Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
27/03/2024, 01:23
General
-
Target
c6d48fd6191fbb63d5406226c4fc1e094ee30875056e7cf5e31828dab3b8b317.exe
-
Size
4.2MB
-
MD5
e8de534d36938bb16d424001824ba955
-
SHA1
24ba41919aff326fc46d33a2e5a14efb4f443a33
-
SHA256
c6d48fd6191fbb63d5406226c4fc1e094ee30875056e7cf5e31828dab3b8b317
-
SHA512
c4d995e3646f93f428e26106d8a10a18d760542f5029c46f7c5ffffa80c3c709eb654315e019c82cba0cafe883808a312565112998eaa5183a47e622913f6f2a
-
SSDEEP
98304:Jv0T1XT8Tbl9EdJLPOp4i7E1Yl4G/M6pSEC/z40cZl:doBQTbl9ETLOp1p4G/lSEMz4L
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 21 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 6 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c6d48fd6191fbb63d5406226c4fc1e094ee30875056e7cf5e31828dab3b8b317.exe"C:\Users\Admin\AppData\Local\Temp\c6d48fd6191fbb63d5406226c4fc1e094ee30875056e7cf5e31828dab3b8b317.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\c6d48fd6191fbb63d5406226c4fc1e094ee30875056e7cf5e31828dab3b8b317.exe"C:\Users\Admin\AppData\Local\Temp\c6d48fd6191fbb63d5406226c4fc1e094ee30875056e7cf5e31828dab3b8b317.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
216KB
MD50e3eec74556edc0638b28a515d9fd67d
SHA12421abe39842e78b39ba15e5dfb7c63a8b58eabb
SHA2565e0ce22c28e9b85c54711fb01a0ac33005ec3e6d185ea1327d15584756cf17f7
SHA5126b5a328a638164999b95cc979a0cff2b9aa14e941672fdd9db72c83552050b1253585b81c6a3bf9c5c713649c1766e03e77280312b08572987df6b49ae3e8b1c
-
Filesize
220KB
MD5aad02a22d14cefd34b9991cd4266ccf4
SHA140c93deaa65f74549e049a2cdf43156acd146a0d
SHA256b742869526e9a076cfc2b7ecb3c886c506b7737df78918d5762ba906363c7e97
SHA5127592837a98384b13e17c3f12a8b0a8b009db735cec75e5e7b48cb64bb7695ba41e768975c3a96cd4cedde8fc5a5a10b314136a8bcda7a3d184ec53bb7f313f08
-
Filesize
2KB
MD5e38cf80ccd733d12acd8ed657fa76a0f
SHA1580e49e1b482dcf0480cefe6d5bf8f0331732296
SHA25647996c1354ee704ef75a94ae2217033da52695ca164573023cda951bdec728be
SHA512ed7056b56d6cd0fd42f9bb716c647ed21f988231aa0817f28be7fceab199a274a479af4e7b77b86ed298b6734b39c2e6714d46bd6bd408d9862a77d97013bc12
-
Filesize
19KB
MD59e316bc7217ad8fe4fc992e29a7c0f4f
SHA18e2e6ced44800cea6d8e9e102b8b7e3bf304cd27
SHA25693531a73da618eb9139c51dc69e59ca913c239b802515ef15c95688d033b1945
SHA5129f4514b3e55ae2d1900b50d062b4924728a2f7d5d8340376af12ff5298acfbc4db61fd433627f9eac71d2ea34a8a84d51650d0fbe1a97d3e2b8897fef6b8232c
-
Filesize
19KB
MD5b4819d6e722a6c487ec7912f5ff77388
SHA18c17a55780168c3bac3cd58db94b15cd444eaeb6
SHA256ac5bbe74712c4d1ffd014999b2ffc20db829748da934636627c791a2db059078
SHA5125f558441bc10e6bbb68e85d50347f6352468763a80b8d7a9728cc958ad628b4db6619c3a1066d928d1a5ecc41a4a6a58dcaf04d4ba0afdd520ca7ba463836dd8
-
Filesize
19KB
MD53ea3b336026f8f4dea2f81f39753d397
SHA1598016b0dd11cb23aa72a178a2685301f1e3164c
SHA2565046c02d6897ba84a01bdd8f15a1009c65dcc745806933ae9295baf21e0ef925
SHA512bfcd96d4a6394208c735c7af9e7c246b60216c6b74b703d763150b855b8f18de2c015667da2f7b3a9f96305bb6212898dbea6a59d330db60470a57ad9f59aa29
