Analysis

  • max time kernel
    3s
  • max time network
    157s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    17/04/2024, 20:03

General

  • Target

    74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe

  • Size

    4.2MB

  • MD5

    907b31cc5de7fe55e8b7e6fae904c487

  • SHA1

    7c5c32781742a8fc8b40611e53cbacd53444dedb

  • SHA256

    74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf

  • SHA512

    09d1a38a501d29447482c29f20ed9fefefb0d7e3bcc475e1f7206fa9cf67269655033dac82db6fd4ac1534e8d0abf9e53db4e887556ae990345fbe4a6e1d488b

  • SSDEEP

    98304:hU4Iq03aI5N3yqqHwBEspKQ2DvCGo03KUue+T5:TIh7By/QBEsp+2hnf5

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 19 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

Processes

  • C:\Users\Admin\AppData\Local\Temp\74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
    "C:\Users\Admin\AppData\Local\Temp\74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe"
    1⤵
      PID:3964
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        2⤵
          PID:3536
        • C:\Users\Admin\AppData\Local\Temp\74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe
          "C:\Users\Admin\AppData\Local\Temp\74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf.exe"
          2⤵
            PID:1908
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              3⤵
                PID:2176
              • C:\Windows\system32\cmd.exe
                C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                3⤵
                  PID:4128
                  • C:\Windows\system32\netsh.exe
                    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                    4⤵
                    • Modifies Windows Firewall
                    PID:2356
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -nologo -noprofile
                  3⤵
                    PID:1984
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -nologo -noprofile
                    3⤵
                      PID:3068
                    • C:\Windows\rss\csrss.exe
                      C:\Windows\rss\csrss.exe
                      3⤵
                        PID:1320
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          powershell -nologo -noprofile
                          4⤵
                            PID:4260
                          • C:\Windows\SYSTEM32\schtasks.exe
                            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                            4⤵
                            • Creates scheduled task(s)
                            PID:4300
                          • C:\Windows\SYSTEM32\schtasks.exe
                            schtasks /delete /tn ScheduledUpdate /f
                            4⤵
                              PID:4240
                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              powershell -nologo -noprofile
                              4⤵
                                PID:2064
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                powershell -nologo -noprofile
                                4⤵
                                  PID:1404
                                • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                                  C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                                  4⤵
                                    PID:2788
                                  • C:\Windows\SYSTEM32\schtasks.exe
                                    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                                    4⤵
                                    • Creates scheduled task(s)
                                    PID:3092
                                  • C:\Windows\windefender.exe
                                    "C:\Windows\windefender.exe"
                                    4⤵
                                      PID:2088
                                      • C:\Windows\SysWOW64\cmd.exe
                                        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                                        5⤵
                                          PID:876
                                          • C:\Windows\SysWOW64\sc.exe
                                            sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                                            6⤵
                                            • Launches sc.exe
                                            PID:2056
                                • C:\Windows\windefender.exe
                                  C:\Windows\windefender.exe
                                  1⤵
                                    PID:4868

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y3nep2zk.tqx.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
    Filesize: 281KB
    MD5: d98e33b66343e7c96158444127a117f6
    SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
    SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
    SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: ac4917a885cf6050b1a483e4bc4d2ea5
    SHA1: b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
    SHA256: e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
    SHA512: 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize: 19KB
    MD5: 51ba793f0d159d9336c11e58259f716e
    SHA1: 043e2c81055a95a9de624b4f921bd311b8dc877b
    SHA256: 8b076bb8ce47157624f8115ab610e46ef870b7e3fe1e31b540d1009cea31b7b6
    SHA512: 5496214fac589d6dbe5dca8987ceac8fb3306b85c47cd044c8c2795194748707bf11f8e9185d92dc34ce33660b5d59036ca12cfc2ff1f7a362b52e3338265d5c

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize: 19KB
    MD5: 625b97d2ef7dd838071196f821a11866
    SHA1: eee159b1d135f591641a0a12da5667019924bc12
    SHA256: a333616ec806c6ad6ee538d53d79f832526a1b56f80c48616a29abc1aaefb436
    SHA512: 7918f31c306396ea78acb88ed3e249f9f8de6fe73131b37565bfbcf82cc821d7a288dca45c36d18587723baf053b1b6bf151d574b8131e6e9f990e71cd6e429e

