Analysis
-
max time kernel
150s -
max time network
165s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
-
submitted
19/03/2024, 18:47
General
-
Target
e162841da8a7b9c4e6a57c056e665f916db3310a6d32e5ee2f2eefa5fa591a94.exe
-
Size
4.1MB
-
MD5
7f0a33a7939522d86e16a43e6068064d
-
SHA1
847bf9cd9081923ff08d481c017c16661f19bb93
-
SHA256
e162841da8a7b9c4e6a57c056e665f916db3310a6d32e5ee2f2eefa5fa591a94
-
SHA512
138823928af1d84b2afc7a076d4197995de5eaa5569a4e948c0e6d3fa59e5b0eb007cecafde15562b57b57f586ef71502dc5d0f072ea55853e6ad2f55244c165
-
SSDEEP
98304:HKXyE8In0O6SJhzK5n/PpvlNSCo+wC1w3rVx3yg+nm:Tb2UnF6Co+wC1Mx+nm
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 20 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e162841da8a7b9c4e6a57c056e665f916db3310a6d32e5ee2f2eefa5fa591a94.exe"C:\Users\Admin\AppData\Local\Temp\e162841da8a7b9c4e6a57c056e665f916db3310a6d32e5ee2f2eefa5fa591a94.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\e162841da8a7b9c4e6a57c056e665f916db3310a6d32e5ee2f2eefa5fa591a94.exe"C:\Users\Admin\AppData\Local\Temp\e162841da8a7b9c4e6a57c056e665f916db3310a6d32e5ee2f2eefa5fa591a94.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
2KB
MD5ac4917a885cf6050b1a483e4bc4d2ea5
SHA1b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d
-
Filesize
19KB
MD5c6410647568e90bc113f02a9d39a9662
SHA15789e1450b2fe756209d300147d4c26209a481f9
SHA256e6f26b710677eb3c5eb80c69a4926c40b984ce834ef0ac5a8f2d282559e37c99
SHA512d4e5a733c237bfc45dc91e75cc62ccce3065db6b34948ab097eb49119e165f9fc5c72352afbe5468085916142558d93ad8617d8bd33f3555087ef99b630e048a
-
Filesize
19KB
MD5cdbff7effaf49cdaa2bbd8314d54ab1b
SHA177f0b6f97151c1043e34248e6d33cbc39d4fe33c
SHA256c2f80e1da8f086e6af4b5b76bb41b5f3f0dabea4703f5bab6976ff47ff988af9
SHA512f6d780f25855b36b0f1061393f621cd9e9c3f8e196866b7ed625c98ac5a5b57495d33c3e5b5635ffd1b6bf0bfa38996f00a7ad212da72338e829ce194ff3609d
-
Filesize
19KB
MD5a6143ed838546f3f227589964a0c00dd
SHA13afaddc00c58e573edd579120f4cc3793a9621fb
SHA25663d360c051cad4e4c3a39d6ff2315128246b5ee6651fc5dea048d413d046b5d2
SHA5128ac5629ad5ce9c0a6c54ee6384fe11c98ccab435c323a3c92a1bb8e249cd28daab05bc536a9931f05f3f2dd1cdf0147a6a31143911f9af0717446bf53a155de4
-
Filesize
19KB
MD5b94030c86ba7fc85bec0f082d2b47db0
SHA1c6fd639cabcca62085499682ff05ea27dddf8678
SHA256d6506306870804354816e9ea0e00c05285f3db8c2d5a773c795f8cb35d3b66f8
SHA512a65ad237ad8202f0e4c8107ea376eeea7884fbd9c6999b37e22aa6a26103ea4fb01f23aaa527e9656fa9c5cd359d9c949f707f868f37cd5d9eb7e65e12ea5993
-
Filesize
19KB
MD589714a20518e321fdd04ba9b91597e97
SHA18b1cbcbb45bd92369a4bb8317aa33516c0fd07d4
SHA25635d0d6f4febbe4e472d111a2d25d7406076a24f8df9abd8960dfd7bb9ee290e3
SHA512a1887c35231d42fb6e10adf7593fd371be699a13d58d22a140eaa8c02487f05da382ac1fd05c7530a435855276ac3e306887cd1c80d05ce88634a2df805c41a3
-
Filesize
4.1MB
MD57f0a33a7939522d86e16a43e6068064d
SHA1847bf9cd9081923ff08d481c017c16661f19bb93
SHA256e162841da8a7b9c4e6a57c056e665f916db3310a6d32e5ee2f2eefa5fa591a94
SHA512138823928af1d84b2afc7a076d4197995de5eaa5569a4e948c0e6d3fa59e5b0eb007cecafde15562b57b57f586ef71502dc5d0f072ea55853e6ad2f55244c165
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
8.9MB
-
Filesize
9.1MB
-
Filesize
8.9MB
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
6.5MB
-
Filesize
84KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
656KB
-
Filesize
208KB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
280KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
304KB
-
Filesize
84KB
-
Filesize
64KB
-
Filesize
68KB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
656KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
9.1MB