-
Filesize
19KB
MD5802b990ae482dd22dcd1c44cac71f08c
SHA1d1f6201c02ac10e64c2cbe32c48643f77750a65f
SHA25624b0c58c98f186e50558275fd0124a33c4be89609cf334afe885cbe52887f5a1
SHA512f7e788d1e06a76cd88364b530fa6ceaf94005b9cd3c8300537181c61a4fc5bb895d2b02d4e705037c43e5d6c507a0855a58284f07b6db9c48ee9e4094bf0bb1e
-
Filesize
189KB
MD51979823654f7b4340018a78221bcae49
SHA1fce03f97b192e48ea6824aeecd880e15bfe4cafb
SHA256c2f5bbc1fcdb6cf3ee44f565c0d1223620626ff17db362ee422f4874605e27d9
SHA512b7f7af93cafc211c8ff801516a08cc9658859b20450e70cb12d3b1c78da30653b735bd1ed16d485c1629472061eb767396132e42b88695c1d93e2a59b9ed745d
-
Filesize
291KB
MD517ef8fdf91e867b0d42e14ddeb3dd0e9
SHA11777a59382365c8c7c9190ddd83cfee7013a2f3c
SHA2563bc922452b386df60fbdaf7362915a75459c83ba119eb1d722686366ef993a6d
SHA512912694add62a2966349f2ec26f6500375d8ba44206e42ed3ddd11f57788f94e430008c1da4c8626395eb1e95e0c47bd2f462cfce5000db37647bc442d37b8ceb
-
Filesize
469KB
MD5f6d28bcb3c34aea6d16d1a4331869e52
SHA187e0699187dc6e52b9b7cc988dd71b7601e003d2
SHA256f86fb1d80c7ff9d096740b5b7fcbbca668a1761bfe158379ba185e5fc308adb0
SHA512da48b4af0519a592896b9b334899facca1f9303296f2afbf4313da16d0224e82792b8ec3d3baa63e784c67131c6b4815c3c84d7649912f7dae4c8561b07a118c
-
Filesize
419KB
MD501db2f6792b216c69ef13611082e0b13
SHA17a2c61dc0a93e3e22d858ebbc14f30bdc8ec705b
SHA2562b1c1120744fa90b18344d445ceb4f264abca116fee54b9ed6a30c12b7b17780
SHA512e7cc0aea0cee743793664d5d188a81b98e08e1995d2c7f995cd2f7fa737d34159b2a6c51581d79a1651df5f6b35a89a2b6643a77b53e030ba3cb156d703bf133
-
Filesize
433KB
MD596a025e7a1fe27a1e36a3cd618d34702
SHA134c655ff3e25415ed0ebc1f0f04706ee306241b8
SHA25655ccf1f572e46889f34afdfec06b85237c238468d0784e47c3decc5ba7ae52d6
SHA5127f2b9588dcf86bf9405616223b2ceca3ce6bed6816f085361b45eb11410f2241946dd4d4fc9f199d86501bb18278e9d4437d05fd389cffe46514209cd3e88f5a
-
Filesize
4.9MB
-
Filesize
10.9MB
-
Filesize
4.0MB
-
Filesize
8.9MB
-
Filesize
10.9MB
-
Filesize
8.9MB
-
Filesize
4.0MB
-
Filesize
7.7MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
600KB
-
Filesize
6.5MB
-
Filesize
68KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.2MB
-
Filesize
64KB
-
Filesize
216KB
-
Filesize
120KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
652KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
272KB
-
Filesize
3.3MB
-
Filesize
472KB
-
Filesize
104KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
652KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
68KB
-
Filesize
80KB
-
Filesize
4.0MB
-
Filesize
10.9MB
-
Filesize
10.9MB
-
Filesize
10.9MB
-
Filesize
4.0MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
10.9MB
-
Filesize
10.9MB
-
Filesize
10.9MB
-
Filesize
4.0MB
-
Filesize
10.9MB
-
Filesize
10.9MB
-
Filesize
10.9MB
-
Filesize
10.9MB
-
Filesize
10.9MB
-
Filesize
10.9MB
-
Filesize
10.9MB
-
Filesize
10.9MB
-
Filesize
10.9MB
-
Filesize
10.9MB
-
Filesize
10.9MB