Analysis
- max time kernel: 3s
- max time network: 157s
- platform: windows11-21h2_x64
- resource: win11-20240412-en
- resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 17/04/2024, 20:03
Static task: static1
Behavioral task: behavioral1
Sample: 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
Resource: win10v2004-20240412-en
General
- Target: 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
- Size: 4.2MB
- MD5: 907b31cc5de7fe55e8b7e6fae904c487
- SHA1: 7c5c32781742a8fc8b40611e53cbacd53444dedb
- SHA256: 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf
- SHA512: 09d1a38a501d29447482c29f20ed9fefefb0d7e3bcc475e1f7206fa9cf67269655033dac82db6fd4ac1534e8d0abf9e53db4e887556ae990345fbe4a6e1d488b
- SSDEEP: 98304:hU4Iq03aI5N3yqqHwBEspKQ2DvCGo03KUue+T5:TIh7By/QBEsp+2hnf5
Malware Config
Signatures
- Glupteba payload (19 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/3964-2-0x0000000005370000-0x0000000005C5B000-memory.dmp     family_glupteba
  behavioral2/memory/3964-3-0x0000000000400000-0x0000000003118000-memory.dmp     family_glupteba
  behavioral2/memory/3964-51-0x0000000000400000-0x0000000003118000-memory.dmp    family_glupteba
  behavioral2/memory/3964-52-0x0000000005370000-0x0000000005C5B000-memory.dmp    family_glupteba
  behavioral2/memory/1908-54-0x0000000004E30000-0x000000000522A000-memory.dmp    family_glupteba
  behavioral2/memory/1908-55-0x0000000000400000-0x0000000003118000-memory.dmp    family_glupteba
  behavioral2/memory/1908-112-0x0000000000400000-0x0000000003118000-memory.dmp   family_glupteba
  behavioral2/memory/1908-116-0x0000000000400000-0x0000000003118000-memory.dmp   family_glupteba
  behavioral2/memory/1908-146-0x0000000000400000-0x0000000003118000-memory.dmp   family_glupteba
  behavioral2/memory/1320-239-0x0000000000400000-0x0000000003118000-memory.dmp   family_glupteba
  behavioral2/memory/1320-248-0x0000000000400000-0x0000000003118000-memory.dmp   family_glupteba
  behavioral2/memory/1320-254-0x0000000000400000-0x0000000003118000-memory.dmp   family_glupteba
  behavioral2/memory/1320-256-0x0000000000400000-0x0000000003118000-memory.dmp   family_glupteba
  behavioral2/memory/1320-258-0x0000000000400000-0x0000000003118000-memory.dmp   family_glupteba
  behavioral2/memory/1320-260-0x0000000000400000-0x0000000003118000-memory.dmp   family_glupteba
  behavioral2/memory/1320-262-0x0000000000400000-0x0000000003118000-memory.dmp   family_glupteba
  behavioral2/memory/1320-264-0x0000000000400000-0x0000000003118000-memory.dmp   family_glupteba
  behavioral2/memory/1320-266-0x0000000000400000-0x0000000003118000-memory.dmp   family_glupteba
  behavioral2/memory/1320-268-0x0000000000400000-0x0000000003118000-memory.dmp   family_glupteba
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid    Process
  2356   netsh.exe
- UPX packer signature (yara rule upx, 4 IoCs)
  resource                                                                       yara_rule
  behavioral2/files/0x000200000002aa28-247.dat                                   upx
  behavioral2/memory/2088-253-0x0000000000400000-0x00000000008DF000-memory.dmp   upx
  behavioral2/memory/4868-255-0x0000000000400000-0x00000000008DF000-memory.dmp   upx
  behavioral2/memory/4868-259-0x0000000000400000-0x00000000008DF000-memory.dmp   upx
- Launches sc.exe (1 IoC)
  Sc.exe is a Windows utility to control services on the system.
  pid    Process
  2056   sc.exe
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    Process
  4300   schtasks.exe
  3092   schtasks.exe
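The 19 family_glupteba matches above are repeated snapshots of the same few regions in three processes: the original sample (PID 3964), its re-launched copy (PID 1908) and C:\Windows\rss\csrss.exe (PID 1320). The Python below is an added example, not part of the sandbox report: it parses the dump names printed above, collapses repeat snapshots per PID, lists regions shared across processes, and compares the flagged image region with the 4.2MB size on disk. The dump names are copied from the list above; converting the report's "4.2MB" to bytes as 4.2 × 2^20 is an assumption of this example.

```python
"""Group the family_glupteba memory matches from the Signatures list by PID and region.

Added example; the dump names are copied from the report, the 4.2MB -> bytes
conversion (x 2**20) is an assumption made here.
"""
import re
from collections import defaultdict

# Copied verbatim from the "Glupteba payload (19 IoCs)" list above.
GLUPTEBA_MATCHES = """
behavioral2/memory/3964-2-0x0000000005370000-0x0000000005C5B000-memory.dmp family_glupteba
behavioral2/memory/3964-3-0x0000000000400000-0x0000000003118000-memory.dmp family_glupteba
behavioral2/memory/3964-51-0x0000000000400000-0x0000000003118000-memory.dmp family_glupteba
behavioral2/memory/3964-52-0x0000000005370000-0x0000000005C5B000-memory.dmp family_glupteba
behavioral2/memory/1908-54-0x0000000004E30000-0x000000000522A000-memory.dmp family_glupteba
behavioral2/memory/1908-55-0x0000000000400000-0x0000000003118000-memory.dmp family_glupteba
behavioral2/memory/1908-112-0x0000000000400000-0x0000000003118000-memory.dmp family_glupteba
behavioral2/memory/1908-116-0x0000000000400000-0x0000000003118000-memory.dmp family_glupteba
behavioral2/memory/1908-146-0x0000000000400000-0x0000000003118000-memory.dmp family_glupteba
behavioral2/memory/1320-239-0x0000000000400000-0x0000000003118000-memory.dmp family_glupteba
behavioral2/memory/1320-248-0x0000000000400000-0x0000000003118000-memory.dmp family_glupteba
behavioral2/memory/1320-254-0x0000000000400000-0x0000000003118000-memory.dmp family_glupteba
behavioral2/memory/1320-256-0x0000000000400000-0x0000000003118000-memory.dmp family_glupteba
behavioral2/memory/1320-258-0x0000000000400000-0x0000000003118000-memory.dmp family_glupteba
behavioral2/memory/1320-260-0x0000000000400000-0x0000000003118000-memory.dmp family_glupteba
behavioral2/memory/1320-262-0x0000000000400000-0x0000000003118000-memory.dmp family_glupteba
behavioral2/memory/1320-264-0x0000000000400000-0x0000000003118000-memory.dmp family_glupteba
behavioral2/memory/1320-266-0x0000000000400000-0x0000000003118000-memory.dmp family_glupteba
behavioral2/memory/1320-268-0x0000000000400000-0x0000000003118000-memory.dmp family_glupteba
"""

SAMPLE_SIZE_ON_DISK = int(4.2 * 1024 * 1024)  # report says 4.2MB; x 2**20 is an assumption

# <pid>-<snapshot seq>-0x<start>-0x<end>-memory.dmp <yara rule>
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)"
    r"-memory\.dmp\s+(?P<rule>\w+)"
)


def parse_matches(text):
    """One dict per dump name: pid, snapshot seq, start, end, size (end - start), rule."""
    out = []
    for line in text.strip().splitlines():
        m = DUMP_RE.search(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            out.append({"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start,
                        "end": end, "size": end - start, "rule": m["rule"]})
    return out


def regions_by_pid(matches):
    """{pid: {(start, end): snapshot_count}} so repeated dumps of one region collapse."""
    by_pid = defaultdict(lambda: defaultdict(int))
    for m in matches:
        by_pid[m["pid"]][(m["start"], m["end"])] += 1
    return {pid: dict(regions) for pid, regions in by_pid.items()}


def shared_regions(matches):
    """Regions flagged in more than one process -> sorted list of the PIDs holding them."""
    holders = defaultdict(set)
    for m in matches:
        holders[(m["start"], m["end"])].add(m["pid"])
    return {region: sorted(pids) for region, pids in holders.items() if len(pids) > 1}


def image_inflation(matches, on_disk=SAMPLE_SIZE_ON_DISK):
    """Largest flagged region at the usual x86 image base (0x400000) over the on-disk size.
    A ratio well above 1 means the matched code exists only after unpacking in memory."""
    image_sizes = [m["size"] for m in matches if m["start"] == 0x400000]
    return max(image_sizes) / on_disk if image_sizes else 0.0


if __name__ == "__main__":
    matches = parse_matches(GLUPTEBA_MATCHES)
    for pid, regions in sorted(regions_by_pid(matches).items()):
        for (start, end), hits in regions.items():
            print(f"PID {pid}: 0x{start:08X}-0x{end:08X} ({(end - start) // 1024} KiB), {hits} snapshot(s)")
    for (start, end), pids in shared_regions(matches).items():
        print(f"region 0x{start:08X}-0x{end:08X} is flagged in PIDs {pids}")
    print(f"image region is {image_inflation(matches):.1f}x the file size on disk")
```

The region 0x400000-0x3118000 (about 45 MiB) is flagged in all three PIDs while the file is 4.2MB, and it is the only region the three have in common, which is what you expect when a packed sample unpacks in place and then copies itself to a new path and runs the copy.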
Processes
(indentation shows parent/child; the leading digit is the process depth recorded by the sandbox)

1 C:\Users\Admin\AppData\Local\Temp\74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe  [PID 3964]
  cmd: "C:\Users\Admin\AppData\Local\Temp\74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe"
  2 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 3536]
    cmd: powershell -nologo -noprofile
  2 C:\Users\Admin\AppData\Local\Temp\74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe  [PID 1908]
    cmd: "C:\Users\Admin\AppData\Local\Temp\74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe"
    3 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 2176]
      cmd: powershell -nologo -noprofile
    3 C:\Windows\system32\cmd.exe  [PID 4128]
      cmd: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4 C:\Windows\system32\netsh.exe  [PID 2356]  signature: Modifies Windows Firewall
        cmd: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
    3 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 1984]
      cmd: powershell -nologo -noprofile
    3 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 3068]
      cmd: powershell -nologo -noprofile
    3 C:\Windows\rss\csrss.exe  [PID 1320]
      cmd: C:\Windows\rss\csrss.exe
      4 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 4260]
        cmd: powershell -nologo -noprofile
      4 C:\Windows\SYSTEM32\schtasks.exe  [PID 4300]  signature: Creates scheduled task(s)
        cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4 C:\Windows\SYSTEM32\schtasks.exe  [PID 4240]
        cmd: schtasks /delete /tn ScheduledUpdate /f
      4 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 2064]
        cmd: powershell -nologo -noprofile
      4 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 1404]
        cmd: powershell -nologo -noprofile
      4 C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe  [PID 2788]
        cmd: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4 C:\Windows\SYSTEM32\schtasks.exe  [PID 3092]  signature: Creates scheduled task(s)
        cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4 C:\Windows\windefender.exe  [PID 2088]
        cmd: "C:\Windows\windefender.exe"
        5 C:\Windows\SysWOW64\cmd.exe  [PID 876]
          cmd: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
          6 C:\Windows\SysWOW64\sc.exe  [PID 2056]  signature: Launches sc.exe
            cmd: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

1 C:\Windows\windefender.exe  [PID 4868]
  cmd: C:\Windows\windefender.exe
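Three lines in the tree above are the ones worth alerting on. The netsh rule allows inbound traffic to C:\Windows\rss\csrss.exe, a file named like the Client/Server Runtime Subsystem but outside System32. The schtasks /CREATE runs that same file at every logon with /RL HIGHEST. The sc sdset rewrites the WinDefender service's security descriptor: the allow ACE for Administrators (SID BA) omits WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE), a following deny ACE (D;;WPDT;;;BA) refuses them explicitly, and the SACL entry (AU;FA;...;;;WD) audits failed access attempts by Everyone, so an elevated shell can see the service but cannot stop or pause it. The Python below is an added example, not code from the report or from the sample: it runs three checks over captured command lines and parses the SDDL to show exactly which rights Administrators lose. The command lines are copied from the tree; the rule names, the set of system-binary names treated as masquerade candidates, and the "allow plus masquerade" threshold are this example's own choices.

```python
"""Detection checks over the command lines in the process tree above.

Added example, not code from the sandbox report or from the malware. The
lines in REPORTED_CMDLINES are copied from the tree; the rule names and the
list of system-binary names checked for masquerading are assumptions made here.
"""
import re

# SDDL two-letter rights as used in service security descriptors.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG", "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS", "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
ACE_RE = re.compile(r"\((\w+);(\w*);(\w*);(\w*);(\w*);(\w+)\)")  # (type;flags;rights;obj;inherit;sid)
# Names that belong only in the system directories; a copy anywhere else is masquerading (assumed list).
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "winlogon.exe", "lsass.exe", "svchost.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
FIREWALL_RE = re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b(?P<args>.*)", re.I)
SCHTASKS_RE = re.compile(r"schtasks(?:\.exe)?\s+/create\b(?P<args>.*)", re.I)
SDSET_RE = re.compile(r"\bsc(?:\.exe)?\s+sdset\s+(?P<service>\S+)\s+(?P<sddl>\S+)", re.I)


def parse_sddl(sddl):
    """{'D': [ace, ...], 'S': [ace, ...]}; two-letter rights are split into tokens."""
    acls = {}
    for acl, body in re.findall(r"([DS]):((?:\([^)]*\))*)", sddl):
        acls[acl] = [
            {"type": t, "flags": f, "sid": sid,
             "rights": [r] if r.startswith("0x") else [r[i:i + 2] for i in range(0, len(r), 2)]}
            for t, f, r, _obj, _inh, sid in ACE_RE.findall(body)
        ]
    return acls


def admin_service_rights(sddl):
    """Rights the DACL allows and explicitly denies to BUILTIN\\Administrators (SID BA)."""
    allowed, denied = set(), set()
    for ace in parse_sddl(sddl).get("D", []):
        if ace["sid"] == "BA" and ace["type"] in ("A", "D"):
            names = {SERVICE_RIGHTS.get(r, r) for r in ace["rights"]}
            (allowed if ace["type"] == "A" else denied).update(names)
    return {"allowed": sorted(allowed), "denied": sorted(denied)}


def masquerades_as_system_binary(path):
    p = path.strip('"').lower()
    return p.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not p.startswith(SYSTEM_DIRS)


def firewall_allow_for_masquerade(cmdline):
    """Program path of an allow rule whose program masquerades as a system binary, else None."""
    m = FIREWALL_RE.search(cmdline)
    if not m:
        return None
    action = re.search(r"action=(\w+)", m["args"], re.I)
    program = re.search(r'program="([^"]+)"', m["args"], re.I)
    ok = action and program and action[1].lower() == "allow" and masquerades_as_system_binary(program[1])
    return program[1] if ok else None


def onlogon_task_for_masquerade(cmdline):
    """Action of an ONLOGON task with /RL HIGHEST that runs a masquerading binary, else None."""
    m = SCHTASKS_RE.search(cmdline)
    if not m:
        return None
    opts = {k.lower(): v.strip('"') for k, v in re.findall(r'/(\w+)\s+("[^"]*"|[^/\s]\S*)', m["args"])}
    target = opts.get("tr", "")
    ok = opts.get("sc", "").lower() == "onlogon" and opts.get("rl", "").lower() == "highest"
    return target if ok and masquerades_as_system_binary(target) else None


def service_locked_against_admins(cmdline):
    """(service, stop/pause rights Administrators lose) for an sc sdset, else None."""
    m = SDSET_RE.search(cmdline)
    if not m:
        return None
    rights = admin_service_rights(m["sddl"])
    control = {"SERVICE_STOP", "SERVICE_PAUSE_CONTINUE"}
    lost = sorted((control & set(rights["denied"])) | (control - set(rights["allowed"])))
    return (m["service"], lost) if lost else None


def triage(cmdlines):
    """Every check over every line; (rule, detail) pairs in input order."""
    checks = [("firewall_allow_masquerade", firewall_allow_for_masquerade),
              ("schtasks_onlogon_masquerade", onlogon_task_for_masquerade),
              ("sc_sdset_admin_cannot_stop", service_locked_against_admins)]
    return [(name, hit) for line in cmdlines for name, check in checks if (hit := check(line))]


# Copied from the process tree above; benign-looking lines are kept as negatives.
REPORTED_CMDLINES = [
    r'powershell -nologo -noprofile',
    r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'schtasks /delete /tn ScheduledUpdate /f',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
    r'cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
    r'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
]
```

Each command fires twice here because the sandbox records both the cmd.exe wrapper and the child it spawns; a real pipeline would key on the child. The injector.exe line (taskmgr.exe plus a DLL named NtQuerySystemInformationHook.dll) is a fourth candidate, since NtQuerySystemInformation is the API Task Manager uses to enumerate processes, but only the file names are known from this report, so it is left out of the checks. On a live host the same findings can be confirmed with `sc sdshow WinDefender`, `schtasks /Query /TN csrss /V` and `netsh advfirewall firewall show rule name=csrss`.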
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 281KB
  MD5: d98e33b66343e7c96158444127a117f6
  SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
  SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
  SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: ac4917a885cf6050b1a483e4bc4d2ea5
  SHA1: b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
  SHA256: e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
  SHA512: 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 51ba793f0d159d9336c11e58259f716e
  SHA1: 043e2c81055a95a9de624b4f921bd311b8dc877b
  SHA256: 8b076bb8ce47157624f8115ab610e46ef870b7e3fe1e31b540d1009cea31b7b6
  SHA512: 5496214fac589d6dbe5dca8987ceac8fb3306b85c47cd044c8c2795194748707bf11f8e9185d92dc34ce33660b5d59036ca12cfc2ff1f7a362b52e3338265d5c
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 625b97d2ef7dd838071196f821a11866
  SHA1: eee159b1d135f591641a0a12da5667019924bc12
  SHA256: a333616ec806c6ad6ee538d53d79f832526a1b56f80c48616a29abc1aaefb436
  SHA512: 7918f31c306396ea78acb88ed3e249f9f8de6fe73131b37565bfbcf82cc821d7a288dca45c36d18587723baf053b1b6bf151d574b8131e6e9f990e71cd6e429e
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 4f3115d60e2918c5caa8007102f8fb01
  SHA1: d45b5779f7c7f891311778182ce9ea6034c53fd9
  SHA256: 31866f5a878db9b63fa8f6ca7bb47a9351bf2a54f6650aeac02180da35dbde64
  SHA512: b59380b1b412be29044b5701e33549af81d59b74115c97bbaf85bfd2e7474b4f1d40615d3c2011bb1c1669f9864b7843308cc19333cac75e9625a3767e448396
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: bfbc1adf5f4bf2b9fa6388b34bb2f96b
  SHA1: 463c1da3020e69d6e29e5ffd00e77afbdc114f11
  SHA256: 51d920a24f2fa8cd9fb9280fffa412ea19eaed377917a03eb77b01943240611d
  SHA512: 095d2ed91b2e18e71976f74089349d890998d02940db40a38a62f7281d402e722b9b5a3e1571da47ea036ef12f12f1c5d7ab06f60de40a7d4084c1400b54e2c4
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: be7b06955fef79b474685b696d34e48b
  SHA1: 6bab52d749e197142f496f4aa29395c0e07dc608
  SHA256: a0e07e9031cff77923002ec5bf9310481562ffe9d7f59307a7434aa23b0a7888
  SHA512: 90203d4371d4b763907fd37c9d027e352b2969b5e6bbcadecb443c8c9537bcced6ba406d4c1a76956f6e7d6f82b5d83fd1c8eb111dee9794c242d8a88cc9c9a5
- Filesize: 4.2MB (hashes identical to the submitted sample)
  MD5: 907b31cc5de7fe55e8b7e6fae904c487
  SHA1: 7c5c32781742a8fc8b40611e53cbacd53444dedb
  SHA256: 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf
  SHA512: 09d1a38a501d29447482c29f20ed9fefefb0d7e3bcc475e1f7206fa9cf67269655033dac82db6fd4ac1534e8d0abf9e53db4e887556ae990345fbe4a6e1d488b
- Filesize: 2.0MB
  MD5: 8e67f58837092385dcf01e8a2b4f5783
  SHA1: 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
  SHA256: 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
  SHA512: 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec