Analysis
max time kernel: 1s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/04/2024, 20:03
Static task: static1
Behavioral task: behavioral1
Sample: 4c514b7385b3ab5b9424d42fea18f7f6732db46fc551075dd1f5f79c9da929a6.exe
Resource: win10v2004-20240412-en
General
Target: 4c514b7385b3ab5b9424d42fea18f7f6732db46fc551075dd1f5f79c9da929a6.exe
Size: 4.2MB
MD5: a00d1477523f7e89af556f3bab439d45
SHA1: ed6032277700addaf11e7e8f7e18aa9279c4bdb6
SHA256: 4c514b7385b3ab5b9424d42fea18f7f6732db46fc551075dd1f5f79c9da929a6
SHA512: e2e5bebe16c6162db1c474c34a1e116618dce43a08e1c21fedd4f07ce020215e14fad0de4aa46f8033ce6c81bcf1c783d324fc2ae52e483ea446a113a5c607ac
SSDEEP: 98304:ZU4Iq03aI5N3yqqHwBEspKQ2DvCGo03KUue+TK:rIh7By/QBEsp+2hnfK
Malware Config
Signatures

Glupteba payload (19 IoCs)
resource / yara_rule
- behavioral1/memory/4884-2-0x0000000005260000-0x0000000005B4B000-memory.dmp / family_glupteba
- behavioral1/memory/4884-3-0x0000000000400000-0x0000000003118000-memory.dmp / family_glupteba
- behavioral1/memory/2516-56-0x0000000005240000-0x0000000005B2B000-memory.dmp / family_glupteba
- behavioral1/memory/2516-68-0x0000000000400000-0x0000000003118000-memory.dmp / family_glupteba
- behavioral1/memory/4884-71-0x0000000005260000-0x0000000005B4B000-memory.dmp / family_glupteba
- behavioral1/memory/4884-85-0x0000000000400000-0x0000000003118000-memory.dmp / family_glupteba
- behavioral1/memory/2516-232-0x0000000000400000-0x0000000003118000-memory.dmp / family_glupteba
- behavioral1/memory/844-256-0x0000000000400000-0x0000000003118000-memory.dmp / family_glupteba
- behavioral1/memory/844-267-0x0000000000400000-0x0000000003118000-memory.dmp / family_glupteba
- behavioral1/memory/844-271-0x0000000000400000-0x0000000003118000-memory.dmp / family_glupteba
- behavioral1/memory/844-275-0x0000000000400000-0x0000000003118000-memory.dmp / family_glupteba
- behavioral1/memory/844-279-0x0000000000400000-0x0000000003118000-memory.dmp / family_glupteba
- behavioral1/memory/844-283-0x0000000000400000-0x0000000003118000-memory.dmp / family_glupteba
- behavioral1/memory/844-287-0x0000000000400000-0x0000000003118000-memory.dmp / family_glupteba
- behavioral1/memory/844-291-0x0000000000400000-0x0000000003118000-memory.dmp / family_glupteba
- behavioral1/memory/844-295-0x0000000000400000-0x0000000003118000-memory.dmp / family_glupteba
- behavioral1/memory/844-299-0x0000000000400000-0x0000000003118000-memory.dmp / family_glupteba
- behavioral1/memory/844-303-0x0000000000400000-0x0000000003118000-memory.dmp / family_glupteba
- behavioral1/memory/844-307-0x0000000000400000-0x0000000003118000-memory.dmp / family_glupteba

Modifies Windows Firewall (2 TTPs, 1 IoC)
pid / Process
- 1576 / netsh.exe

resource / yara_rule
- behavioral1/files/0x0008000000023417-261.dat / upx
- behavioral1/memory/3676-264-0x0000000000400000-0x00000000008DF000-memory.dmp / upx
- behavioral1/memory/4736-269-0x0000000000400000-0x00000000008DF000-memory.dmp / upx
- behavioral1/memory/4736-277-0x0000000000400000-0x00000000008DF000-memory.dmp / upx

Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
pid / Process
- 3240 / sc.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process
- 3560 / schtasks.exe
- 1612 / schtasks.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\4c514b7385b3ab5b9424d42fea18f7f6732db46fc551075dd1f5f79c9da929a6.exe (PID 4884)
  command line: "C:\Users\Admin\AppData\Local\Temp\4c514b7385b3ab5b9424d42fea18f7f6732db46fc551075dd1f5f79c9da929a6.exe"
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2820)
    command line: powershell -nologo -noprofile
  - C:\Users\Admin\AppData\Local\Temp\4c514b7385b3ab5b9424d42fea18f7f6732db46fc551075dd1f5f79c9da929a6.exe (PID 2516)
    command line: "C:\Users\Admin\AppData\Local\Temp\4c514b7385b3ab5b9424d42fea18f7f6732db46fc551075dd1f5f79c9da929a6.exe"
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3536)
      command line: powershell -nologo -noprofile
    - C:\Windows\system32\cmd.exe (PID 2024)
      command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      - C:\Windows\system32\netsh.exe (PID 1576)
        command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        signature: Modifies Windows Firewall
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1244)
      command line: powershell -nologo -noprofile
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3892)
      command line: powershell -nologo -noprofile
    - C:\Windows\rss\csrss.exe (PID 844)
      command line: C:\Windows\rss\csrss.exe
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4412)
        command line: powershell -nologo -noprofile
      - C:\Windows\SYSTEM32\schtasks.exe (PID 3560)
        command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        signature: Creates scheduled task(s)
      - C:\Windows\SYSTEM32\schtasks.exe (PID 4236)
        command line: schtasks /delete /tn ScheduledUpdate /f
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2584)
        command line: powershell -nologo -noprofile
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2320)
        command line: powershell -nologo -noprofile
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (PID 1216)
        command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      - C:\Windows\SYSTEM32\schtasks.exe (PID 1612)
        command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        signature: Creates scheduled task(s)
      - C:\Windows\windefender.exe (PID 3676)
        command line: "C:\Windows\windefender.exe"
        - C:\Windows\SysWOW64\cmd.exe (PID 2244)
          command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
          - C:\Windows\SysWOW64\sc.exe (PID 3240)
            command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            signature: Launches sc.exe
- C:\Windows\windefender.exe (PID 4736)
  command line: C:\Windows\windefender.exe