Analysis

  • max time kernel
    22s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    17/04/2024, 19:08

General

  • Target

    10570aba07efb7b81ea85a6cc53a53b8e82670483f40531627793b27da8eab51.exe

  • Size

    4.2MB

  • MD5

    27e27a57745e7beb5021313a3dba3612

  • SHA1

    e40894dcbd73d7c34ac1454627564c9c3ebec58c

  • SHA256

    10570aba07efb7b81ea85a6cc53a53b8e82670483f40531627793b27da8eab51

  • SHA512

    7fce3b45c85ad51fe1e1d509147734c020920ec4956f3f82875bb638fda8333f2d4b739534262649e2cd76261b1b953b8dadd1b75bfa6640a2c1f12038a93bee

  • SSDEEP

    98304:W+HT2dFOlkJa7jNZC2ePu9ILkthheCYlOaY:PzMKBrC2kuA8hntr

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 14 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

Processes

  • C:\Users\Admin\AppData\Local\Temp\10570aba07efb7b81ea85a6cc53a53b8e82670483f40531627793b27da8eab51.exe
    "C:\Users\Admin\AppData\Local\Temp\10570aba07efb7b81ea85a6cc53a53b8e82670483f40531627793b27da8eab51.exe"
    1⤵
    PID:4496
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      PID:804
    • C:\Users\Admin\AppData\Local\Temp\10570aba07efb7b81ea85a6cc53a53b8e82670483f40531627793b27da8eab51.exe
      "C:\Users\Admin\AppData\Local\Temp\10570aba07efb7b81ea85a6cc53a53b8e82670483f40531627793b27da8eab51.exe"
      2⤵
      PID:4636
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        PID:448
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        PID:3240
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:1808
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        PID:4732
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        PID:2904
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        PID:884
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          PID:2788
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:4400
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
          PID:4620
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          PID:3264
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          PID:3856
        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
          4⤵
          PID:3448
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:4156
        • C:\Windows\windefender.exe
          "C:\Windows\windefender.exe"
          4⤵
          PID:4080
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            5⤵
            PID:1688
            • C:\Windows\SysWOW64\sc.exe
              sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              6⤵
              • Launches sc.exe
              PID:976
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3940 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:4080
  • C:\Windows\windefender.exe
    C:\Windows\windefender.exe
    1⤵
    PID:1176

