Overview

overview

10

Static

static

1

b79c2d817b...c5.exe

windows7-x64

10

b79c2d817b...c5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    12-03-2024 03:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b79c2d817b0ced7a0f16ebbb1a91defae311debe95bf3e54b8194003bb9985c5.exe

  • Size

    4.2MB

  • MD5

    89dbbd2f1461d68ee434f6892130a1b1

  • SHA1

    4e145e27f03fc19db5d148587fd58edabc5f05fd

  • SHA256

    b79c2d817b0ced7a0f16ebbb1a91defae311debe95bf3e54b8194003bb9985c5

  • SHA512

    32d909207414d3a2c92d1b856b24261ba5cfa9ac290a1ef32982684b788cc12aef480549a769118a59f6f14c5bcc6d862b61d4d9ab622ee7d16b9549ad865d08

  • SSDEEP

    98304:teW8UzsHIbLf9dWRHWVRhdNR5S1sJRNc/DhpLv/dFcsAkZ5z:q0L1dWRH6Rb9w/n3rVAkT

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencetrojan

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 22 IoCs
  • Windows security bypass 2 TTPs 7 IoCs
    evasiontrojan
  • Detects Windows executables referencing non-Windows User-Agents 20 IoCs
  • Detects executables Discord URL observed in first stage droppers 20 IoCs
  • Detects executables containing URLs to raw contents of a Github gist 20 IoCs
  • Detects executables containing artifacts associated with disabling Widnows Defender 20 IoCs
  • Detects executables referencing many varying, potentially fake Windows User-Agents 20 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 9 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 3 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 7 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\b79c2d817b0ced7a0f16ebbb1a91defae311debe95bf3e54b8194003bb9985c5.exe
    "C:\Users\Admin\AppData\Local\Temp\b79c2d817b0ced7a0f16ebbb1a91defae311debe95bf3e54b8194003bb9985c5.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2220
    • C:\Users\Admin\AppData\Local\Temp\b79c2d817b0ced7a0f16ebbb1a91defae311debe95bf3e54b8194003bb9985c5.exe
      "C:\Users\Admin\AppData\Local\Temp\b79c2d817b0ced7a0f16ebbb1a91defae311debe95bf3e54b8194003bb9985c5.exe"
      2⤵
      • Windows security bypass
      • Loads dropped DLL
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2112
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Modifies data under HKEY_USERS
          PID:2492
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system certificate store
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2068
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:860
        • C:\Windows\system32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:2736
          • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
            "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Modifies system certificate store
            PID:1960
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:2076
    • C:\Windows\system32\makecab.exe
      "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240312030539.log C:\Windows\Logs\CBS\CbsPersist_20240312030539.cab
      1⤵
      • Drops file in Windows directory
      PID:2688

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Impair Defenses

    3
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Disable or Modify Tools

    2
    T1562.001

    Modify Registry

    4
    T1112

    Subvert Trust Controls

    1
    T1553

    Install Root Certificate

    1
    T1553.004

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      67KB

      MD5

      753df6889fd7410a2e9fe333da83a429

      SHA1

      3c425f16e8267186061dd48ac1c77c122962456e

      SHA256

      b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

      SHA512

      9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab395A.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar3B74.tmp
      Filesize

      175KB

      MD5

      dd73cead4b93366cf3465c8cd32e2796

      SHA1

      74546226dfe9ceb8184651e920d1dbfb432b314e

      SHA256

      a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

      SHA512

      ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
      Filesize

      1.2MB

      MD5

      5dfb78797711bcb5fc4f4e8a91477034

      SHA1

      9119fe2cefd35d64aea2167f990dd26bd70fd2fc

      SHA256

      7f79ce338da2aeb0e5536091383ad1566212c07cdaa157c3c29aeaf80a352aed

      SHA512

      87bfe2c414a4efba774c911f5ee8e8047bec4df2cee689b74d66588818701f3098348758512dde0afa63451958486e127d925bd975fa5486e704699312397d3c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
      Filesize

      686KB

      MD5

      186c3a2e6fd16cb05bd46cb1a41555e2

      SHA1

      ddfd25d5be90e54caa711a72aaa87d0f36eefb4a

      SHA256

      c812e29ec8438f6327f0ecb59bc662b0240cd63fa3390d2ca7fc24b55527b09b

      SHA512

      1acfe6318dfb40b4b4d63bb0883e6df91ab825dbfa4b95d05b44c1d2b199888d53aac8e14a21f9b3644e3e62dc801e656ceb95f9a34f605d35dd076c6b42eec3