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize: 19KB
    MD5: 4f3115d60e2918c5caa8007102f8fb01
    SHA1: d45b5779f7c7f891311778182ce9ea6034c53fd9
    SHA256: 31866f5a878db9b63fa8f6ca7bb47a9351bf2a54f6650aeac02180da35dbde64
    SHA512: b59380b1b412be29044b5701e33549af81d59b74115c97bbaf85bfd2e7474b4f1d40615d3c2011bb1c1669f9864b7843308cc19333cac75e9625a3767e448396

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize: 19KB
    MD5: bfbc1adf5f4bf2b9fa6388b34bb2f96b
    SHA1: 463c1da3020e69d6e29e5ffd00e77afbdc114f11
    SHA256: 51d920a24f2fa8cd9fb9280fffa412ea19eaed377917a03eb77b01943240611d
    SHA512: 095d2ed91b2e18e71976f74089349d890998d02940db40a38a62f7281d402e722b9b5a3e1571da47ea036ef12f12f1c5d7ab06f60de40a7d4084c1400b54e2c4

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize: 19KB
    MD5: be7b06955fef79b474685b696d34e48b
    SHA1: 6bab52d749e197142f496f4aa29395c0e07dc608
    SHA256: a0e07e9031cff77923002ec5bf9310481562ffe9d7f59307a7434aa23b0a7888
    SHA512: 90203d4371d4b763907fd37c9d027e352b2969b5e6bbcadecb443c8c9537bcced6ba406d4c1a76956f6e7d6f82b5d83fd1c8eb111dee9794c242d8a88cc9c9a5

  • C:\Windows\rss\csrss.exe
    Filesize: 4.2MB
    MD5: 907b31cc5de7fe55e8b7e6fae904c487
    SHA1: 7c5c32781742a8fc8b40611e53cbacd53444dedb
    SHA256: 74f2085f408109b12acdf53a577675a0e31a133b3e6c13b2f116327abaf0f0bf
    SHA512: 09d1a38a501d29447482c29f20ed9fefefb0d7e3bcc475e1f7206fa9cf67269655033dac82db6fd4ac1534e8d0abf9e53db4e887556ae990345fbe4a6e1d488b

  • C:\Windows\windefender.exe
    Filesize: 2.0MB
    MD5: 8e67f58837092385dcf01e8a2b4f5783
    SHA1: 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
    SHA256: 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
    SHA512: 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