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qkw5fhgj.ntv.ps1
    Filesize
    60B
    MD5
    d17fe0a3f47be24a6453e9ef58c94641
    SHA1
    6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256
    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512
    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
    Filesize
    281KB
    MD5
    d98e33b66343e7c96158444127a117f6
    SHA1
    bb716c5509a2bf345c6c1152f6e3e1452d39d50d
    SHA256
    5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
    SHA512
    705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize
    2KB
    MD5
    968cb9309758126772781b83adb8a28f
    SHA1
    8da30e71accf186b2ba11da1797cf67f8f78b47c
    SHA256
    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
    SHA512
    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize
    19KB
    MD5
    f569f34e39bfb8b7dce165b28b3c86ab
    SHA1
    27347deedcb5a5cdb7cbe14be7b4b610bb74e9d9
    SHA256
    8b372501c9d968c773334ba8b775c7236f530e0ee3c60ddb932694c1205fd900
    SHA512
    718387d9c0db2ad0958a09b5cac9d833d9c5ec196eba827f663a3d643d768e67405a8af42e4e7d78556d33cd615d4132ea3ccca557b8d32a30cac712364e229c
  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize
    19KB
    MD5
    9d9b65b0865631dca3ea8c3994c1830c
    SHA1
    75704cd05075ffc08da84df7430628ea063dfbfc
    SHA256
    c4247c1fc327ca144acd69a1fbeca244d6663483c2ad53add8b44b548cc4fdbf
    SHA512
    4d7d0e11f226b85f4cba2afd689ae67277a9d4138eac299cc7b02c2e2c72fc7edf65155843f3592a9094bb701ddfd5e81dffc8d9e57da62a0e5bde02da2552fc
  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize
    19KB
    MD5
    632716f8e98e9915dbddebadc295dc94
    SHA1
    d9d9038c32557ee3f9ac598119c1a4329205c242
    SHA256
    42182894d619bf3916089e3b1932d2e8b3c6321fe1c62c81b21aa0e9007226ca
    SHA512
    956ffddcff86d7471de6f75048d9430c2a62638baadb851f1af9048d1ef2b6408ba838565cef5bad5904550c66af1f0e284ed4346287f99fb9d248cd6b1a35ec
  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize
    19KB
    MD5
    76147e4eb081db99fa7c90a18616e179
    SHA1
    1fc6ebf3471b8a37bd00885572bda752a3aad171
    SHA256
    df5af5da064f1801eeafc53cc2cbd74a9f44144110c5985c77508f9261cbec17
    SHA512
    a369f3106e29f8391c4fab7d80b6572a4b85933cce4da21bb4af07d2341d089aafa76fc5228d5de1d526350cbd26ab34f13411aff4a694a1b17ee8b1773b7a96
  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize
    19KB
    MD5
    7f770dfb802bf7fd44ffb388c9d95e13
    SHA1
    3ad2ad72f0cb9a81f08a4495ed85da8fb9f1ac26
    SHA256
    a2874d82be7273bb9656e5b7f9c670bb05ab67027e7335b3495f2bd576c4283b
    SHA512
    9af9bb8d2391eb372a0e4405d8df64f2cafc476dd551a07bcf62b963e37f355f0550661f2f45692936bbe9d827a71a3b2297182bb801461a2f96572de23ff57d
  • C:\Windows\rss\csrss.exe
    Filesize
    4.2MB
    MD5
    27e27a57745e7beb5021313a3dba3612
    SHA1
    e40894dcbd73d7c34ac1454627564c9c3ebec58c
    SHA256
    10570aba07efb7b81ea85a6cc53a53b8e82670483f40531627793b27da8eab51
    SHA512
    7fce3b45c85ad51fe1e1d509147734c020920ec4956f3f82875bb638fda8333f2d4b739534262649e2cd76261b1b953b8dadd1b75bfa6640a2c1f12038a93bee
  • C:\Windows\windefender.exe
    Filesize
    2.0MB
    MD5
    8e67f58837092385dcf01e8a2b4f5783
    SHA1
    012c49cfd8c5d06795a6f67ea2baf2a082cf8625
    SHA256
    166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
    SHA512
    40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
  • memory/448-96-0x0000000074040000-0x00000000747F0000-memory.dmp
