Overview

overview

10

Static

static

1

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    103s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/03/2024, 00:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    23a34008baa7ad1c6687cc4100950e298439b31671f99a61eedf68881e359489.exe

  • Size

    4.2MB

  • MD5

    91da42182decd02ae3032b5c22e2df43

  • SHA1

    e8036175e7c7a3ae2bb7a3370b6b86abe0dee0a2

  • SHA256

    23a34008baa7ad1c6687cc4100950e298439b31671f99a61eedf68881e359489

  • SHA512

    ca2cdda2d0608a195557edcdff3c90d7adb2ad10f12bf64eb06adbd816483cfc71f9a76e0907d692cb00347d110a25d34594208ab32d86b030fdcc9ad7a57b40

  • SSDEEP

    98304:uZ8PVCLVfwf6r7CwyG/HnVT/ODtpHvs0UYzukfA5p5Wsj:E8tCuG/1bkPUMvw3Wo

Score
10/10
gluptebadropperevasionloaderpersistence

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 11 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\23a34008baa7ad1c6687cc4100950e298439b31671f99a61eedf68881e359489.exe
    "C:\Users\Admin\AppData\Local\Temp\23a34008baa7ad1c6687cc4100950e298439b31671f99a61eedf68881e359489.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3700
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1356
    • C:\Users\Admin\AppData\Local\Temp\23a34008baa7ad1c6687cc4100950e298439b31671f99a61eedf68881e359489.exe
      "C:\Users\Admin\AppData\Local\Temp\23a34008baa7ad1c6687cc4100950e298439b31671f99a61eedf68881e359489.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3736
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1784
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4380
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:3992
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2672
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5072
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        PID:1700

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ypjr4kc0.j4l.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    3d086a433708053f9bf9523e1d87a4e8

    SHA1

    b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

    SHA256

    6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

    SHA512

    931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

    Download Submit

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize

    19KB

    MD5

    b9e4b939b77622165ef92b477ab835ef

    SHA1

    7c615bf8205054b2f7fee5e051ae65b0dfca571a

    SHA256

    33f1629b7565b11289e7c9992dca1334fc19affcf6820724cb8bbdb605a95c15

    SHA512

    376253efe66b927db9543cea03fc3cf6931a3dc98fbcd991dd013faaafb443520f46a2a027eaf85ed5dfa3ae3fa74cd87649f5700ea745c5ef333b893a23f9c7

    Download Submit

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize

    19KB

    MD5

    959baf1089a5893c18cdcc0b5a807aa2

    SHA1

    aa451f9e80b51d65f87dfa1548c443e513648bca

    SHA256

    d76b15e1731c4b49c3c1340da1ff127438a07fbbf39d6f7b10ff454b73c84d00

    SHA512

    7ffc3ac2ca3550014822d4cc5639140ba750f572847e747e3fd4585bde88f9143187ede4505a7c7ac356fe23785c9fe133f360451b626d90cfb286cdf13c1eb6

    Download Submit

  • C:\Windows\rss\csrss.exe
    Filesize

    4.2MB

    MD5

    91da42182decd02ae3032b5c22e2df43

    SHA1

    e8036175e7c7a3ae2bb7a3370b6b86abe0dee0a2

    SHA256

    23a34008baa7ad1c6687cc4100950e298439b31671f99a61eedf68881e359489

    SHA512

    ca2cdda2d0608a195557edcdff3c90d7adb2ad10f12bf64eb06adbd816483cfc71f9a76e0907d692cb00347d110a25d34594208ab32d86b030fdcc9ad7a57b40

