Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
1s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
29/02/2024, 05:29
General
-
Target
6667e1ab4f79b6ed3869ccfa9cce86551d54cbfa4661a2350eee40e6a7a8faf5.exe
-
Size
4.1MB
-
MD5
79d4dff9174adc484693a231b3bd7af2
-
SHA1
63d80f54a2b560ef4227d6aca4934ae606f8b4a8
-
SHA256
6667e1ab4f79b6ed3869ccfa9cce86551d54cbfa4661a2350eee40e6a7a8faf5
-
SHA512
238935b8caf940db2045ff8adfedbbea5e3196a5544e297923e0f983ec69bc40242ce042038422da4ad961774e7f1f135f67022dbb1236bfd5b1a3a4a5a5d17a
-
SSDEEP
98304:xMzAMLpWeVBMfi1O79l3dk/dJxFamkHdK:xMzA2W8BMCq9RuxFAHY
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 19 IoCs
-
Detects Windows executables referencing non-Windows User-Agents 18 IoCs
-
Detects executables Discord URL observed in first stage droppers 18 IoCs
-
Detects executables containing URLs to raw contents of a Github gist 18 IoCs
-
Detects executables containing artifacts associated with disabling Widnows Defender 18 IoCs
-
Detects executables referencing many varying, potentially fake Windows User-Agents 18 IoCs
-
UPX dump on OEP (original entry point) 6 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6667e1ab4f79b6ed3869ccfa9cce86551d54cbfa4661a2350eee40e6a7a8faf5.exe"C:\Users\Admin\AppData\Local\Temp\6667e1ab4f79b6ed3869ccfa9cce86551d54cbfa4661a2350eee40e6a7a8faf5.exe"1⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\6667e1ab4f79b6ed3869ccfa9cce86551d54cbfa4661a2350eee40e6a7a8faf5.exe"C:\Users\Admin\AppData\Local\Temp\6667e1ab4f79b6ed3869ccfa9cce86551d54cbfa4661a2350eee40e6a7a8faf5.exe"2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
-
-
-
-
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes1⤵
- Modifies Windows Firewall
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
269KB
MD5200a3c3c93eb00e0916f20a04c4c9a4b
SHA1ec294fe8c238cbbb3374a283bb54df97b7611954
SHA256416a362ad3b7a4dea3705193694d51773a56f207ea7f2ac65b8fc298dad264e2
SHA512f32a381187c0d49c603f91b4da81ea1eb76f854aa0bab29cb18125585a3b70ce18e1e744dd5980731910d8a2fa4aea083c77f0de1305f96a43bdf924da02af78
-
Filesize
219KB
MD50a164f9fd11e7d233f1dc1057a77d36c
SHA10dceb0ab08b721abc2ae1b2f33657bdb3f49782f
SHA256722f37a687a37e063e14d91f10f5e65966e5e85651eca0c48cfb11b1f9e69e62
SHA51230988e1836b04588c698731d7537b4e4b630199ad2acdf57fd11f389de38bdcd1dd113456d6c7fe3ad175d39b7d79cdd380210435857b43b591115590441a430
-
Filesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize
19KB
MD5b9e13859e90473c420650cf91b437767
SHA126fc4275e3347f3be6b7c861debfc7b7274d6ec7
SHA25675c2dec397a9c06bb52bf7f3498bc77da9581f6747352e7fe6ca7d2df757c60f
SHA512148e284536584fd1859abfad32039cd1057f2779b7a1d4f419d4785792be7e7369d9714ef8a9ab18153ad3700de27ae9f04026bbe454a02aed66c7279c338e29
-
Filesize
19KB
MD55bfd3c21c6f6cc4fe567e5a5d1e0e143
SHA1a029c780860f4b917a793dc402c8ccaa3712ec8c
SHA256696afb5c0ffa3fba95d3951e2885edd3961f150555bdf54e2287f95a2127001b
SHA512ac23777f3935c0ec6098cf04db6274939dbda5de5091a38e5d6d715ac343006c5c6b6c6e81305b9a3f6660b0e6145a514e6b489db24a1ff9d060a642536f5c59
-
Filesize
19KB
MD57231d01ce5f561d236cf45893c8f477d
SHA14f19990cd8917a63ece46e7827394afc2d0e4d0d
SHA25652eef7b6847e6d84e828d2eb22ca523e4cae3b37231e0aa016ae7abd96664ecc
