glupteba | 4641ab967c008d73785d344dd5cc99279da5d7271d9fe73a805ea2c218027b1a

Analysis

max time kernel
0s
max time network
142s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b814afaa89cdf33bc32543afcc9c5bfe.exe
Size

4.1MB
MD5

b814afaa89cdf33bc32543afcc9c5bfe
SHA1

3023551ecb0e29fa6433360f2a0c51d68d472b6b
SHA256

4641ab967c008d73785d344dd5cc99279da5d7271d9fe73a805ea2c218027b1a
SHA512

df2b83af2dfc29b3ac1ab8187f501cac7a6f17989a39cf2963eb3a1cfe3e5e94ac2bcd73c32376c1d2ce26ffff0fa129f19117a56251d8f605619c3481094b37
SSDEEP

98304:TV1wO0l/3cW0ckMAK1O4y3hKDtaW+rPldA/YAjz+/JLqQ:Tbl0l0K1ehGgtdLW0JLN

Score

10^/10

glupteba dropper evasion loader ransomware upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 19 IoCs

resource	yara_rule
behavioral1/memory/2400-2-0x0000000004D70000-0x000000000565B000-memory.dmp	family_glupteba
behavioral1/memory/2400-3-0x0000000000400000-0x0000000002EE6000-memory.dmp	family_glupteba
behavioral1/memory/2400-4-0x0000000000400000-0x0000000002EE6000-memory.dmp	family_glupteba
behavioral1/memory/2804-8-0x0000000000400000-0x0000000002EE6000-memory.dmp	family_glupteba
behavioral1/memory/2804-18-0x0000000000400000-0x0000000002EE6000-memory.dmp	family_glupteba
behavioral1/memory/2948-21-0x0000000000400000-0x0000000002EE6000-memory.dmp	family_glupteba
behavioral1/memory/2948-109-0x0000000000400000-0x0000000002EE6000-memory.dmp	family_glupteba
behavioral1/memory/2948-113-0x0000000000400000-0x0000000002EE6000-memory.dmp	family_glupteba
behavioral1/memory/2948-114-0x0000000000400000-0x0000000002EE6000-memory.dmp	family_glupteba
behavioral1/memory/2948-115-0x0000000000400000-0x0000000002EE6000-memory.dmp	family_glupteba
behavioral1/memory/2948-144-0x0000000000400000-0x0000000002EE6000-memory.dmp	family_glupteba
behavioral1/memory/2948-153-0x0000000000400000-0x0000000002EE6000-memory.dmp	family_glupteba
behavioral1/memory/2948-155-0x0000000000400000-0x0000000002EE6000-memory.dmp	family_glupteba
behavioral1/memory/2948-157-0x0000000000400000-0x0000000002EE6000-memory.dmp	family_glupteba
behavioral1/memory/2948-159-0x0000000000400000-0x0000000002EE6000-memory.dmp	family_glupteba
behavioral1/memory/2948-161-0x0000000000400000-0x0000000002EE6000-memory.dmp	family_glupteba
behavioral1/memory/2948-162-0x0000000000400000-0x0000000002EE6000-memory.dmp	family_glupteba
behavioral1/memory/2948-165-0x0000000000400000-0x0000000002EE6000-memory.dmp	family_glupteba
behavioral1/memory/2948-167-0x0000000000400000-0x0000000002EE6000-memory.dmp	family_glupteba

Modifies boot configuration data using bcdedit 1 TTPs 14 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
576	bcdedit.exe
1552	bcdedit.exe
1968	bcdedit.exe
2896	bcdedit.exe
908	bcdedit.exe
1444	bcdedit.exe
1264	bcdedit.exe
1004	bcdedit.exe
1500	bcdedit.exe
2984	bcdedit.exe
1480	bcdedit.exe
608	bcdedit.exe
968	bcdedit.exe
1800	bcdedit.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2548	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00050000000120c7-147.dat	upx
behavioral1/files/0x00050000000120c7-149.dat	upx
behavioral1/files/0x00050000000120c7-150.dat	upx
behavioral1/memory/1580-152-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2436-151-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2436-148-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1580-154-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1580-158-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2788	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2516	schtasks.exe
2696	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b814afaa89cdf33bc32543afcc9c5bfe.exe
"C:\Users\Admin\AppData\Local\Temp\b814afaa89cdf33bc32543afcc9c5bfe.exe"
1⤵
PID:2400
- C:\Users\Admin\AppData\Local\Temp\b814afaa89cdf33bc32543afcc9c5bfe.exe
  "C:\Users\Admin\AppData\Local\Temp\b814afaa89cdf33bc32543afcc9c5bfe.exe"
  2⤵
  PID:2804
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:664
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:2548
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:2948
  - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
      "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
      4⤵
      PID:2440
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:576
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1968
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2896
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:908
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1444
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1264
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1004
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1500
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2984
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1480
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:608
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:968
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1800
  - - C:\Windows\system32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:2760
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2516
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:2036
  - - C:\Windows\system32\bcdedit.exe
      C:\Windows\Sysnative\bcdedit.exe /v
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1552
  - - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      4⤵
      PID:2756
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2696
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:2436