  • memory/1320-264-0x0000000000400000-0x0000000003118000-memory.dmp (Filesize: 45.1MB)
  • memory/1320-254-0x0000000000400000-0x0000000003118000-memory.dmp (Filesize: 45.1MB)
  • memory/1320-256-0x0000000000400000-0x0000000003118000-memory.dmp (Filesize: 45.1MB)
  • memory/1320-248-0x0000000000400000-0x0000000003118000-memory.dmp (Filesize: 45.1MB)
  • memory/1320-258-0x0000000000400000-0x0000000003118000-memory.dmp (Filesize: 45.1MB)
  • memory/1320-260-0x0000000000400000-0x0000000003118000-memory.dmp (Filesize: 45.1MB)
  • memory/1320-239-0x0000000000400000-0x0000000003118000-memory.dmp (Filesize: 45.1MB)
  • memory/1320-262-0x0000000000400000-0x0000000003118000-memory.dmp (Filesize: 45.1MB)
  • memory/1320-266-0x0000000000400000-0x0000000003118000-memory.dmp (Filesize: 45.1MB)
  • memory/1320-268-0x0000000000400000-0x0000000003118000-memory.dmp (Filesize: 45.1MB)
  • memory/1320-270-0x0000000000400000-0x0000000003118000-memory.dmp (Filesize: 45.1MB)
  • memory/1320-272-0x0000000000400000-0x0000000003118000-memory.dmp (Filesize: 45.1MB)
  • memory/1908-55-0x0000000000400000-0x0000000003118000-memory.dmp (Filesize: 45.1MB)
  • memory/1908-116-0x0000000000400000-0x0000000003118000-memory.dmp (Filesize: 45.1MB)
  • memory/1908-54-0x0000000004E30000-0x000000000522A000-memory.dmp (Filesize: 4.0MB)
  • memory/1908-90-0x0000000004E30000-0x000000000522A000-memory.dmp (Filesize: 4.0MB)
  • memory/1908-112-0x0000000000400000-0x0000000003118000-memory.dmp (Filesize: 45.1MB)
  • memory/1908-146-0x0000000000400000-0x0000000003118000-memory.dmp (Filesize: 45.1MB)
  • memory/1984-101-0x0000000002920000-0x0000000002930000-memory.dmp (Filesize: 64KB)
  • memory/1984-102-0x0000000070DE0000-0x0000000070E2C000-memory.dmp (Filesize: 304KB)
  • memory/1984-103-0x0000000071030000-0x0000000071387000-memory.dmp (Filesize: 3.3MB)
  • memory/1984-113-0x000000007F470000-0x000000007F480000-memory.dmp (Filesize: 64KB)
  • memory/1984-91-0x0000000005780000-0x0000000005AD7000-memory.dmp (Filesize: 3.3MB)
  • memory/1984-89-0x0000000002920000-0x0000000002930000-memory.dmp (Filesize: 64KB)
  • memory/1984-88-0x0000000002920000-0x0000000002930000-memory.dmp (Filesize: 64KB)
  • memory/1984-115-0x0000000074B00000-0x00000000752B1000-memory.dmp (Filesize: 7.7MB)
  • memory/1984-87-0x0000000074B00000-0x00000000752B1000-memory.dmp (Filesize: 7.7MB)
  • memory/2088-253-0x0000000000400000-0x00000000008DF000-memory.dmp (Filesize: 4.9MB)
  • memory/2176-58-0x0000000000970000-0x0000000000980000-memory.dmp (Filesize: 64KB)
  • memory/2176-57-0x0000000000970000-0x0000000000980000-memory.dmp (Filesize: 64KB)
  • memory/2176-67-0x0000000005590000-0x00000000058E7000-memory.dmp (Filesize: 3.3MB)
  • memory/2176-68-0x0000000005FC0000-0x000000000600C000-memory.dmp (Filesize: 304KB)
  • memory/2176-69-0x0000000000970000-0x0000000000980000-memory.dmp (Filesize: 64KB)
  • memory/2176-71-0x0000000070FD0000-0x0000000071327000-memory.dmp (Filesize: 3.3MB)
  • memory/2176-80-0x0000000006CA0000-0x0000000006D44000-memory.dmp (Filesize: 656KB)
  • memory/2176-70-0x0000000070DE0000-0x0000000070E2C000-memory.dmp (Filesize: 304KB)
  • memory/2176-81-0x0000000006FC0000-0x0000000006FD1000-memory.dmp (Filesize: 68KB)
  • memory/2176-82-0x0000000007010000-0x0000000007025000-memory.dmp (Filesize: 84KB)
  • memory/2176-85-0x0000000074B00000-0x00000000752B1000-memory.dmp (Filesize: 7.7MB)
  • memory/2176-56-0x0000000074B00000-0x00000000752B1000-memory.dmp (Filesize: 7.7MB)
  • memory/3068-130-0x000000007FAD0000-0x000000007FAE0000-memory.dmp (Filesize: 64KB)