SHA512f47b8182e43d2003ec0e699bd93517210ddd76ee3e801a0f54226372fc6c2e8f29396d66d74f1f36e87e7567351772979d92ee65c7c235e9e1c84dfeebe50dfa
-
Filesize
19KB
MD5ed62a6e1de580b6dd4fd3c1a37884b38
SHA192d3008a3a3b9f7a804cd6094f0b55434b6eab06
SHA256064a604a180ddd0e17ddcb185e012e3577925669c55100f561da963eebe2423f
SHA51249353b9de8c6c5e12772af9d6f2563781d83e26697c9dc02d6acebfb1fcb4f4fcf3945a789909fdec17c55ae3fdfb3680b6e0d7d4df27273c001b08383649c7f
-
Filesize
1KB
MD59c61860ccb7af38b73de23ef99b3113e
SHA1b3239466c78077dae7c958c7844438329457728c
SHA2567dab04fd2e5c618c56106a434490325c6059ed0d11f2ca2f455b7c76c9e3bfc2
SHA512456a6c3af75bd421bd90b8667da14223685c60cf4355939509b8d47a7390089a327e2467da59d771758f516e8f77da94c8d03b51dc15896ee5ef17e19d88108f
-
Filesize
307KB
MD5bbded64c46bc78fa38ccd36c4335e13c
SHA148394dee864b100893e1a126832d1fcce55bd353
SHA25686b16758723a3a3b347bd68b66ad5bfadc7ffda7ad2ca35cf4afc50fb4ca7bdb
SHA512729f618b35cdb5a5d19d11c4f7f3a23e98fc47f107d902109e4b9a53c689bf7c90965c81cb50a9da4a21daf749a4ae4a74e1c8f094b2e8b6228e36b93195959b
-
Filesize
273KB
MD5f562dc627f542ea654a8218ef58670b8
SHA1261f1fc1cfd8de244466b00dff1a97e7578ef51d
SHA25676aacce99c6dafbbedfdbfb21bbd8450d68eadb8da0ea167163902cf607947b2
SHA512154c5e19740bb258f5b729f8d62137313b5580a1a51f0c3f27962d2c38c9121c02f0cfe08a0f38fb0f8ae2d26b68e47f6a47939c39feb95af7a008ce28895d6b
-
Filesize
261KB
MD58569b9329cae46153afd3125d89d7a3e
SHA158dee1ec1df0c4828f97781fad7484669c7cb7c9
SHA25672e0b2a12b9bcbb2a4c954db56bd3e50080c7fd5fbd7c2ccf4558c06b72f27a2
SHA512abb4bfa8f6723285d9efa1496127a7ef60922039e6ca65790e5cfd24626148decef1a065744cdd6385be5fcbeaa939453a8f2c1654ac320854be793c119859f1
-
Filesize
54KB
MD5a96e16e0a76e3e5aff95232c221061d7
SHA18ea6a47baa242b2e7a3b70b5fddbf16fcbfadb95
SHA2567a1f1f10df572bb4779ec2055f333f350e24c7dc5c7d32141baabd78a95278b9
SHA5121b70de71468b2c1b377910fe0884ec08e91f0201c7f792ca47fafb6168a9a75c6ff73941afcab9042b3b1f3ae293ff7f99f2d9f1dcb6ebaa69fd250ddf911d5b
-
Filesize
285KB
MD5439a29ce1b6d5f463d250e9cc5bba30e
SHA122586a00c626c783bd96dcccfbd6c14af21bf3cc
SHA256dfdfa4dfa3034d16d7fcff86ea8177212b53dcdea4a6b64e205af3c73c696188
SHA512f7950c4f23ea38103f6bfcb5075d77ed95931b13a76f30283e0986379743d8fce5831fc56b65f734e1e3f70125574b918cf49d86554f61db982dced32a9d9241
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
45.1MB
-
Filesize
45.1MB
-
Filesize
45.1MB
-
Filesize
45.1MB
-
Filesize
45.1MB
-
Filesize
45.1MB
-
Filesize
45.1MB
-
Filesize
45.1MB
-
Filesize
45.1MB
-
Filesize
45.1MB
-
Filesize
45.1MB
-
Filesize
45.1MB
-
Filesize
45.1MB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
8.9MB
-
Filesize
4.0MB
-
Filesize
45.1MB
-
Filesize
45.1MB
-
Filesize
4.0MB
-
Filesize
64KB
-
Filesize
652KB
-
Filesize
68KB
-
Filesize
80KB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
304KB
-
Filesize
6.5MB
-
Filesize
7.7MB
-
Filesize
80KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
200KB
-
Filesize
216KB
-
Filesize
68KB
-
Filesize
600KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
652KB
-
Filesize
3.3MB
-
Filesize
6.2MB
-
Filesize
104KB
-
Filesize
472KB
-
Filesize
4.9MB
-
Filesize
272KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
136KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
45.1MB
-
Filesize
8.9MB
-
Filesize
4.0MB
-
Filesize
45.1MB
-
Filesize
4.0MB
-
Filesize
45.1MB