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240128182819.log C:\Windows\Logs\CBS\CbsPersist_20240128182819.cab
1⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
PID:1596
- C:\Windows\SysWOW64\sc.exe
  sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
  2⤵
  - Launches sc.exe
  PID:2788

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab2E43.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
287KB

MD5
750d384dda43add0af3ec3490b69368e

SHA1
815db9efc106bea40f975c4bb8821f5e198b43c5

SHA256
4feffb02fc036e47e3019b8b4532fa8479bcefde5bf33d8d9e3ed0a96b718ff5

SHA512
439c35b96b17120fa95cb6723d99ed7dc4e425361bec0dbeae1032abd4792f9275277111ff41fd85b42a9e077a3d6f654592a5bf33ff85ed2ca3712963217fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
395KB

MD5
5da3a881ef991e8010deed799f1a5aaf

SHA1
fea1acea7ed96d7c9788783781e90a2ea48c1a53

SHA256
f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4

SHA512
24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2EE2.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
43KB

MD5
6697e9360e6d43577eaeb4564fb33d13

SHA1
2c3617aa6fb63b645ad17760a5879813349f326a

SHA256
52c9123bdddcb9cd6fca082ece35e03d636522c27f8dc8833ecb74df55da1d24

SHA512
9dd488d4cfb1ba578fa90a02c0cdb16d3dd5acff50a52fec71ea533163919947a6cd1f63b91890b3955f9c4e0fcd145631a8ad3e1a60ae9e9d8ca390f23273b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
192KB

MD5
8d5abc3b848b7983e9ce4666016b5771

SHA1
e2be8d87d147cf9bfca9c364d04b1b7683ceffd0

SHA256
e8b457f1e54ca70b5974f2a5ecd5dc2612bd006e1bfabd57168b444e3f8d0847

SHA512
3845686c373d11b893355d95d483f5a7e7e28f38b9ff289e9b3c86a1ec9c52a187e8659384483dd210ab5fee267f37e03c935eb8917af9839495ce8c8d6b3a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
133KB

MD5
1aff3918ec3aa32e692167054bbdc253

SHA1
100f8965a5d0367ff046c56fd4779dda530216d3

SHA256
5ea127f5282e97e119da9ffcd38bb2e11a068629c31d37ae31d72e4ec8b12502

SHA512
6139132b5dd9f8678c2badd8b41f067ce716618b449beaf761b854248558b4373aacdad0330a1f116433770632fc2eedb48d8ac475f5a15cd759a6201e1f1652

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Windows\rss\csrss.exe

Filesize
355KB

MD5
cb4a5cbe8822437c5d3e98e396ba8267

SHA1
9cb905f36d57ef1aaefaad6c6878b8f51f460b36

SHA256
68d118a039503a3bbb4b3195e2cace79ad3743596eafeb2d12ae5b2e18b7f0a7

SHA512
b32b845053c48a45c91a1f86090499cfbdd5136ca563d08cc84bf3d5db7a4d7eae961dd03aa83bbf4369127cad7e87671df76bb620e4aeaf6ed44e9390fc3410

Download Submit
C:\Windows\rss\csrss.exe

Filesize
409KB

MD5
fcbc145e550d729ed9e449ff66a1cb37

SHA1
b10015bba4999ff0d6e5cf57539e43fae89c1f87

SHA256
cd4b002d4667580ef920c6ab8373d21fc9361853297daeffca2566e6fe08f94e

SHA512
55517c30d7383ccf83b29d059e659bd31f76dd0bf66dd974f2599573f4b1dc69cca794623433ea34b46780852925612a3f57005e13334b166fc721df8a85d177

Download Submit
C:\Windows\rss\csrss.exe

Filesize
302KB

MD5
5c2cf3b6c5f7ea8a069f09d91ee9feab

SHA1
bd946dd4d40f230b83bd4e9b04c09f5d048999de

SHA256
7826ac6b4c0c66e0e5cc618136251ea4bb15d378395026b87450bd0ea156e258

SHA512
758bd690fed6c2a4f8e4645134cb15860e172d8fc725f2208f8295e89f4982ab4a8721b93fb3424c2e89180e8838649a8a729484619ae7cf1d2ea426fc38142f