  • memory/3068-127-0x0000000005D00000-0x0000000006057000-memory.dmp (Filesize: 3.3MB)
  • memory/3068-131-0x0000000070DE0000-0x0000000070E2C000-memory.dmp (Filesize: 304KB)
  • memory/3068-129-0x0000000002850000-0x0000000002860000-memory.dmp (Filesize: 64KB)
  • memory/3068-125-0x0000000074B00000-0x00000000752B1000-memory.dmp (Filesize: 7.7MB)
  • memory/3068-126-0x0000000002850000-0x0000000002860000-memory.dmp (Filesize: 64KB)
  • memory/3536-38-0x0000000007E00000-0x0000000007EA4000-memory.dmp (Filesize: 656KB)
  • memory/3536-26-0x0000000007DC0000-0x0000000007DF4000-memory.dmp (Filesize: 208KB)
  • memory/3536-43-0x0000000007F80000-0x0000000007F91000-memory.dmp (Filesize: 68KB)
  • memory/3536-42-0x0000000008070000-0x0000000008106000-memory.dmp (Filesize: 600KB)
  • memory/3536-41-0x0000000007F60000-0x0000000007F6A000-memory.dmp (Filesize: 40KB)
  • memory/3536-39-0x0000000008560000-0x0000000008BDA000-memory.dmp (Filesize: 6.5MB)
  • memory/3536-40-0x0000000007F20000-0x0000000007F3A000-memory.dmp (Filesize: 104KB)
  • memory/3536-45-0x0000000007FE0000-0x0000000007FF5000-memory.dmp (Filesize: 84KB)
  • memory/3536-46-0x0000000008030000-0x000000000804A000-memory.dmp (Filesize: 104KB)
  • memory/3536-28-0x0000000070E50000-0x00000000711A7000-memory.dmp (Filesize: 3.3MB)
  • memory/3536-47-0x0000000008050000-0x0000000008058000-memory.dmp (Filesize: 32KB)
  • memory/3536-50-0x0000000074A60000-0x0000000075211000-memory.dmp (Filesize: 7.7MB)
  • memory/3536-4-0x0000000003430000-0x0000000003466000-memory.dmp (Filesize: 216KB)
  • memory/3536-5-0x0000000074A60000-0x0000000075211000-memory.dmp (Filesize: 7.7MB)
  • memory/3536-37-0x0000000007DA0000-0x0000000007DBE000-memory.dmp (Filesize: 120KB)
  • memory/3536-6-0x0000000005BF0000-0x000000000621A000-memory.dmp (Filesize: 6.2MB)
  • memory/3536-27-0x0000000070CD0000-0x0000000070D1C000-memory.dmp (Filesize: 304KB)
  • memory/3536-44-0x0000000007FD0000-0x0000000007FDE000-memory.dmp (Filesize: 56KB)
  • memory/3536-25-0x000000007F290000-0x000000007F2A0000-memory.dmp (Filesize: 64KB)
  • memory/3536-24-0x00000000055B0000-0x00000000055C0000-memory.dmp (Filesize: 64KB)
  • memory/3536-23-0x0000000006E90000-0x0000000006ED6000-memory.dmp (Filesize: 280KB)
  • memory/3536-22-0x0000000006950000-0x000000000699C000-memory.dmp (Filesize: 304KB)
  • memory/3536-21-0x0000000006920000-0x000000000693E000-memory.dmp (Filesize: 120KB)
  • memory/3536-20-0x00000000063F0000-0x0000000006747000-memory.dmp (Filesize: 3.3MB)
  • memory/3536-16-0x0000000006380000-0x00000000063E6000-memory.dmp (Filesize: 408KB)
  • memory/3536-7-0x00000000055B0000-0x00000000055C0000-memory.dmp (Filesize: 64KB)
  • memory/3536-10-0x0000000006220000-0x0000000006286000-memory.dmp (Filesize: 408KB)
  • memory/3536-9-0x0000000005B30000-0x0000000005B52000-memory.dmp (Filesize: 136KB)
  • memory/3536-8-0x00000000055B0000-0x00000000055C0000-memory.dmp (Filesize: 64KB)
  • memory/3964-52-0x0000000005370000-0x0000000005C5B000-memory.dmp (Filesize: 8.9MB)
  • memory/3964-51-0x0000000000400000-0x0000000003118000-memory.dmp (Filesize: 45.1MB)
  • memory/3964-1-0x0000000004F60000-0x0000000005362000-memory.dmp (Filesize: 4.0MB)
  • memory/3964-3-0x0000000000400000-0x0000000003118000-memory.dmp (Filesize: 45.1MB)
  • memory/3964-2-0x0000000005370000-0x0000000005C5B000-memory.dmp (Filesize: 8.9MB)
  • memory/4868-259-0x0000000000400000-0x00000000008DF000-memory.dmp (Filesize: 4.9MB)
  • memory/4868-255-0x0000000000400000-0x00000000008DF000-memory.dmp (Filesize: 4.9MB)