Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240319-en -
resource tags
-
submitted
27/03/2024, 11:05
General
-
Target
dd529fcfd5e17bb7238c9dbcd8a87f8c518ac7d018f37283e70ca51816926200.exe
-
Size
4.1MB
-
MD5
b65b3808d01a8e86cca4b3471ee1423d
-
SHA1
7aca57edeeda3694d3bd275370a0f74f776b7b1d
-
SHA256
dd529fcfd5e17bb7238c9dbcd8a87f8c518ac7d018f37283e70ca51816926200
-
SHA512
f4faaa69baea7c62984d0e56219884f3b2446fb828100b1b4c44928453680ba771eb92beaddd863318779f545c06a8bf1eefdbc60554e3fd1c519759478e170e
-
SSDEEP
98304:KtoBwzMEokrjaiv5Yw/pXBeC9oheunTMG9BoZ2SC1bWr70zMNI0Rh:SzMOe5EBB1funT3eZgC8zMzb
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 19 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\dd529fcfd5e17bb7238c9dbcd8a87f8c518ac7d018f37283e70ca51816926200.exe"C:\Users\Admin\AppData\Local\Temp\dd529fcfd5e17bb7238c9dbcd8a87f8c518ac7d018f37283e70ca51816926200.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\dd529fcfd5e17bb7238c9dbcd8a87f8c518ac7d018f37283e70ca51816926200.exe"C:\Users\Admin\AppData\Local\Temp\dd529fcfd5e17bb7238c9dbcd8a87f8c518ac7d018f37283e70ca51816926200.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3408,i,16599691418790971742,134777455365707676,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize
19KB
MD5e3f850d6fc09f39d74b09f5e1daee54a
SHA1cef1643c9b5f6aae36a9ed18695e079be55a91c1
SHA256e53455e48a8c070997206d9bbc1e855dd190bdb6a673d63c1acff9c12732f972
SHA512f3ab7df3483a3a421b4a60d4265d650dedba9652ed46fea7ecfd60ca6963b543e5f277d32dc67f442a648553007b463b037c898c78fa64557ee3dc284aabcb63
-
Filesize
19KB
MD54a6816bd468406faf88f44bc38d86ccd
SHA1d412b6ddce8bc59e7f37b51c86bbe457abf17c6b
SHA256d9127c58a24b54ee0a72ad53d46e8784a0d4ac5c74559ad6bb912a319ed86cf3
SHA5128af56783dc7371568f95d2f9075657b775c2a4a465bb0f5c3ed4f06ef2047a7ab94b56e41bd9c3811c2f1a116ae058f7f7d2094727715bb50b386b55a22671f0
-
Filesize
19KB
MD52bc04132bdaacf18e23c426c1da04aa5
SHA17fa0f19ee270c9f5acb6ff3570fdcb79b9fa3440
SHA2565e4791f0da8ce802b9c2ef76fae2ecf3ca7591d08a451c1edbd10297bd602203
SHA512d5dc98b02205eaa8de60f0f1273502cc44d709e78941e56cbe4e75838ca3a13289eab9182691cfbb77a7bfe6694b5b598f200d313cb586873565b0c056d90d68
-
Filesize
19KB
MD5f2c54f5e0fa58a7e6232d77d8687b530
SHA1a23b9032908c83aeaf8ae3b6f8d01b6cef660d9d
SHA2569a8f16958982f94981c5cb15134468de48cd0cde82c8059073c6585afe3c1351
SHA512a5ff659ebc81d0e923ce5340b3f42619dd1b4388d06b47af2c0278fda9c3e1f50a91e6e62f0477fd20c0e801b7ed9e0b70d4a7df112e3e81977161f171b708b1
-
Filesize
19KB
MD576009768dfbfc582cf5e13cced63dc88
SHA1ba75e105bb0b7f9f63a07806b9a1cb5c6344fec4
SHA2560e0cec50045435ce404197dcf96641158fe5ff832ca91ee2c02f6df9c8afa7e2
SHA512ebd2ac271388e24015e1cdec8222a5c656b177ead525e6d8cecd8136397fa8b175b225933502dff96d6faeace07fd171f7521486586f52b40bc3b46f0245c247
-
Filesize
1.7MB
MD594e3f236fb4ecb616fd5fb5007a8ac89
SHA18f1254dc0b49bd149e9b086e3e7394e30f675923
SHA25625ef07be3fdb0a0384ca76a15ae54fae16d66a799b34613540f49ddbddedfc33
SHA512c5283d36451e5d91a02492407d034b25ad20136b62e7d5ca68c4e0261927e86b3f0383b564aa72bbc9da1f66198e4caa12ae85dfb5eca22cb4a7f47f3600bf08
-
Filesize
1.1MB
MD5b100e031d262c46411ff3ad18fa292ca
SHA1acc290873e07a6e65b7f990e130f0c85922242c5
SHA25655e79e5b653b8b117b6332d4c44dcf528a562bb495d8f1b1cadd1efdc897204d
SHA512aeef50b534ffa182a986a1bfbe2458dec9af25eac7b6b6fbff7009f04fb2a03aee5549deda49c0639f6a5f7b93b44db15d643a1d807cbe1f39fafec8f2d5081f
-
Filesize
1.8MB
MD5e80fd60d39654510f4539081eb1a374c
SHA14607effd3ff1c1b6b0a9a8e5e242115c18f6d8d3
SHA25626b65a72e862691e066ec3cba5de8df8563b2730351a5ea56084686b0cf45e53
SHA512a0cd674a08838a83fd992d57373821c97401548365d1870a30945512709a9dc538cedf666b5d761f0b002addfa84388958e3660835c7847346e4315ea82795c5
-
Filesize
320KB
MD51979856034a3a313f7b93f5fcedafb20
SHA1acf54ed630900816388db93b2a4339cd8f0982b1
SHA25658bf0600ff9c3dd534904ef1173ce2ed822df9846a98fff5e055757e60a1b28d
SHA51276aed4535d8397d02f2ae8677665a8fe3c2876ec0d3ad8d70b2d11a49301041fce14e66fe19d8250c027182b16d5c74409179ab00b08731ffa85a394293fad00
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
56KB
-
Filesize
408KB
-
Filesize
472KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
64KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
652KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
136KB
-
Filesize
32KB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
80KB
-
Filesize
408KB
-
Filesize
104KB
-
Filesize
6.2MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
216KB
-
Filesize
7.7MB
-
Filesize
272KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
4.9MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
8.9MB
-
Filesize
9.1MB
-
Filesize
8.9MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
68KB
-
Filesize
80KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
652KB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB