Analysis
max time kernel: 2s
max time network: 159s
platform: windows11-21h2_x64
resource: win11-20240412-en
resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 17/04/2024, 19:24
Static task: static1
Behavioral task: behavioral1
Sample: dc22642ebb0b7d27a5406ae047c3543a7295abce61d7aa6c61dfdef153d5e729.exe
Resource: win10v2004-20240412-en
General
Target: dc22642ebb0b7d27a5406ae047c3543a7295abce61d7aa6c61dfdef153d5e729.exe
Size: 4.2MB
MD5: aa64cf54033640aa3d03c340ef057bdf
SHA1: 928c0735ff21c34d256819c79f78f3fc77111136
SHA256: dc22642ebb0b7d27a5406ae047c3543a7295abce61d7aa6c61dfdef153d5e729
SHA512: a0ffd772763c3ff06f50e279e1b824e44873978d0308349ba5d2702841e163a5e18fa6cfb675e36e0a6c4c24e0435bc4c4cb8be38cd4e28533d8a0847099481a
SSDEEP: 98304:jz8muvG4/7oo98xMphVIqHAQJ7eNfIWzS5gC960Xfu6ti9vBy29q:jzvuvT/7/zVIWAQdeNfIWzX0W6tA42M
Malware Config
Signatures
Glupteba payload (18 IoCs)
resource  yara_rule
behavioral2/memory/3080-2-0x00000000052A0000-0x0000000005B8B000-memory.dmp  family_glupteba
behavioral2/memory/3080-3-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/3080-51-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/4108-54-0x0000000004E10000-0x0000000005212000-memory.dmp  family_glupteba
behavioral2/memory/3080-53-0x00000000052A0000-0x0000000005B8B000-memory.dmp  family_glupteba
behavioral2/memory/4108-64-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/4108-123-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/4108-181-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/4784-213-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/4784-220-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/4784-228-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/4784-232-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/4784-236-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/4784-240-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/4784-244-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/4784-248-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/4784-252-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/4784-256-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba

Modifies Windows Firewall (2 TTPs, 1 IoCs)
pid  Process
4884  netsh.exe

UPX packed file (5 IoCs)
resource  yara_rule
behavioral2/files/0x000200000002aa15-219.dat  upx
behavioral2/memory/3252-225-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
behavioral2/memory/2832-229-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
behavioral2/memory/2832-237-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
behavioral2/memory/2832-249-0x0000000000400000-0x00000000008DF000-memory.dmp  upx

Launches sc.exe (1 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid  Process
2092  sc.exe

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
4828  schtasks.exe
1216  schtasks.exe
Processes
- PID 3080  C:\Users\Admin\AppData\Local\Temp\dc22642ebb0b7d27a5406ae047c3543a7295abce61d7aa6c61dfdef153d5e729.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\dc22642ebb0b7d27a5406ae047c3543a7295abce61d7aa6c61dfdef153d5e729.exe"
  - PID 644  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmdline: powershell -nologo -noprofile
  - PID 4108  C:\Users\Admin\AppData\Local\Temp\dc22642ebb0b7d27a5406ae047c3543a7295abce61d7aa6c61dfdef153d5e729.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\dc22642ebb0b7d27a5406ae047c3543a7295abce61d7aa6c61dfdef153d5e729.exe"
    - PID 2840  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell -nologo -noprofile
    - PID 3252  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      - PID 4884  C:\Windows\system32\netsh.exe  (Modifies Windows Firewall)
        cmdline: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
    - PID 3016  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell -nologo -noprofile
    - PID 1856  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell -nologo -noprofile
    - PID 4784  C:\Windows\rss\csrss.exe
      cmdline: C:\Windows\rss\csrss.exe
      - PID 4448  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -nologo -noprofile
      - PID 4828  C:\Windows\SYSTEM32\schtasks.exe  (Creates scheduled task(s))
        cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      - PID 3364  C:\Windows\SYSTEM32\schtasks.exe
        cmdline: schtasks /delete /tn ScheduledUpdate /f
      - PID 4676  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -nologo -noprofile
      - PID 2296  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -nologo -noprofile
      - PID 4068  C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      - PID 1216  C:\Windows\SYSTEM32\schtasks.exe  (Creates scheduled task(s))
        cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      - PID 3252  C:\Windows\windefender.exe
        cmdline: "C:\Windows\windefender.exe"
        - PID 2760  C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
          - PID 2092  C:\Windows\SysWOW64\sc.exe  (Launches sc.exe)
            cmdline: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
- PID 2832  C:\Windows\windefender.exe
  cmdline: C:\Windows\windefender.exe
Network
MITRE ATT&CK Enterprise v15
Downloads