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      1.7MB

      MD5

      f039386a3736fb98f13b67895482f7d7

      SHA1

      98606fcec92964d89646d26bb534fd1b415737f1

      SHA256

      42969bc3409df4e063c16863212b3002df7248e86b01d6bc0a13da572935e938

      SHA512

      83efe196895ce2762b33554e61773302098109a94d9ddded8bbf6b70d5c98dd3deaf5f79002032776c536b9234c61da046862a66128ce7bc353bdc8ffdec8817

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      1.4MB

      MD5

      8f9441286d306bdcd60cc72ace1c5343

      SHA1

      c3c5a264d9444592e14bc73782d4c0e13361d67a

      SHA256

      8c45099707e5123fff8a3e1ac491184f830fb28e47bc852199c2c433e52364bd

      SHA512

      79751ec7c02775e877194f2a383a21a739074c905b974fcd1f6f14ba362b85d30788c8777eaf066c50a86ac2c89f41b1d7486108d8524c992c0b194b0e8a03c2

      Download Submit

    • \Users\Admin\AppData\Local\Temp\csrss\patch.exe
      Filesize

      907KB

      MD5

      8554c27b903d9b125ecb1091ee715e7e

      SHA1

      6dcd24b83f03521b394a6751695df1133e5a8178

      SHA256

      bab77d2a3528768901cc33f83cd5ded2587c11fd74cd2cba13bea6972596b1af

      SHA512

      a752d555e38e24387824b19a68b9ae428cba162a333df40b7ce1c0208c65452ef879d98f7f9b023b9c2a3541cb2db9e2bb683483e762a3513ab3ad873b686fc5

      Download Submit

    • \Users\Admin\AppData\Local\Temp\dbghelp.dll
      Filesize

      981KB

      MD5

      1f34d1086a3e9fa864b8b0da50c29ca3

      SHA1

      c955e7841d1aed9ecb022eac4e6930643fdcbe28

      SHA256

      215bea33b9b9aee9de04f09429b2b0992332fa53659043b9a917820bd803448a

      SHA512

      2c947aa0ca361dcda3bca6478ecf87830d94ae67a1d6db564e3f0fc72fb3de59fdd10343756974c0dd15d1f44b052ecdae5902769382724622f58f84ac4fd904

      Download Submit

    • \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
      Filesize

      824KB

      MD5

      69bb459214115cbf049d76e9ac552e4a

      SHA1

      6315b5f166aaea2f68b9a91243e847e85de592a9

      SHA256

      3fc1abb3b4ab89f1886c06de86753fe2752c458541145dada49a55067cee0030

      SHA512

      736070262cd1103f23ebd0ebc880698872b994cc370ad81ee74b16a36f4be1a0c2c242a012461b4642cfedd05dde0c25a3532c8cdecd85a18c660d9d31debcd2

      Download Submit

    • \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
      Filesize

      1.1MB

      MD5

      b7bc592541685e18e43851a2987964b9

      SHA1

      035d0272518de286da97034eec089fd0bd90cd7a

      SHA256

      0daaf1987a41b3efa01eac06b78a1b0a20afe1538c1682622c471c8187a93703

      SHA512

      c17d1fcf30f6b97248d840d67f583072938ccdb69d7e02b0459bee0100ed26cb1010de316b6db1d4da33f7ec911f6a14eef33fd0c11b525919a7ce0b6cc24b53

      Download Submit

    • \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
      Filesize

      1.0MB

      MD5

      6a59d88c8f0d5f52c6fbee03329df1ae

      SHA1

      0a72f84d715ebca7aa58f652da1678cbe3dd48bf

      SHA256

      cb025f512d204d0c3d7a2cd3dfa3ac6ec5100341c5497362eb66850bef30e472

      SHA512

      b52dfe2be687e1eeb68c9b695ed53fe73f61802de1de0588e9aefda0d525927c35aaa24b0abef0cb0d5fd5888e15178bc00a7c528b684f865ff5ece66d1119f8