    Filesize
    7.7MB
  • memory/448-93-0x0000000007D10000-0x0000000007D24000-memory.dmp
    Filesize
    80KB
  • memory/448-92-0x0000000007CC0000-0x0000000007CD1000-memory.dmp
    Filesize
    68KB
  • memory/448-91-0x00000000079C0000-0x0000000007A63000-memory.dmp
    Filesize
    652KB
  • memory/448-65-0x0000000074040000-0x00000000747F0000-memory.dmp
    Filesize
    7.7MB
  • memory/448-81-0x0000000070680000-0x00000000709D4000-memory.dmp
    Filesize
    3.3MB
  • memory/448-80-0x000000006FEE0000-0x000000006FF2C000-memory.dmp
    Filesize
    304KB
  • memory/448-79-0x0000000003270000-0x0000000003280000-memory.dmp
    Filesize
    64KB
  • memory/448-73-0x0000000006180000-0x00000000064D4000-memory.dmp
    Filesize
    3.3MB
  • memory/448-66-0x0000000003270000-0x0000000003280000-memory.dmp
    Filesize
    64KB
  • memory/448-67-0x0000000003270000-0x0000000003280000-memory.dmp
    Filesize
    64KB
  • memory/804-33-0x0000000007340000-0x00000000073B6000-memory.dmp
    Filesize
    472KB
  • memory/804-16-0x00000000059F0000-0x0000000005A56000-memory.dmp
    Filesize
    408KB
  • memory/804-35-0x00000000073E0000-0x00000000073FA000-memory.dmp
    Filesize
    104KB
  • memory/804-36-0x000000007FCC0000-0x000000007FCD0000-memory.dmp
    Filesize
    64KB
  • memory/804-38-0x000000006FEE0000-0x000000006FF2C000-memory.dmp
    Filesize
    304KB
  • memory/804-39-0x0000000070490000-0x00000000707E4000-memory.dmp
    Filesize
    3.3MB
  • memory/804-37-0x0000000007590000-0x00000000075C2000-memory.dmp
    Filesize
    200KB
  • memory/804-49-0x0000000007570000-0x000000000758E000-memory.dmp
    Filesize
    120KB
  • memory/804-50-0x00000000075D0000-0x0000000007673000-memory.dmp
    Filesize
    652KB
  • memory/804-51-0x00000000076E0000-0x00000000076EA000-memory.dmp
    Filesize
    40KB
  • memory/804-52-0x0000000007790000-0x0000000007826000-memory.dmp
    Filesize
    600KB
  • memory/804-34-0x0000000007A40000-0x00000000080BA000-memory.dmp
    Filesize
    6.5MB
  • memory/804-54-0x00000000060D0000-0x00000000060E1000-memory.dmp
    Filesize
    68KB
  • memory/804-55-0x0000000007780000-0x000000000778E000-memory.dmp
    Filesize
    56KB
  • memory/804-56-0x0000000007870000-0x0000000007884000-memory.dmp
    Filesize
    80KB
  • memory/804-57-0x00000000078B0000-0x00000000078CA000-memory.dmp
    Filesize
    104KB
  • memory/804-58-0x00000000078A0000-0x00000000078A8000-memory.dmp
    Filesize
    32KB
  • memory/804-61-0x0000000074040000-0x00000000747F0000-memory.dmp
    Filesize
    7.7MB
  • memory/804-10-0x00000000026B0000-0x00000000026E6000-memory.dmp
    Filesize
    216KB
  • memory/804-6-0x0000000074040000-0x00000000747F0000-memory.dmp
    Filesize
    7.7MB
  • memory/804-11-0x0000000002C10000-0x0000000002C20000-memory.dmp
    Filesize
    64KB
  • memory/804-32-0x0000000002C10000-0x0000000002C20000-memory.dmp
    Filesize
    64KB
  • memory/804-31-0x0000000007150000-0x0000000007194000-memory.dmp
    Filesize
    272KB
  • memory/804-29-0x0000000006130000-0x000000000617C000-memory.dmp
    Filesize
    304KB
  • memory/804-12-0x0000000005260000-0x0000000005888000-memory.dmp
    Filesize
    6.2MB
  • memory/804-28-0x0000000006020000-0x000000000603E000-memory.dmp
    Filesize
    120KB
  • memory/804-27-0x0000000074040000-0x00000000747F0000-memory.dmp
    Filesize
    7.7MB
  • memory/804-22-0x0000000005A60000-0x0000000005DB4000-memory.dmp
    Filesize
    3.3MB
