General

  • Target

    627b9922c12fa0d1158a61b52a807028

  • Size

    4.4MB

  • Sample

    240117-m9n9pseadp

  • MD5

    627b9922c12fa0d1158a61b52a807028

  • SHA1

    68154eb58bcaa23754c19ab592f6c141b7c4dcf2

  • SHA256

    39b205f0cf578e70bf4dd3f643e7853d5c93a95b78754c33e2c9e2ef80740d35

  • SHA512

    48e06058047cf0b041cde3032aa1f1019a342604f34e283aa0878487713976ef3383835959c9532602c883f685966d40c961fb799606000514aa4c81841933f8

  • SSDEEP

    98304:Kv5ymCkjWLCQ27ksJHJJybs5eVvRYqa72use3wFCNuD:Kvb8LF6Hiieb/a7n/XNuD

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Targets

    • Target

      627b9922c12fa0d1158a61b52a807028

    • Size

      4.4MB

    • MD5

      627b9922c12fa0d1158a61b52a807028

    • SHA1

      68154eb58bcaa23754c19ab592f6c141b7c4dcf2

    • SHA256

      39b205f0cf578e70bf4dd3f643e7853d5c93a95b78754c33e2c9e2ef80740d35

    • SHA512

      48e06058047cf0b041cde3032aa1f1019a342604f34e283aa0878487713976ef3383835959c9532602c883f685966d40c961fb799606000514aa4c81841933f8

    • SSDEEP

      98304:Kv5ymCkjWLCQ27ksJHJJybs5eVvRYqa72use3wFCNuD:Kvb8LF6Hiieb/a7n/XNuD

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • MetaSploit

      Detected a malicious payload that is part of the Metasploit Framework, likely generated with msfvenom or a similar tool.

    • Modifies boot configuration data using bcdedit

    • Modifies Windows Firewall

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system.

    • Executes dropped EXE

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Manipulates WinMonFS driver

      Rootkits write to the WinMonFS driver to hide directories and files from detection.

    • Drops file in System32 directory
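The behavioural signatures above are the report's verdicts, not the rules that produced them. As an added illustration (not code from the sandbox or from the analysed sample), the script below replays a constructed, Sysmon-like event trace and flags the same behaviours with simple, stateful rules: a Run-key write, an Uninstall-key lookup, netsh firewall changes, bcdedit /set, a file dropped under System32, a write to the \\.\WinMonFS device, and execution of an EXE that an earlier event in the trace wrote to disk. The event shape, paths, command lines and the ATT&CK mapping are assumptions made here for the example; nothing in it is taken from the real sample.

```python
"""Added example: flag the report's behaviours in a constructed host-telemetry trace.

Events are dicts in a loosely Sysmon-like shape (an assumption made here).
SAMPLE_EVENTS is constructed for illustration and is NOT from the analysed sample.
"""
import re

# Signature -> ATT&CK technique where the mapping is standard (editor's mapping,
# not taken from the report). bcdedit, dropped-EXE and System32 writes are left
# unmapped: the right technique depends on details these events do not show.
ATTACK = {
    "Adds Run key to start application": "T1547.001",
    "Modifies Windows Firewall": "T1562.004",
    "Checks installed software on the system": "T1518",
    "Manipulates WinMonFS driver": "T1014",
}

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?(\\|$)", re.I)
UNINSTALL_KEY = re.compile(r"\\CurrentVersion\\Uninstall(\\|$)", re.I)
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)
WINMONFS = re.compile(r"(\\\\\.\\|\\device\\)winmonfs", re.I)   # \\.\WinMonFS or \Device\WinMonFS


def basename(path):
    """Last path component, lower-cased, for image-name comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(events):
    """Return (event_index, signature) hits in trace order.

    State is kept across events so 'Executes dropped EXE' fires only for a
    process whose image path was written earlier in the same trace.
    """
    dropped = set()
    hits = []
    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "file_write":
            path = ev["path"]
            if path.lower().endswith(".exe"):
                dropped.add(path.lower())
            if SYSTEM32.search(path):
                hits.append((i, "Drops file in System32 directory"))
            if WINMONFS.search(path):
                hits.append((i, "Manipulates WinMonFS driver"))
        elif kind == "process_create":
            image = ev["image"]
            cmd = ev.get("cmdline", "").lower()
            name = basename(image)
            if image.lower() in dropped:
                hits.append((i, "Executes dropped EXE"))
            if name == "bcdedit.exe" and "/set" in cmd:
                hits.append((i, "Modifies boot configuration data using bcdedit"))
            if name == "netsh.exe" and "firewall" in cmd:
                hits.append((i, "Modifies Windows Firewall"))
        elif kind == "registry_set":
            if RUN_KEY.search(ev["key"]):
                hits.append((i, "Adds Run key to start application"))
        elif kind == "registry_query":
            if UNINSTALL_KEY.search(ev["key"]):
                hits.append((i, "Checks installed software on the system"))
    return hits


def summarize(events):
    """Signature -> {'events': [indices], 'attack': technique id or None}."""
    out = {}
    for i, sig in classify(events):
        entry = out.setdefault(sig, {"events": [], "attack": ATTACK.get(sig)})
        entry["events"].append(i)
    return out


# Constructed trace (illustrative names and paths; not observed from the sample).
SAMPLE_EVENTS = [
    {"type": "file_write", "path": r"C:\Users\user\AppData\Local\Temp\loader.exe"},
    {"type": "process_create", "image": r"C:\Users\user\AppData\Local\Temp\loader.exe",
     "cmdline": "loader.exe"},
    {"type": "registry_query",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00000000-0000-0000-0000-000000000000}"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "loader"},
    {"type": "process_create", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="loader" dir=in action=allow program="C:\\Users\\user\\AppData\\Local\\Temp\\loader.exe"'},
    {"type": "process_create", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set testsigning on"},
    {"type": "file_write", "path": r"C:\Windows\System32\drivers\example.sys"},
    {"type": "file_write", "path": r"\\.\WinMonFS"},
]

if __name__ == "__main__":
    for sig, info in summarize(SAMPLE_EVENTS).items():
        print(f"{sig:50s} events={info['events']} attack={info['attack']}")
```

The rules are deliberately narrow: a Run-key hit needs a registry write, not merely a read, and "Executes dropped EXE" needs the write to precede the execution in the same trace, which is what separates a dropped payload from a normally installed program that happens to run. Feed it real Sysmon or sandbox JSON by converting events to the same four `type` values.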

MITRE ATT&CK Enterprise v15

Tasks