Analysis

  • max time kernel
    8s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    17/04/2024, 19:23

General

  • Target

    d9e974768ed6a1bed58ee8c29133b4fea7f98e9818be6a6dc0a997f25a0e2048.exe

  • Size

    4.2MB

  • MD5

    a5b310be46085d15ecb18f1b8df7d028

  • SHA1

    8546ef9d9204363ad9183869d4569a2f46df91c1

  • SHA256

    d9e974768ed6a1bed58ee8c29133b4fea7f98e9818be6a6dc0a997f25a0e2048

  • SHA512

    024b18608765a167e362a694186da8e0bd33f3c5517342f6bb4ee77120c93f24376ed7ed8f48f5f3c0975b70693f40ad822d40640787c52317aa4620422915a4

  • SSDEEP

    98304:Dz8muvG4/7oo98xMphVIqHAQJ7eNfIWzS5gC960Xfu6ti9vBy29d:DzvuvT/7/zVIWAQdeNfIWzX0W6tA42X

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 19 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX.

  • Drops file in System32 directory 2 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9e974768ed6a1bed58ee8c29133b4fea7f98e9818be6a6dc0a997f25a0e2048.exe
    "C:\Users\Admin\AppData\Local\Temp\d9e974768ed6a1bed58ee8c29133b4fea7f98e9818be6a6dc0a997f25a0e2048.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1448
    • C:\Users\Admin\AppData\Local\Temp\d9e974768ed6a1bed58ee8c29133b4fea7f98e9818be6a6dc0a997f25a0e2048.exe
      "C:\Users\Admin\AppData\Local\Temp\d9e974768ed6a1bed58ee8c29133b4fea7f98e9818be6a6dc0a997f25a0e2048.exe"
      2⤵
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2516
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1500
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:2656
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4028
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        PID:4988
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        PID:3076
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          PID:4844
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:852
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
          PID:2992
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          PID:4792
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          PID:1440
        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
          4⤵
          PID:3468
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:5028
        • C:\Windows\windefender.exe
          "C:\Windows\windefender.exe"
          4⤵
          PID:1916
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            5⤵
            PID:4968
            • C:\Windows\SysWOW64\sc.exe
              sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              6⤵
              • Launches sc.exe
              PID:2804
  • C:\Windows\windefender.exe
    C:\Windows\windefender.exe
    1⤵
    PID:1464
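The tree above records three steps that blunt host-side control: a firewall allow rule for C:\Windows\rss\csrss.exe, an ONLOGON scheduled task named csrss that runs that binary with /RL HIGHEST, and a service security descriptor written to WinDefender whose deny ACE (D;;WPDT;;;BA) strips stop and pause/continue from the local Administrators group (note also that the allow ACE for BA never granted them). The injector.exe call with NtQuerySystemInformationHook.dll, judging only by the DLL name, is aimed at Task Manager's process listing. The Python below is an added example written for this report; it is not sandbox output or code from the sample. It decodes the SDDL string from the sc sdset line into ACEs, reports which rights each trustee keeps, and runs a few triage rules over the command lines copied from the tree. The rights, ACE-type and trustee tables are the standard SDDL abbreviations; TRUSTED_DIRS, SYSTEM_BINARY_NAMES and the rule names are assumptions made for the demo.

```python
import re

# Standard SDDL abbreviations (fixed tables, not taken from the report).
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
            "SU": "ServiceLogon", "WD": "Everyone", "AU": "AuthenticatedUsers"}
# Rights letters as they read on a service object: CC..CR are service-specific,
# SD/RC/WD/WO are the standard rights every securable object has.
SERVICE_RIGHTS = {"CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
                  "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
                  "RP": "SERVICE_START", "WP": "SERVICE_STOP",
                  "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
                  "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
                  "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}

# Copied from the sc sdset line in the process tree above.
SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Command lines copied from the process tree, in the order they appear there.
COMMAND_LINES = [
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'schtasks /delete /tn ScheduledUpdate /f',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
    "sc sdset WinDefender " + SDDL,
]
# Assumptions for the triage rules: where an allowed program or a HIGHEST-privilege
# logon task would normally live, and system process names that malware borrows.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_BINARY_NAMES = {"csrss", "smss", "lsass", "svchost", "winlogon", "services"}


def _pairs(s):
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def parse_sddl(sddl):
    """Split an SDDL string into its DACL ('D') and SACL ('S') ACE lists.
    Each ACE is type;flags;rights;object_guid;inherit_guid;trustee; the two
    GUID fields are empty for services and are ignored."""
    acls = {"D": [], "S": []}
    for m in re.finditer(r"([DS]):([A-Z]*)((?:\([^)]*\))*)", sddl):
        for ace in re.findall(r"\(([^)]*)\)", m.group(3)):
            ace_type, flags, rights, _obj, _inh, sid = ace.split(";")
            acls[m.group(1)].append({
                "type": ACE_TYPES.get(ace_type, ace_type),
                "flags": _pairs(flags),
                "rights": [SERVICE_RIGHTS.get(r, r) for r in _pairs(rights)],
                "trustee": TRUSTEES.get(sid, sid)})
    return acls


def has_right(dacl, trustee, right):
    """Simplified check: a deny ACE naming the trustee beats an allow; group
    membership and ACE ordering are not modelled, so this reads a descriptor
    but does not replace AccessCheck() on the host."""
    def hit(kind):
        return any(a["type"] == kind and a["trustee"] == trustee
                   and right in a["rights"] for a in dacl)
    return hit("ACCESS_ALLOWED") and not hit("ACCESS_DENIED")


def service_control_summary(sddl):
    """Per trustee: can it stop, reconfigure, delete, or rewrite the DACL of the
    service? These are the rights a responder needs before sc stop/config/delete/sdset."""
    dacl = parse_sddl(sddl)["D"]
    rights = ("SERVICE_STOP", "SERVICE_CHANGE_CONFIG", "DELETE", "WRITE_DAC")
    return {t: {r: has_right(dacl, t, r) for r in rights}
            for t in sorted({a["trustee"] for a in dacl})}


def _untrusted(path):
    return not path.lower().startswith(TRUSTED_DIRS)


def triage(cmdline):
    """Names of the behaviours a single command line exhibits (empty list if none)."""
    hits, low = [], cmdline.lower()
    m = re.search(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram="([^"]+)"', cmdline, re.I)
    if m and _untrusted(m.group(1)):
        hits.append("firewall_allow_for_untrusted_binary")
    if re.search(r"schtasks\s+/create\b", cmdline, re.I):
        tr = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
        tn = re.search(r'/tn\s+"?([^"\s]+)', cmdline, re.I)
        target = tr and (tr.group(1) or tr.group(2))
        if "/sc onlogon" in low and "/rl highest" in low and target and _untrusted(target):
            hits.append("logon_task_highest_privilege_untrusted_binary")
        if tn and tn.group(1).lower() in SYSTEM_BINARY_NAMES:
            hits.append("task_name_mimics_system_process")
    # <helper>.exe <target>.exe <payload>.dll: the shape of the injector call above
    if re.search(r"\S+\.exe\s+\S+\.exe\s+\S+\.dll\s*$", cmdline, re.I):
        hits.append("dll_injection_helper_invocation")
    m = re.search(r"\bsc(?:\.exe)?\s+sdset\s+\S+\s+(\S+)", cmdline, re.I)
    if m and not service_control_summary(m.group(1)).get("Administrators", {}).get("SERVICE_STOP", True):
        hits.append("service_dacl_denies_admin_stop")
    return hits


if __name__ == "__main__":
    for t, r in service_control_summary(SDDL).items():
        print(f"{t:15s} " + " ".join(f"{k}={'yes' if v else 'NO'}" for k, v in r.items()))
    for c in COMMAND_LINES:
        print(triage(c) or ["-"], c[:70])
```

Read against this descriptor, the summary shows Administrators keep SERVICE_CHANGE_CONFIG, DELETE and WRITE_DAC while SERVICE_STOP is denied, so on a live host the service can still be disabled, deleted or given a sane descriptor with sc config, sc delete or sc sdset even though sc stop fails; has_right() does not expand group membership or honour ACE order, so confirm that on the system rather than trusting it beyond reading the descriptor.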

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jdouomfd.0qz.ps1

    Filesize
    60B

    MD5
    d17fe0a3f47be24a6453e9ef58c94641

    SHA1
    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256
    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512
    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

    Filesize
    281KB

    MD5
    d98e33b66343e7c96158444127a117f6

    SHA1
    bb716c5509a2bf345c6c1152f6e3e1452d39d50d

    SHA256
    5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

    SHA512
    705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

    Filesize
    2KB

    MD5
    ac4917a885cf6050b1a483e4bc4d2ea5

    SHA1
    b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

    SHA256
    e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

    SHA512
    092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

    Filesize
    19KB

    MD5
    992ca2a641c1b7f6464ee0f21f29dd22

    SHA1
    c2d19f75ac03e72902e9204e42aa2e62794d0c1e

    SHA256
    40ec4413d877a6a334af91940166ef827dcd8a9a09b8f2374eaf8547c05c95c2

    SHA512
    14a2c3d45bf9485989b0fba0b6a85bab3b08f5ac16d58133fe91250f0ec044579f563a84f9586924d56a5d0a38a9cb3eb5c2349bd77813e5b0543ef5a0da07e8

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

    Filesize
    19KB

    MD5
    abab6ee2ae69634eaa641f26380b8601

    SHA1
    6e99e5975ef585d83ca51ae881fc50eb0fc82f09

    SHA256
    148594c9d84732a7f62f5406612bae1bb1ad917aef278aa83c4e73c26a660e1a

    SHA512
    e5c43680c46de90b5ab1516867bf1559730a86b9496c426ae062c67c213ea0da0c7b4a27c174203de2a22266aecfd135a919d62eb3b100d11e40925accc61d66

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

    Filesize
    19KB

    MD5
    37a5c5c3033b690ac9dab3485eed4991

    SHA1
    5cde3de819df729e0a1ee58e1028b2111aab84d1

    SHA256
    5772da181623e25f49dd9ae72f638c354b843de05e8f0c03aec867759cd8dea4

    SHA512
    e3dd49ce7d24751784f1db3c48489611610e09eb096d30d96d4750e164878e0c21af3dcf6841763f463a4608e394405022f333f8c835aa059e7669ef50ddb217

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

    Filesize
    19KB

    MD5
    62ce9b1669ff5d0eb1489de4cf2dfe03

    SHA1
    3e96c85343c6a06f7f2bf698192814531af1f548

    SHA256
    f93b7806b58a59a97318bb84ef6bb0f90c5febbf62c04355e6aeda34795a92f0

    SHA512
    ace475bef9db02925f131d0f00558df0e4836d2369ce9e6f6202466277b1e0834de76fd81288c45fa6a198131af5a3c00adb7c623a758c89d6091d8d9e4ffd94

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

    Filesize
    19KB

    MD5
    1ec6e9120f7125f8f93445be3c504c31

    SHA1
    378eea5826829087f299eed4951885bb28375585

    SHA256
    4bbe3fce0364777cec0173f580c002f48e6776059e30c0d9f4f8c45912b4511c

    SHA512
    b50583916da7ab36a02e3d474f29f04129fb5d8c1ab48e394e581486ac2d6e8d415a59c407fd200696692ba07b0aac58d74de0b44cb2de6ef3be43bfbb052d18

  • C:\Windows\rss\csrss.exe

    Filesize
    4.2MB

    MD5
    a5b310be46085d15ecb18f1b8df7d028

    SHA1
    8546ef9d9204363ad9183869d4569a2f46df91c1

    SHA256
    d9e974768ed6a1bed58ee8c29133b4fea7f98e9818be6a6dc0a997f25a0e2048

    SHA512
    024b18608765a167e362a694186da8e0bd33f3c5517342f6bb4ee77120c93f24376ed7ed8f48f5f3c0975b70693f40ad822d40640787c52317aa4620422915a4

  • C:\Windows\windefender.exe

    Filesize
    2.0MB

    MD5
    8e67f58837092385dcf01e8a2b4f5783

    SHA1
    012c49cfd8c5d06795a6f67ea2baf2a082cf8625

    SHA256
    166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

    SHA512
    40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

  • memory/1448-43-0x00000000071D0000-0x00000000071E1000-memory.dmp (68KB)
  • memory/1448-44-0x0000000007220000-0x000000000722E000-memory.dmp (56KB)
  • memory/1448-23-0x0000000006120000-0x0000000006166000-memory.dmp (280KB)
  • memory/1448-26-0x00000000703C0000-0x000000007040C000-memory.dmp (304KB)
  • memory/1448-38-0x00000000049F0000-0x0000000004A00000-memory.dmp (64KB)
  • memory/1448-37-0x0000000007040000-0x00000000070E4000-memory.dmp (656KB)
  • memory/1448-36-0x0000000007020000-0x000000000703E000-memory.dmp (120KB)
  • memory/1448-40-0x0000000007170000-0x000000000718A000-memory.dmp (104KB)
  • memory/1448-41-0x00000000071B0000-0x00000000071BA000-memory.dmp (40KB)
  • memory/1448-42-0x00000000072C0000-0x0000000007356000-memory.dmp (600KB)
  • memory/1448-21-0x0000000005BB0000-0x0000000005BCE000-memory.dmp (120KB)
  • memory/1448-39-0x00000000077B0000-0x0000000007E2A000-memory.dmp (6.5MB)
  • memory/1448-27-0x0000000070540000-0x0000000070897000-memory.dmp (3.3MB)
  • memory/1448-25-0x000000007FB70000-0x000000007FB80000-memory.dmp (64KB)
  • memory/1448-24-0x0000000006FE0000-0x0000000007014000-memory.dmp (208KB)
  • memory/1448-22-0x0000000005C00000-0x0000000005C4C000-memory.dmp (304KB)
  • memory/1448-45-0x0000000007230000-0x0000000007245000-memory.dmp (84KB)
  • memory/1448-46-0x0000000007280000-0x000000000729A000-memory.dmp (104KB)
  • memory/1448-47-0x00000000072A0000-0x00000000072A8000-memory.dmp (32KB)
  • memory/1448-50-0x0000000074150000-0x0000000074901000-memory.dmp (7.7MB)
  • memory/1448-4-0x0000000002700000-0x0000000002736000-memory.dmp (216KB)
  • memory/1448-6-0x00000000049F0000-0x0000000004A00000-memory.dmp (64KB)
  • memory/1448-7-0x00000000049F0000-0x0000000004A00000-memory.dmp (64KB)
  • memory/1448-20-0x00000000057A0000-0x0000000005AF7000-memory.dmp (3.3MB)
  • memory/1448-11-0x0000000004F70000-0x0000000004FD6000-memory.dmp (408KB)
  • memory/1448-10-0x0000000004E90000-0x0000000004EF6000-memory.dmp (408KB)
  • memory/1448-9-0x0000000004DF0000-0x0000000004E12000-memory.dmp (136KB)
  • memory/1448-8-0x0000000005030000-0x000000000565A000-memory.dmp (6.2MB)
  • memory/1448-5-0x0000000074150000-0x0000000074901000-memory.dmp (7.7MB)
  • memory/1464-254-0x0000000000400000-0x00000000008DF000-memory.dmp (4.9MB)
  • memory/1464-262-0x0000000000400000-0x00000000008DF000-memory.dmp (4.9MB)
  • memory/1916-249-0x0000000000400000-0x00000000008DF000-memory.dmp (4.9MB)
  • memory/2516-68-0x000000007F3C0000-0x000000007F3D0000-memory.dmp (64KB)
  • memory/2516-69-0x00000000703C0000-0x000000007040C000-memory.dmp (304KB)
  • memory/2516-79-0x0000000007070000-0x0000000007114000-memory.dmp (656KB)
  • memory/2516-64-0x0000000004A30000-0x0000000004A40000-memory.dmp (64KB)
  • memory/2516-82-0x0000000004A30000-0x0000000004A40000-memory.dmp (64KB)
  • memory/2516-81-0x0000000004A30000-0x0000000004A40000-memory.dmp (64KB)
  • memory/2516-83-0x00000000073B0000-0x00000000073C1000-memory.dmp (68KB)
  • memory/2516-84-0x0000000007400000-0x0000000007415000-memory.dmp (84KB)
  • memory/2516-87-0x0000000074150000-0x0000000074901000-memory.dmp (7.7MB)
  • memory/2516-70-0x0000000070D90000-0x00000000710E7000-memory.dmp (3.3MB)
  • memory/2516-65-0x0000000004A30000-0x0000000004A40000-memory.dmp (64KB)
  • memory/2516-62-0x0000000005710000-0x0000000005A67000-memory.dmp (3.3MB)
  • memory/2516-67-0x0000000074150000-0x0000000074901000-memory.dmp (7.7MB)
  • memory/2820-53-0x0000000004F60000-0x0000000005367000-memory.dmp (4.0MB)
  • memory/2820-2-0x0000000005370000-0x0000000005C5B000-memory.dmp (8.9MB)
  • memory/2820-1-0x0000000004F60000-0x0000000005367000-memory.dmp (4.0MB)
  • memory/2820-3-0x0000000000400000-0x000000000310E000-memory.dmp (45.1MB)
  • memory/2820-80-0x0000000000400000-0x000000000310E000-memory.dmp (45.1MB)
  • memory/2820-66-0x0000000005370000-0x0000000005C5B000-memory.dmp (8.9MB)
  • memory/2928-52-0x0000000004E30000-0x0000000005230000-memory.dmp (4.0MB)
  • memory/2928-63-0x0000000000400000-0x000000000310E000-memory.dmp (45.1MB)
  • memory/2928-206-0x0000000000400000-0x000000000310E000-memory.dmp (45.1MB)
  • memory/2928-117-0x0000000004E30000-0x0000000005230000-memory.dmp (4.0MB)
  • memory/3076-276-0x0000000000400000-0x000000000310E000-memory.dmp (45.1MB)
  • memory/3076-260-0x0000000000400000-0x000000000310E000-memory.dmp (45.1MB)
  • memory/3076-256-0x0000000000400000-0x000000000310E000-memory.dmp (45.1MB)
  • memory/3076-264-0x0000000000400000-0x000000000310E000-memory.dmp (45.1MB)
  • memory/3076-268-0x0000000000400000-0x000000000310E000-memory.dmp (45.1MB)
  • memory/3076-272-0x0000000000400000-0x000000000310E000-memory.dmp (45.1MB)
  • memory/3076-280-0x0000000000400000-0x000000000310E000-memory.dmp (45.1MB)
  • memory/3076-284-0x0000000000400000-0x000000000310E000-memory.dmp (45.1MB)
  • memory/3076-288-0x0000000000400000-0x000000000310E000-memory.dmp (45.1MB)
  • memory/3076-241-0x0000000000400000-0x000000000310E000-memory.dmp (45.1MB)
  • memory/3076-292-0x0000000000400000-0x000000000310E000-memory.dmp (45.1MB)
  • memory/3076-296-0x0000000000400000-0x000000000310E000-memory.dmp (45.1MB)
  • memory/3076-252-0x0000000000400000-0x000000000310E000-memory.dmp (45.1MB)
  • memory/4028-89-0x0000000074150000-0x0000000074901000-memory.dmp (7.7MB)
  • memory/4028-115-0x0000000074150000-0x0000000074901000-memory.dmp (7.7MB)
  • memory/4028-101-0x000000007FC70000-0x000000007FC80000-memory.dmp (64KB)
  • memory/4028-102-0x00000000703C0000-0x000000007040C000-memory.dmp (304KB)
  • memory/4028-112-0x0000000004690000-0x00000000046A0000-memory.dmp (64KB)
  • memory/4028-113-0x0000000004690000-0x00000000046A0000-memory.dmp (64KB)
  • memory/4028-103-0x0000000070540000-0x0000000070897000-memory.dmp (3.3MB)
  • memory/4028-90-0x0000000004690000-0x00000000046A0000-memory.dmp (64KB)
  • memory/4028-91-0x0000000004690000-0x00000000046A0000-memory.dmp (64KB)
  • memory/4988-128-0x00000000703C0000-0x000000007040C000-memory.dmp (304KB)
  • memory/4988-129-0x0000000070540000-0x0000000070897000-memory.dmp (3.3MB)
  • memory/4988-118-0x0000000004C70000-0x0000000004C80000-memory.dmp (64KB)
  • memory/4988-116-0x0000000074150000-0x0000000074901000-memory.dmp (7.7MB)