

              • memory/1620-6-0x0000000005190000-0x0000000005AB6000-memory.dmp

                Filesize

                9.1MB

                Download

              • memory/1620-1-0x0000000004D40000-0x0000000005184000-memory.dmp

                Filesize

                4.3MB

                Download

              • memory/3344-27-0x0000000000400000-0x000000000309C000-memory.dmp

                Filesize

                44.6MB

                Download

              • memory/3344-33-0x0000000000400000-0x000000000309C000-memory.dmp

                Filesize

                44.6MB

                Download

              • memory/3344-20-0x0000000000400000-0x000000000309C000-memory.dmp

                Filesize

                44.6MB

                Download

              • memory/3344-19-0x0000000005200000-0x0000000005700000-memory.dmp

                Filesize

                5.0MB

                Download

              • memory/3344-28-0x0000000005200000-0x0000000005700000-memory.dmp

                Filesize

                5.0MB

                Download

              • memory/3344-29-0x0000000000400000-0x000000000309C000-memory.dmp

                Filesize

                44.6MB

                Download

              • memory/3344-30-0x0000000000400000-0x000000000309C000-memory.dmp

                Filesize

                44.6MB

                Download

              • memory/3344-31-0x0000000000400000-0x000000000309C000-memory.dmp

                Filesize

                44.6MB

                Download

              • memory/3344-32-0x0000000000400000-0x000000000309C000-memory.dmp

                Filesize

                44.6MB

                Download

              • memory/3344-21-0x0000000000400000-0x000000000309C000-memory.dmp

                Filesize

                44.6MB

                Download

              • memory/3344-34-0x0000000000400000-0x000000000309C000-memory.dmp

                Filesize

                44.6MB

                Download

              • memory/3344-35-0x0000000000400000-0x000000000309C000-memory.dmp

                Filesize

                44.6MB

                Download

              • memory/3344-36-0x0000000000400000-0x000000000309C000-memory.dmp

                Filesize

                44.6MB

                Download

              • memory/3344-37-0x0000000000400000-0x000000000309C000-memory.dmp

                Filesize

                44.6MB

                Download

              • memory/3344-38-0x0000000000400000-0x000000000309C000-memory.dmp

                Filesize

                44.6MB

                Download

              • memory/3344-39-0x0000000000400000-0x000000000309C000-memory.dmp

                Filesize

                44.6MB

                Download

              • memory/3344-40-0x0000000000400000-0x000000000309C000-memory.dmp

                Filesize

                44.6MB

                Download