Download Submit
C:\Windows\windefender.exe

Filesize
772KB

MD5
c67545d0e046ce49d470a1fdbef171c7

SHA1
61126993fe74e0b33bafbf38262009c7b77be363

SHA256
83beb4ef23b3676065246af537417df704166a9c9a644137a0b91eeebb8fe2b1

SHA512
be4f6ba3105091f6ce88ff26a5e887e707210f6e2eb2e773c5042754a64b7e6589d053645ee530a076b9996d569d719ea967f352fb90ee2b2dfc63c6ccf06a1c

Download Submit
C:\Windows\windefender.exe

Filesize
609KB

MD5
39cebed078ceab626d73946eac450446

SHA1
4daddee76bb9c9c74bedc60ad3e0b056b2db3690

SHA256
84e6b8718c7c3c0eadf2f046150ce4cba06ffb2672f3e0abdc1d70cc968057de

SHA512
37fa9825c16e8170677d9bd9cebf9b868e11384072bb4cac8aa7a77670cf02b0fe89ebd31136018a1efa7251c7c21f0271413bdd8f30b998f8524a6a68834efa

Download Submit
C:\Windows\windefender.exe

Filesize
868KB

MD5
2e4414fdeae9003c4572d47e7cda1b98

SHA1
2d66e6327da680dd6665253c0153764d79d8523f

SHA256
74aa1cf6d9f7a39155261cee4ccd244ccc7867471d6e279567ec88da33792b51

SHA512
fd699802e29746e0127fbafd56f118f353faa00dae54cb693596f4fcb691f05ebad015bc1baf46f67302015e433e9edf278d12894859b6f80981df17800b3849

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
28KB

MD5
77bdf0bd51cd7fb7bfefdd9ec75eeb80

SHA1
43d3cbbcc10b43b05ed3e147b248c2e901049d70

SHA256
f9257ef5dc485c0cf5125ef44834b87761df6739533bab18e23882fd9ada18fd

SHA512
62e037f8bc340ca4a5a2504197b2fb3ef88025d7895b87e30962cb4c5280a7176f236d44a5ef989e76f8cf5504eebbeab964ddfbc4d61ce7290c6e2456b8614a

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
164KB

MD5
cf2b2c8f2507decdd1c8b2a88d342f68

SHA1
3e3c04fbf7e6b04152633f472e19877f96e65ad0

SHA256
f024b779e927a8495cd5cdcfb4b117881663506e7b8c82bc9330cd9070adb294

SHA512
2be017e697456195273f53e1f1660fc0bb579ccb28629fd3d1d85d6d36060bfb8358d334d9be0be7a57fd9759b20e361d72ef85ede9a4e00c382c8a798b51e32

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
80KB

MD5
3504dc18a9312512ef0655db9a682e88

SHA1
a7472abbfa43930d75e40fe76e9725536a2e76e6

SHA256
c95b9e9f124155145ee12a0b8516c4acc7d0e1d859e86364cd25e92c26aae110

SHA512
c5afc95bdb827efade87e4ffdbcd58fe8b653ab27269634ecde08cce3409fd7403c6ae145c6bcb3236b5336366242424c9b10a936412af26b40905f4cffccb8f

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
33KB

MD5
ee823487a94010486228db88651129a0

SHA1
a677436e0cbf428c309f3b12410c38719cad3853

SHA256
d57f23e80cf9209c0e1b3e749af97988c7d8ddebd8e9a4f15444f37e34afd336

SHA512
9f7584b78aa0f7e93d16200f6bca50cef5f8b5f11c416f5622c87b802d65914ba7cd33a006a50af1267ab856e301a630d7c051bc24a8c1d2bc72b1b7cf585704

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
193KB

MD5
31defd0444bdd6b166e7bba48753b1ad

SHA1
61ef8c486d81a5c4e49a4800d548de23ed54222a

SHA256
799fb390c071498c8ce7e8822a59cbad8a7216a04c3ac7ea49b27fb205287c1d

SHA512
f0c1b121fb32d748cc3d5f0de94f683433b7c055ebbce7f004c32bfbb0be89ce16f98c7ebaeae46a5e0d83da4d1f6bc082a0c6de7ca305f0a4c9f6c40aba302e

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
115KB

MD5
92c46760915443e19a7f026f9a6deb5a

SHA1
5ebaf174e9a1f35d1ea0c5826bc18daea8bb82cb

SHA256
05501a7ccef88e6b3715e18d10a5f8346b0163c482adec1b9ba0fe10f6c93aea

SHA512
60e3266536f86f31c182e659d4a8bea548eefa741ba78fa8c09a6f0da715de9ff68281a2dd984bbcae413bd51621541bb8590d066d98f75945239317104bfcfc

