Analysis
  max time kernel:  2s
  max time network: 122s
  platform:         windows10-2004_x64
  resource:         win10v2004-20231215-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        16/01/2024, 09:28
Static task: static1
Behavioral task: behavioral1
  Sample:   5f8adc5247685228db6a92ca9f38f667.exe
  Resource: win7-20231215-en
General
  Target: 5f8adc5247685228db6a92ca9f38f667.exe
  Size:   4.5MB
  MD5:    5f8adc5247685228db6a92ca9f38f667
  SHA1:   d02e0de48708042b7d4524be3b1cb1b2c5a63d27
  SHA256: 1d3b1052852b5248241435db8754373ea350b9d9a6980fa89fb5cc3eb07eb45a
  SHA512: e0c9a00d7e2a17d3b3411e44661992320c4c682cbe16dcee64f394656acf9459848b42bb106e49c81fdc30ed19b592c07f6393e98431d6b815cf8bd661a30523
  SSDEEP: 98304:R6tu0kYaxx1CvLJcAC7eSs16YFa89rPkFZd3lVL:R6t2Y+TAC7eKkr9rMFz3
Malware Config
  Extracted: metasploit (windows/single_exec)
Signatures
  Glupteba payload (17 IoCs)
  MetaSploit
    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  Modifies Windows Firewall (1 TTPs, 1 IoCs)
    pid   Process
    1184  netsh.exe
  Program crash (1 IoCs)
    pid   pid_target  Process       procid_target
    3316  1824        WerFault.exe  15
  Creates scheduled task(s) (1 TTPs, 1 IoCs)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
    pid   Process
    4368  schtasks.exe
  GoLang User-Agent (4 IoCs)
    Uses default user-agent string defined by GoLang HTTP packages.
    description             flow  ioc
    HTTP User-Agent header  38    Go-http-client/1.1
    HTTP User-Agent header  39    Go-http-client/1.1
    HTTP User-Agent header  40    Go-http-client/1.1
    HTTP User-Agent header  20    Go-http-client/1.1
Processes
  PID 1824  C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe
            cmd: "C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe"
    PID 1296  C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe
              cmd: "C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe"
      PID 4120  C:\Windows\system32\cmd.exe
                cmd: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        PID 1184  C:\Windows\system32\netsh.exe  [Modifies Windows Firewall]
                  cmd: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      PID 3364  C:\Windows\rss\csrss.exe
                cmd: C:\Windows\rss\csrss.exe ""
        PID 4368  C:\Windows\SYSTEM32\schtasks.exe  [Creates scheduled task(s)]
                  cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        PID 4012  C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                  cmd: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
    PID 3316  C:\Windows\SysWOW64\WerFault.exe  [Program crash]
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 692
  PID 4452  C:\Windows\SysWOW64\WerFault.exe
            cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1824 -ip 1824
Network
MITRE ATT&CK Enterprise v15
Downloads