    Download Submit

  • memory/1356-56-0x0000000007850000-0x0000000007861000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1356-13-0x0000000005910000-0x0000000005932000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1356-6-0x0000000002B40000-0x0000000002B50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1356-7-0x0000000002AC0000-0x0000000002AF6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1356-8-0x0000000002B40000-0x0000000002B50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1356-9-0x00000000052E0000-0x0000000005908000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1356-62-0x0000000007870000-0x000000000787E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1356-14-0x0000000005A30000-0x0000000005A96000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1356-20-0x0000000005AA0000-0x0000000005B06000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1356-64-0x00000000078D0000-0x00000000078EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1356-25-0x0000000005B10000-0x0000000005E64000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1356-26-0x00000000060B0000-0x00000000060CE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1356-27-0x0000000006190000-0x00000000061DC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1356-29-0x00000000064A0000-0x00000000064E4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1356-30-0x0000000074CA0000-0x0000000075450000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1356-31-0x0000000002B40000-0x0000000002B50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1356-32-0x00000000073C0000-0x0000000007436000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1356-33-0x0000000007AC0000-0x000000000813A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1356-34-0x0000000007470000-0x000000000748A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1356-35-0x0000000002B40000-0x0000000002B50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1356-36-0x000000007FCE0000-0x000000007FCF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1356-37-0x0000000007640000-0x0000000007672000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1356-38-0x0000000070B40000-0x0000000070B8C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1356-39-0x0000000070CC0000-0x0000000071014000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1356-49-0x0000000007620000-0x000000000763E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1356-50-0x0000000007680000-0x0000000007723000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1356-51-0x0000000007760000-0x000000000776A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1356-63-0x0000000007880000-0x0000000007894000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1356-68-0x0000000074CA0000-0x0000000075450000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1356-53-0x0000000002B40000-0x0000000002B50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1356-55-0x00000000078F0000-0x0000000007986000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1356-5-0x0000000074CA0000-0x0000000075450000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1356-58-0x0000000002B40000-0x0000000002B50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1356-61-0x000000007FCE0000-0x000000007FCF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1356-65-0x00000000078C0000-0x00000000078C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1784-101-0x0000000006FB0000-0x0000000006FC4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1784-88-0x0000000070B40000-0x0000000070B8C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1784-104-0x0000000074CA0000-0x0000000075450000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1784-100-0x0000000006F60000-0x0000000006F71000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1784-99-0x0000000006CA0000-0x0000000006D43000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1784-89-0x00000000712C0000-0x0000000071614000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1784-87-0x000000007EEC0000-0x000000007EED0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1784-73-0x0000000074CA0000-0x0000000075450000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1784-75-0x0000000002620000-0x0000000002630000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1784-74-0x0000000002620000-0x0000000002630000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1784-83-0x0000000005420000-0x0000000005774000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1784-86-0x0000000002620000-0x0000000002630000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2672-109-0x0000000000D10000-0x0000000000D20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2672-106-0x0000000074CA0000-0x0000000075450000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2672-121-0x0000000000D10000-0x0000000000D20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2672-123-0x0000000070B40000-0x0000000070B8C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2672-124-0x00000000712C0000-0x0000000071614000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2672-107-0x0000000000D10000-0x0000000000D20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2672-135-0x0000000074CA0000-0x0000000075450000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3700-1-0x0000000002D70000-0x000000000316B000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/3700-11-0x0000000002D70000-0x000000000316B000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/3700-2-0x0000000003170000-0x0000000003A5B000-memory.dmp

    Filesize

    8.9MB

    Download

  • memory/3700-3-0x0000000000400000-0x0000000000EDA000-memory.dmp

    Filesize

    10.9MB

    Download

  • memory/3700-10-0x0000000000400000-0x0000000000EDA000-memory.dmp

    Filesize

    10.9MB

    Download

  • memory/3700-52-0x0000000000400000-0x0000000000EDA000-memory.dmp

    Filesize

    10.9MB

    Download

  • memory/3700-4-0x0000000000400000-0x0000000000EDA000-memory.dmp

    Filesize

    10.9MB

    Download

  • memory/3700-12-0x0000000003170000-0x0000000003A5B000-memory.dmp

    Filesize

    8.9MB

    Download

  • memory/3700-70-0x0000000000400000-0x0000000000EDA000-memory.dmp

    Filesize

    10.9MB

    Download

  • memory/3736-110-0x0000000000400000-0x0000000000EDA000-memory.dmp

    Filesize

    10.9MB

    Download

  • memory/3736-72-0x0000000000400000-0x0000000000EDA000-memory.dmp

    Filesize

    10.9MB

    Download

  • memory/3736-136-0x0000000000400000-0x0000000000EDA000-memory.dmp

    Filesize

    10.9MB

    Download

  • memory/3736-108-0x0000000002C00000-0x0000000002FFA000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/3736-71-0x0000000002C00000-0x0000000002FFA000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/3736-168-0x0000000000400000-0x0000000000EDA000-memory.dmp

    Filesize

    10.9MB

    Download

  • memory/5072-137-0x0000000074CA0000-0x0000000075450000-memory.dmp

    Filesize

    7.7MB

    Download