      Download Submit

    • \Users\Admin\AppData\Local\Temp\symsrv.dll
      Filesize

      163KB

      MD5

      5c399d34d8dc01741269ff1f1aca7554

      SHA1

      e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

      SHA256

      e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

      SHA512

      8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

      Download Submit

    • \Windows\rss\csrss.exe
      Filesize

      1.6MB

      MD5

      d5ef4ef30797809004b11c2ea06d168c

      SHA1

      1b39be251295aa604dac3fc6a5185a53596176ee

      SHA256

      093a923c3bef8eb8f09968a6a8fc016e273913f2fc0859bfb36dcddb192f7f7a

      SHA512

      bb5efe89c77e3e934bb47b32e714960316f3f75132c675d25d69184b2b93a53219b04cfb9cfe2c4025b5ccb2249134a37b286bb7d9423c9107da3c4c44960350

      Download Submit

    • \Windows\rss\csrss.exe
      Filesize

      1.7MB

      MD5

      d3ce643ee5ad2c6a4b9780e334470c6f

      SHA1

      f94dac40d90314aee2e1a8abc48ee9599f8c0806

      SHA256

      e36e8a679f1e3ea8283cf1fd58cac7657fc1bcc250705691f31c9eea7947de7d

      SHA512

      08dd216286bcac89d05b5e0c1efe36c41995277625b297342c16ed66461c30c9681c309aa3129eba56790d54d436975239d10c7247023dbd06b2046cca03a141

      Download Submit

    • memory/1960-33-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/1960-43-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/2068-126-0x0000000000400000-0x0000000001E17000-memory.dmp

      Filesize

      26.1MB

      Download

    • memory/2068-124-0x0000000000400000-0x0000000001E17000-memory.dmp

      Filesize

      26.1MB

      Download

    • memory/2068-22-0x0000000000400000-0x0000000001E17000-memory.dmp

      Filesize

      26.1MB

      Download

    • memory/2068-21-0x00000000036D0000-0x0000000003AC8000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2068-128-0x0000000000400000-0x0000000001E17000-memory.dmp

      Filesize

      26.1MB

      Download

    • memory/2068-129-0x0000000000400000-0x0000000001E17000-memory.dmp

      Filesize

      26.1MB

      Download

    • memory/2068-118-0x0000000000400000-0x0000000001E17000-memory.dmp

      Filesize

      26.1MB

      Download

    • memory/2068-125-0x0000000000400000-0x0000000001E17000-memory.dmp

      Filesize

      26.1MB

      Download

    • memory/2068-19-0x00000000036D0000-0x0000000003AC8000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2068-127-0x0000000000400000-0x0000000001E17000-memory.dmp

      Filesize

      26.1MB

      Download

    • memory/2068-123-0x0000000000400000-0x0000000001E17000-memory.dmp

      Filesize

      26.1MB

      Download

    • memory/2068-122-0x0000000000400000-0x0000000001E17000-memory.dmp

      Filesize

      26.1MB

      Download

    • memory/2068-121-0x0000000000400000-0x0000000001E17000-memory.dmp

      Filesize

      26.1MB

      Download

    • memory/2068-120-0x0000000000400000-0x0000000001E17000-memory.dmp

      Filesize

      26.1MB

      Download

    • memory/2068-119-0x0000000000400000-0x0000000001E17000-memory.dmp

      Filesize

      26.1MB

      Download

    • memory/2068-103-0x0000000000400000-0x0000000001E17000-memory.dmp

      Filesize

      26.1MB

      Download

    • memory/2068-115-0x00000000036D0000-0x0000000003AC8000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2068-116-0x0000000000400000-0x0000000001E17000-memory.dmp

      Filesize

      26.1MB

      Download

    • memory/2068-117-0x0000000000400000-0x0000000001E17000-memory.dmp

      Filesize

      26.1MB

      Download

    • memory/2220-7-0x0000000003B60000-0x000000000444B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/2220-1-0x0000000003760000-0x0000000003B58000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2220-2-0x0000000003B60000-0x000000000444B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/2220-3-0x0000000000400000-0x0000000001E17000-memory.dmp

      Filesize

      26.1MB

      Download

    • memory/2220-4-0x0000000000400000-0x0000000001E17000-memory.dmp

      Filesize

      26.1MB

      Download

    • memory/2220-8-0x0000000003760000-0x0000000003B58000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2220-0-0x0000000003760000-0x0000000003B58000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2680-5-0x0000000003580000-0x0000000003978000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2680-6-0x0000000003580000-0x0000000003978000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2680-9-0x0000000000400000-0x0000000001E17000-memory.dmp

      Filesize

      26.1MB

      Download

    • memory/2680-20-0x0000000003580000-0x0000000003978000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2680-18-0x0000000000400000-0x0000000001E17000-memory.dmp

      Filesize

      26.1MB

      Download