  • memory/804-9-0x0000000002C10000-0x0000000002C20000-memory.dmp
    Filesize
    64KB
  • memory/804-15-0x0000000005980000-0x00000000059E6000-memory.dmp
    Filesize
    408KB
  • memory/804-13-0x0000000005070000-0x0000000005092000-memory.dmp
    Filesize
    136KB
  • memory/884-275-0x0000000000400000-0x000000000310E000-memory.dmp
    Filesize
    45.1MB
  • memory/884-271-0x0000000000400000-0x000000000310E000-memory.dmp
    Filesize
    45.1MB
  • memory/884-260-0x0000000000400000-0x000000000310E000-memory.dmp
    Filesize
    45.1MB
  • memory/884-279-0x0000000000400000-0x000000000310E000-memory.dmp
    Filesize
    45.1MB
  • memory/884-283-0x0000000000400000-0x000000000310E000-memory.dmp
    Filesize
    45.1MB
  • memory/1176-273-0x0000000000400000-0x00000000008DF000-memory.dmp
    Filesize
    4.9MB
  • memory/1176-281-0x0000000000400000-0x00000000008DF000-memory.dmp
    Filesize
    4.9MB
  • memory/2904-143-0x0000000070660000-0x00000000709B4000-memory.dmp
    Filesize
    3.3MB
  • memory/2904-139-0x0000000005560000-0x00000000058B4000-memory.dmp
    Filesize
    3.3MB
  • memory/2904-154-0x0000000074040000-0x00000000747F0000-memory.dmp
    Filesize
    7.7MB
  • memory/2904-142-0x000000006FEE0000-0x000000006FF2C000-memory.dmp
    Filesize
    304KB
  • memory/2904-127-0x0000000074040000-0x00000000747F0000-memory.dmp
    Filesize
    7.7MB
  • memory/2904-129-0x0000000000900000-0x0000000000910000-memory.dmp
    Filesize
    64KB
  • memory/2904-128-0x0000000000900000-0x0000000000910000-memory.dmp
    Filesize
    64KB
  • memory/4080-269-0x0000000000400000-0x00000000008DF000-memory.dmp
    Filesize
    4.9MB
  • memory/4496-8-0x00000000052F0000-0x0000000005BDB000-memory.dmp
    Filesize
    8.9MB
  • memory/4496-78-0x0000000000400000-0x000000000310E000-memory.dmp
    Filesize
    45.1MB
  • memory/4496-53-0x0000000000400000-0x000000000310E000-memory.dmp
    Filesize
    45.1MB
  • memory/4496-5-0x0000000004EE0000-0x00000000052E4000-memory.dmp
    Filesize
    4.0MB
  • memory/4496-4-0x0000000000400000-0x000000000310E000-memory.dmp
    Filesize
    45.1MB
  • memory/4496-3-0x0000000000400000-0x000000000310E000-memory.dmp
    Filesize
    45.1MB
  • memory/4496-1-0x0000000004EE0000-0x00000000052E4000-memory.dmp
    Filesize
    4.0MB
  • memory/4496-2-0x00000000052F0000-0x0000000005BDB000-memory.dmp
    Filesize
    8.9MB
  • memory/4636-111-0x0000000004DF0000-0x00000000051F5000-memory.dmp
    Filesize
    4.0MB
  • memory/4636-63-0x0000000004DF0000-0x00000000051F5000-memory.dmp
    Filesize
    4.0MB
  • memory/4636-112-0x0000000000400000-0x000000000310E000-memory.dmp
    Filesize
    45.1MB
  • memory/4636-64-0x0000000000400000-0x000000000310E000-memory.dmp
    Filesize
    45.1MB
  • memory/4636-175-0x0000000000400000-0x000000000310E000-memory.dmp
    Filesize
    45.1MB
  • memory/4732-113-0x0000000002BA0000-0x0000000002BB0000-memory.dmp
    Filesize
    64KB
  • memory/4732-98-0x0000000074040000-0x00000000747F0000-memory.dmp
    Filesize
    7.7MB
  • memory/4732-114-0x000000006FEE0000-0x000000006FF2C000-memory.dmp
    Filesize
    304KB
  • memory/4732-100-0x0000000002BA0000-0x0000000002BB0000-memory.dmp
    Filesize
    64KB
  • memory/4732-99-0x0000000002BA0000-0x0000000002BB0000-memory.dmp
    Filesize
    64KB
  • memory/4732-115-0x0000000070680000-0x00000000709D4000-memory.dmp
    Filesize
    3.3MB
  • memory/4732-126-0x0000000074040000-0x00000000747F0000-memory.dmp
    Filesize
    7.7MB