Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    169s
  • max time network
    154s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags

    arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    17/04/2024, 12:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e19dadd70302e157d63758658c0f81b7fb8f008fc3448e4d7b0e776603deb6ac.exe

  • Size

    4.2MB

  • MD5

    e0b8864b94b6dcf187e0073395dada6e

  • SHA1

    4a665e2fb1cac5526f90612c4042f64203e292a7

  • SHA256

    e19dadd70302e157d63758658c0f81b7fb8f008fc3448e4d7b0e776603deb6ac

  • SHA512

    9a2c4b26303703de44f389f4499b1dff2f13c6a05f41680b6a6bb5e6a882b6fb1c2506a65a4c093e745d2df837f0374fbf5185571c018dc8375f9b4b5c6be114

  • SSDEEP

    98304:CsszAFEnGNz30SIhwhwKnA0He/l5l69nvxQe8P:UAFEnAzkSSwh1nhb9nv9O

Score
10/10
gluptebadropperevasionloader

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 16 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Drops file in System32 directory 3 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e19dadd70302e157d63758658c0f81b7fb8f008fc3448e4d7b0e776603deb6ac.exe
    "C:\Users\Admin\AppData\Local\Temp\e19dadd70302e157d63758658c0f81b7fb8f008fc3448e4d7b0e776603deb6ac.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4656
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4520
    • C:\Users\Admin\AppData\Local\Temp\e19dadd70302e157d63758658c0f81b7fb8f008fc3448e4d7b0e776603deb6ac.exe
      "C:\Users\Admin\AppData\Local\Temp\e19dadd70302e157d63758658c0f81b7fb8f008fc3448e4d7b0e776603deb6ac.exe"
      2⤵
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:388
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5024
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1108
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:2400

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ca1n4zlg.h0z.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/388-115-0x0000000000400000-0x000000000310D000-memory.dmp

    Filesize

    45.1MB

    Download

  • memory/388-105-0x0000000004E30000-0x0000000005230000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/388-103-0x0000000000400000-0x000000000310D000-memory.dmp

    Filesize

    45.1MB

    Download

  • memory/388-88-0x0000000000400000-0x000000000310D000-memory.dmp

    Filesize

    45.1MB

    Download

  • memory/388-74-0x0000000000400000-0x000000000310D000-memory.dmp

    Filesize

    45.1MB

    Download

  • memory/388-73-0x0000000005230000-0x0000000005B1B000-memory.dmp

    Filesize

    8.9MB

    Download

  • memory/388-72-0x0000000004E30000-0x0000000005230000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4520-53-0x0000000073FD0000-0x0000000074781000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4520-33-0x0000000007AC0000-0x0000000007AF4000-memory.dmp

    Filesize

    208KB

    Download

  • memory/4520-16-0x0000000005FF0000-0x0000000006012000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4520-19-0x0000000006090000-0x00000000060F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4520-11-0x0000000005210000-0x0000000005246000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4520-23-0x0000000006170000-0x00000000061D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4520-27-0x00000000062F0000-0x0000000006647000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4520-28-0x00000000062A0000-0x00000000062BE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4520-29-0x0000000006700000-0x000000000674C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4520-30-0x0000000006C40000-0x0000000006C86000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4520-31-0x0000000005200000-0x0000000005210000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4520-13-0x0000000005200000-0x0000000005210000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4520-15-0x0000000005880000-0x0000000005EAA000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4520-14-0x0000000005200000-0x0000000005210000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4520-59-0x0000000005200000-0x0000000005210000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4520-69-0x0000000073FD0000-0x0000000074781000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4520-65-0x0000000007EE0000-0x0000000007EE8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4520-61-0x000000007EEC0000-0x000000007EED0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4520-34-0x000000007EEC0000-0x000000007EED0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4520-35-0x0000000070240000-0x000000007028C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4520-36-0x00000000703C0000-0x0000000070717000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4520-45-0x0000000007AA0000-0x0000000007ABE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4520-46-0x0000000007B00000-0x0000000007BA4000-memory.dmp

    Filesize

    656KB

    Download

  • memory/4520-47-0x00000000082A0000-0x000000000891A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4520-48-0x0000000007C40000-0x0000000007C5A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4520-49-0x0000000007C80000-0x0000000007C8A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4520-50-0x0000000007D30000-0x0000000007DC6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4520-51-0x0000000007BC0000-0x0000000007BD1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4520-12-0x0000000073FD0000-0x0000000074781000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4520-55-0x0000000005200000-0x0000000005210000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4520-56-0x0000000007C70000-0x0000000007C7E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4520-60-0x0000000007C90000-0x0000000007CA5000-memory.dmp

    Filesize

    84KB

    Download

  • memory/4520-62-0x0000000007EF0000-0x0000000007F0A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4520-57-0x0000000005200000-0x0000000005210000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4656-5-0x0000000000400000-0x000000000310D000-memory.dmp

    Filesize

    45.1MB

    Download

  • memory/4656-6-0x0000000004F50000-0x0000000005357000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4656-32-0x0000000000400000-0x000000000310D000-memory.dmp

    Filesize

    45.1MB

    Download

  • memory/4656-67-0x0000000000400000-0x000000000310D000-memory.dmp

    Filesize

    45.1MB

    Download

  • memory/4656-10-0x0000000000400000-0x000000000310D000-memory.dmp

    Filesize

    45.1MB

    Download

  • memory/4656-3-0x0000000000400000-0x000000000310D000-memory.dmp

    Filesize

    45.1MB

    Download

  • memory/4656-9-0x0000000000400000-0x000000000310D000-memory.dmp

    Filesize

    45.1MB

    Download

  • memory/4656-2-0x0000000005360000-0x0000000005C4B000-memory.dmp

    Filesize

    8.9MB

    Download

  • memory/4656-1-0x0000000004F50000-0x0000000005357000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4656-4-0x0000000000400000-0x000000000310D000-memory.dmp

    Filesize

    45.1MB

    Download

  • memory/4656-70-0x0000000000400000-0x000000000310D000-memory.dmp

    Filesize

    45.1MB

    Download

  • memory/4656-7-0x0000000000400000-0x000000000310D000-memory.dmp

    Filesize

    45.1MB

    Download

  • memory/4656-8-0x0000000005360000-0x0000000005C4B000-memory.dmp

    Filesize

    8.9MB

    Download

  • memory/5024-87-0x0000000006060000-0x00000000060AC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/5024-86-0x0000000005650000-0x00000000059A7000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/5024-89-0x00000000047C0000-0x00000000047D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5024-91-0x0000000070350000-0x000000007039C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/5024-90-0x000000007F690000-0x000000007F6A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5024-92-0x00000000704D0000-0x0000000070827000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/5024-101-0x0000000006CF0000-0x0000000006D94000-memory.dmp

    Filesize

    656KB

    Download

  • memory/5024-102-0x0000000007020000-0x0000000007031000-memory.dmp

    Filesize

    68KB

    Download

  • memory/5024-77-0x00000000047C0000-0x00000000047D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5024-76-0x00000000047C0000-0x00000000047D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5024-106-0x0000000007070000-0x0000000007085000-memory.dmp

    Filesize

    84KB

    Download

  • memory/5024-108-0x0000000074070000-0x0000000074821000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5024-109-0x00000000047C0000-0x00000000047D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5024-110-0x00000000047C0000-0x00000000047D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5024-111-0x00000000047C0000-0x00000000047D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5024-114-0x0000000074070000-0x0000000074821000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5024-75-0x0000000074070000-0x0000000074821000-memory.dmp

    Filesize

    7.7MB

    Download