Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
163s -
max time network
175s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
09/04/2024, 16:29
General
-
Target
a3d6c15439eec7c90f015deab3e2fc930df70ab90630ad5a6c1a6bbebd3bc8b7.exe
-
Size
4.2MB
-
MD5
0199dfb09c2c2eb3af4f9e8efb6dadca
-
SHA1
e8cad6ebd8d4817bdb5c3bd6119ee92273482a71
-
SHA256
a3d6c15439eec7c90f015deab3e2fc930df70ab90630ad5a6c1a6bbebd3bc8b7
-
SHA512
2b9e7d1288709f71409317b49011f0f864d4d5b70768d631153bfe38192589f8b182a57ffdcd24c8858ef7f11c0a50f7b682fcf6b13e6691284bd8104718d659
-
SSDEEP
98304:Cq77jqY634qYqqku+lyD9j83bmq6chkYsndCeM49l0PC8vwYt3LS/Hh+:Cg7jqGqHumyZj83bqlTnjD0P2G3Ig
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 15 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 4 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 2 IoCs
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a3d6c15439eec7c90f015deab3e2fc930df70ab90630ad5a6c1a6bbebd3bc8b7.exe"C:\Users\Admin\AppData\Local\Temp\a3d6c15439eec7c90f015deab3e2fc930df70ab90630ad5a6c1a6bbebd3bc8b7.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\a3d6c15439eec7c90f015deab3e2fc930df70ab90630ad5a6c1a6bbebd3bc8b7.exe"C:\Users\Admin\AppData\Local\Temp\a3d6c15439eec7c90f015deab3e2fc930df70ab90630ad5a6c1a6bbebd3bc8b7.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 4762⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2728 -ip 27281⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
19KB
MD51d34c6957b3b69607ce2b38f6a697936
SHA1f8e736c8d9f8037aaaf62fccfe38b8a2d85e4b1d
SHA2569fb66d19a1822d13cb117ddd1882ce20caf329a965d255150f59cb54bcf7b99a
SHA5125984d0360ccf7993c28b9cbde845835a2fb20e1649e520385c49a51c54d187746e82e67f899878c0e17c0f60622f8f7fa54a7350a3e72aa84828ff994a24f19f
-
Filesize
19KB
MD59745bdc99e985d873054d5948125db02
SHA1759422ae317e2a2a227db81104f62e4328bdf49e
SHA2562fecf809c5f208d2bd4625cab905df24d27b35fb442c72fbfc678a8401834ba8
SHA512878ab78472de89c8d7ebd3c1b5ae50d2bd3d5bc1b3afc4043b62de7b92b42b482472a4bb19267233bcb92354b9120586f605b58a9017fa363e8020f5df6795be
-
Filesize
19KB
MD57fa85b85f60b565b69e1d929e5d1a1e6
SHA1954fd6346e8e4f1aef4b4d8da25b1b99d14b8c9c
SHA256ba3520b3714fe152873f63a5aad570ef3db9550f9fb9d7fc314756cfc5c4b0e7
SHA512453aaef1ea116409d3a9f5c2adb29a317556c44ef0608cb5e41bd21174e1f28bfda720887f902aace76163e5ff7dfcf65436cda64d492673a83d6b8a72a7033d
-
Filesize
19KB
MD59c34870853ef91e5929633350f4ae154
SHA1799661e0d3d69df69d26a3fed72a679f5ae3fd5a
SHA256dcdd1852d796a4caede1d009c81d371491cfd6899db21ecdeaae186b62d09816
SHA5123cf5212ca45433701973c2b077dd3413af67b23ce5e6e9d027ea1a705ca13b4b8d89453caea03fb16cb750acfafa1359e599b08a39526ff20f9758595e9d0a72
-
Filesize
4.2MB
MD50199dfb09c2c2eb3af4f9e8efb6dadca
SHA1e8cad6ebd8d4817bdb5c3bd6119ee92273482a71
SHA256a3d6c15439eec7c90f015deab3e2fc930df70ab90630ad5a6c1a6bbebd3bc8b7
SHA5122b9e7d1288709f71409317b49011f0f864d4d5b70768d631153bfe38192589f8b182a57ffdcd24c8858ef7f11c0a50f7b682fcf6b13e6691284bd8104718d659
-
Filesize
304KB
-
Filesize
68KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
652KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
80KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
472KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
652KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
216KB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
64KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
272KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
45.0MB
-
Filesize
45.0MB
-
Filesize
45.0MB
-
Filesize
45.0MB
-
Filesize
45.0MB
-
Filesize
45.0MB
-
Filesize
4.0MB
-
Filesize
8.9MB
-
Filesize
45.0MB
-
Filesize
45.0MB
-
Filesize
4.0MB
-
Filesize
45.0MB
-
Filesize
4.0MB
-
Filesize
45.0MB
-
Filesize
45.0MB
-
Filesize
45.0MB
-
Filesize
8.9MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
45.0MB