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe

Filesize
348KB

MD5
97118caea60e4fe7cfdd1f1a7047b1b6

SHA1
a222c39e4222ffd2ff639fb46b89ea1ffa84295d

SHA256
ed1e9ea1f0cba9a9169c9e7cc5d6b1dcef1e0d3a3f138df2830391f90d570c5f

SHA512
dd0f3eb087fd2d1d65d10753463e741397eeb229348c9b1cdfbff8e3ec615fa1ea21e5c1d8ecc5d082b52176c300ab74627b577835d04530c27cf29f08caef51

Download Submit
\Windows\rss\csrss.exe

Filesize
393KB

MD5
178bad9dfb7d37a576e1398ecf37eaaf

SHA1
7fb233cb1657ca4fe26218577c5293640e36b5dc

SHA256
9d39e16dbe20a8da05d22302c228d039f0f443254740e9ae794c65c18a06cf64

SHA512
25142267b1bbd340988426a805d0751cb18cee42d6d1be08fa10f77a45b8ede4a38f31f944aeabc50565e13d45477e6b7964b135ba8dcb9bf842824632f41d7e

Download Submit
memory/1580-154-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1580-152-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1580-158-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2400-7-0x0000000003100000-0x00000000034F8000-memory.dmp

Filesize
4.0MB

Download
memory/2400-1-0x0000000003100000-0x00000000034F8000-memory.dmp

Filesize
4.0MB

Download
memory/2400-0-0x0000000003100000-0x00000000034F8000-memory.dmp

Filesize
4.0MB

Download
memory/2400-2-0x0000000004D70000-0x000000000565B000-memory.dmp

Filesize
8.9MB

Download
memory/2400-3-0x0000000000400000-0x0000000002EE6000-memory.dmp

Filesize
42.9MB

Download
memory/2400-4-0x0000000000400000-0x0000000002EE6000-memory.dmp

Filesize
42.9MB

Download
memory/2436-148-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2436-151-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2440-41-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2440-33-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2804-8-0x0000000000400000-0x0000000002EE6000-memory.dmp

Filesize
42.9MB

Download
memory/2804-6-0x0000000003180000-0x0000000003578000-memory.dmp

Filesize
4.0MB

Download
memory/2804-5-0x0000000003180000-0x0000000003578000-memory.dmp

Filesize
4.0MB

Download
memory/2804-18-0x0000000000400000-0x0000000002EE6000-memory.dmp

Filesize
42.9MB

Download
memory/2948-144-0x0000000000400000-0x0000000002EE6000-memory.dmp

Filesize
42.9MB

Download
memory/2948-157-0x0000000000400000-0x0000000002EE6000-memory.dmp

Filesize
42.9MB

Download
memory/2948-114-0x0000000000400000-0x0000000002EE6000-memory.dmp

Filesize
42.9MB

Download
memory/2948-109-0x0000000000400000-0x0000000002EE6000-memory.dmp

Filesize
42.9MB

Download
memory/2948-113-0x0000000000400000-0x0000000002EE6000-memory.dmp

Filesize
42.9MB

Download
memory/2948-115-0x0000000000400000-0x0000000002EE6000-memory.dmp

Filesize
42.9MB

Download
memory/2948-153-0x0000000000400000-0x0000000002EE6000-memory.dmp

Filesize
42.9MB

Download
memory/2948-19-0x00000000032F0000-0x00000000036E8000-memory.dmp

Filesize
4.0MB

Download
memory/2948-155-0x0000000000400000-0x0000000002EE6000-memory.dmp

Filesize
42.9MB

Download
memory/2948-17-0x00000000032F0000-0x00000000036E8000-memory.dmp

Filesize
4.0MB

Download
memory/2948-21-0x0000000000400000-0x0000000002EE6000-memory.dmp

Filesize
42.9MB

Download
memory/2948-159-0x0000000000400000-0x0000000002EE6000-memory.dmp

Filesize
42.9MB

Download
memory/2948-161-0x0000000000400000-0x0000000002EE6000-memory.dmp

Filesize
42.9MB

Download
memory/2948-162-0x0000000000400000-0x0000000002EE6000-memory.dmp

Filesize
42.9MB

Download
memory/2948-165-0x0000000000400000-0x0000000002EE6000-memory.dmp

Filesize
42.9MB

Download
memory/2948-167-0x0000000000400000-0x0000000002EE6000-memory.dmp

Filesize
42.9MB

Download
memory/2948-169-0x0000000000400000-0x0000000002EE6000-memory.dmp

Filesize
42.9MB

Download
memory/2948-171-0x0000000000400000-0x0000000002EE6000-memory.dmp

Filesize
42.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads