Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
-
submitted
29/03/2024, 16:35
General
-
Target
e296d656c7c95d81341cfb8c55171cd20347a6eac2811fc281bcaea1b8309dd5.exe
-
Size
4.1MB
-
MD5
4517cadc3f88aef607d3418b31932e2e
-
SHA1
a4b8c3507eecea8b282d9f3d37c278c19d9b6e9e
-
SHA256
e296d656c7c95d81341cfb8c55171cd20347a6eac2811fc281bcaea1b8309dd5
-
SHA512
5c127c365812f9e9e0ad822dd4b36b82a5d33babdc7c63bf963130412de3a3623fda27e635620cb66eb826b2f71c99ca138b375ebb8510119446d9bbd3cf94b3
-
SSDEEP
98304:xcVSpTFm+RXM0iH/U+zPR1spIvd9YBG0+h/JRTkf:mVSp5miMNMcPLsa9YBj+fRgf
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 20 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e296d656c7c95d81341cfb8c55171cd20347a6eac2811fc281bcaea1b8309dd5.exe"C:\Users\Admin\AppData\Local\Temp\e296d656c7c95d81341cfb8c55171cd20347a6eac2811fc281bcaea1b8309dd5.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\e296d656c7c95d81341cfb8c55171cd20347a6eac2811fc281bcaea1b8309dd5.exe"C:\Users\Admin\AppData\Local\Temp\e296d656c7c95d81341cfb8c55171cd20347a6eac2811fc281bcaea1b8309dd5.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
2KB
MD5d0c46cad6c0778401e21910bd6b56b70
SHA17be418951ea96326aca445b8dfe449b2bfa0dca6
SHA2569600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949
-
Filesize
19KB
MD53cbef8bab0c615d37f31d97db7e45a26
SHA1ca0fa2ae486a9a5c21b5f3977a112d570ea56d21
SHA25654a338cd2e9bf6cecd086591e326668fa9c2543653f4142d0261cff13c1abe5d
SHA512c4cb2e6f8b7bce1e6f43145cc1c523ff554274bdad6d3ba668d71c732a828cb2e6efaa21af6219a6787e234022f8f36f3fe126932dc1358c97a0ab353d2c5d83
-
Filesize
19KB
MD55b87034dd32724136f4fced5070ecb3f
SHA19326baa612a029c48865f2567298185060c204af
SHA2569e2756d703eb9576a28f579b8405a1e306167ad87f0532e4498f58d3e2f2abb6
SHA51229881e172b91ba29638d6060c59513a5eef341e34775f664dcdc0883bae3f3d8830569953ec38c8b24049d1e6e14651a12efa850cdaede6d9e44a21aafa81f48
-
Filesize
19KB
MD5993170cccf94906a08fcd2a95f09f511
SHA1939ae73966e4bc391858aa21a43fb0a1b24062cb
SHA2562554c1010fdd742b92f26b76ef648d22f9b404c8bf9fc6daac08fc02cf583349
SHA5120b231ffa464ecd906695e3c484412f830ce8384283160042b48818d93791a8cea22cdcfc988133256de070904780596e984f56d625dc74da03498ec5a0151a5c
-
Filesize
19KB
MD53bf3c2ca84b93c1725cc5221694bde8c
SHA176eff617c343a541b3fab1cbdf160463ec084c78
SHA2562dd6ed83896191b5db4f5f02bf9e27e0550f4262203600ce0875a15e95acc470
SHA5120620d26a759bfd84102e0f5ca48a2a9ad24a85fba38e657bd607afc74e6a7de8ba0e560c98b920dd42da73efeeae1ea2be87c29d00030c27ea62e9d16c69bdcc
-
Filesize
19KB
MD55a9e7b7a0df32ff839a622ade8b53725
SHA123bc91a0afb81969b7eabcf0697fcfc92b17d72f
SHA2565ceea6be7a26ec85ee6920469947a724151b1a3f381ec8593acdad7e9e02fdbc
SHA512b5da7b9f529708f700ee0713a836bf2aa51405daa976436e758aa86d973fb0178c93af919ddbce2af857e7238408a38b1ca64847f9a5893e9796ac98260f937f
-
Filesize
4.1MB
MD54517cadc3f88aef607d3418b31932e2e
SHA1a4b8c3507eecea8b282d9f3d37c278c19d9b6e9e
SHA256e296d656c7c95d81341cfb8c55171cd20347a6eac2811fc281bcaea1b8309dd5
SHA5125c127c365812f9e9e0ad822dd4b36b82a5d33babdc7c63bf963130412de3a3623fda27e635620cb66eb826b2f71c99ca138b375ebb8510119446d9bbd3cf94b3
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
8.9MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
8.9MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
84KB
-
Filesize
656KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
68KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4.9MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
656KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
84KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
104KB
-
Filesize
208KB
-
Filesize
6.5MB
-
Filesize
64KB
-
Filesize
280KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
32KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
216KB