Analysis
- max time kernel: 1s
- max time network: 150s
- platform: windows11-21h2_x64
- resource: win11-20240412-en
- resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 17/04/2024, 19:24
Static task: static1
Behavioral task: behavioral1
- Sample: 828fd2a4b1bf68ecee73c1aac55c3c37bd3fc08bf957fda8cd947f9290916d37.exe
- Resource: win10v2004-20240412-en
General
- Target: 828fd2a4b1bf68ecee73c1aac55c3c37bd3fc08bf957fda8cd947f9290916d37.exe
- Size: 4.2MB
- MD5: 67c89ae398477e0b1b2ca1c422025b5a
- SHA1: 1de6cc30282fefcd60dfd424b91c57df1b192f08
- SHA256: 828fd2a4b1bf68ecee73c1aac55c3c37bd3fc08bf957fda8cd947f9290916d37
- SHA512: d92d61b9291ed2e6e4cecee3f2d2e64b906c3575c9ab6109c65878216f1adcc08ca79acc87ba88665e5b18650415ed8243949b0a678114ff32fe21da2974957a
- SSDEEP: 98304:Dz8muvG4/7oo98xMphVIqHAQJ7eNfIWzS5gC960Xfu6ti9vBy29e:DzvuvT/7/zVIWAQdeNfIWzX0W6tA42s
Malware Config
Signatures
- Glupteba payload (19 IoCs)
  YARA rule family_glupteba matched 19 memory dumps of PIDs 3056, 1644 and 1256 (memory dump list omitted).
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid Process
  4156 netsh.exe
- UPX (4 IoCs)
  resource yara_rule
  behavioral2/files/0x000200000002a9be-249.dat upx
  behavioral2/memory/2620-250-0x0000000000400000-0x00000000008DF000-memory.dmp upx
  behavioral2/memory/3912-256-0x0000000000400000-0x00000000008DF000-memory.dmp upx
  behavioral2/memory/3912-264-0x0000000000400000-0x00000000008DF000-memory.dmp upx
- Launches sc.exe (1 IoC)
  Sc.exe is a Windows utility to control services on the system.
  pid Process
  2700 sc.exe
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid Process
  4772 schtasks.exe
  3604 schtasks.exe
Processes
- PID 3056: C:\Users\Admin\AppData\Local\Temp\828fd2a4b1bf68ecee73c1aac55c3c37bd3fc08bf957fda8cd947f9290916d37.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\828fd2a4b1bf68ecee73c1aac55c3c37bd3fc08bf957fda8cd947f9290916d37.exe"
  - PID 1064: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: powershell -nologo -noprofile
  - PID 1644: C:\Users\Admin\AppData\Local\Temp\828fd2a4b1bf68ecee73c1aac55c3c37bd3fc08bf957fda8cd947f9290916d37.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\828fd2a4b1bf68ecee73c1aac55c3c37bd3fc08bf957fda8cd947f9290916d37.exe"
    - PID 4460: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell -nologo -noprofile
    - PID 5016: C:\Windows\system32\cmd.exe
      command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      - PID 4156: C:\Windows\system32\netsh.exe
        command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        signature: Modifies Windows Firewall
    - PID 3552: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell -nologo -noprofile
    - PID 3584: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell -nologo -noprofile
    - PID 1256: C:\Windows\rss\csrss.exe
      command line: C:\Windows\rss\csrss.exe
      - PID 4632: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell -nologo -noprofile
      - PID 4772: C:\Windows\SYSTEM32\schtasks.exe
        command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        signature: Creates scheduled task(s)
      - PID 3704: C:\Windows\SYSTEM32\schtasks.exe
        command line: schtasks /delete /tn ScheduledUpdate /f
      - PID 2680: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell -nologo -noprofile
      - PID 5032: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell -nologo -noprofile
      - PID 3044: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      - PID 3604: C:\Windows\SYSTEM32\schtasks.exe
        command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        signature: Creates scheduled task(s)
      - PID 2620: C:\Windows\windefender.exe
        command line: "C:\Windows\windefender.exe"
        - PID 1484: C:\Windows\SysWOW64\cmd.exe
          command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
          - PID 2700: C:\Windows\SysWOW64\sc.exe
            command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            signature: Launches sc.exe
- PID 3912: C:\Windows\windefender.exe
  command line: C:\Windows\windefender.exe
Network
MITRE ATT&CK Enterprise v15
Downloads