Analysis
- max time kernel: 23s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/04/2024, 20:03
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe
  - Resource: win10v2004-20240226-en

General
- Target: 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe
- Size: 4.2MB
- MD5: 62dc86ed5cec63e5ccb959c407a4a591
- SHA1: 2070a84ba529d62ee28745bbc5c810bfbb9b721c
- SHA256: 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1
- SHA512: de79eeef9db2c8ffc50fc843a397f3bd48d61a52287ecc13ab32093a4405bf3c338cb87f4bf71f76c1e7e6e30dca6a4cc683657009558ff6b7ac11295884dc3c
- SSDEEP: 98304:RU4Iq03aI5N3yqqHwBEspKQ2DvCGo03KUue+TU:DIh7By/QBEsp+2hnfU
Malware Config
Signatures
- Glupteba payload (17 IoCs)
  resource | yara_rule
  behavioral1/memory/948-2-0x00000000052D0000-0x0000000005BBB000-memory.dmp | family_glupteba
  behavioral1/memory/948-3-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
  behavioral1/memory/948-4-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
  behavioral1/memory/948-29-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
  behavioral1/memory/948-49-0x00000000052D0000-0x0000000005BBB000-memory.dmp | family_glupteba
  behavioral1/memory/948-57-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
  behavioral1/memory/1520-60-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
  behavioral1/memory/1520-93-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
  behavioral1/memory/1520-155-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
  behavioral1/memory/3944-221-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
  behavioral1/memory/3944-257-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
  behavioral1/memory/3944-267-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
  behavioral1/memory/3944-270-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
  behavioral1/memory/3944-273-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
  behavioral1/memory/3944-276-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
  behavioral1/memory/3944-279-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
  behavioral1/memory/3944-282-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid | Process
  3896 | netsh.exe
- yara_rule: upx
  resource | yara_rule
  behavioral1/files/0x00030000000219e9-260.dat | upx
  behavioral1/memory/4484-265-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
  behavioral1/memory/3924-268-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
  behavioral1/memory/3924-274-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
- Launches sc.exe (1 IoC)
  Sc.exe is a Windows utility to control services on the system.
  pid | Process
  2512 | sc.exe
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1444 | schtasks.exe
  448 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4324 | powershell.exe
  4324 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 4324 | powershell.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 948 wrote to memory of 4324 | 948 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe | 92
  PID 948 wrote to memory of 4324 | 948 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe | 92
  PID 948 wrote to memory of 4324 | 948 | 71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe | 92
Processes
- C:\Users\Admin\AppData\Local\Temp\71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 948
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -nologo -noprofile
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    PID: 4324
  - C:\Users\Admin\AppData\Local\Temp\71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\71f340c235577a1f93b73d1dc4d2dde146c843510db05ae6c098380ab53bc6b1.exe"
    PID: 1520
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -nologo -noprofile
      PID: 3156
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      PID: 1392
      - C:\Windows\system32\netsh.exe
        Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        Signatures: Modifies Windows Firewall
        PID: 3896
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -nologo -noprofile
      PID: 1428
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -nologo -noprofile
      PID: 1076
    - C:\Windows\rss\csrss.exe
      Command line: C:\Windows\rss\csrss.exe
      PID: 3944
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        PID: 4484
      - C:\Windows\SYSTEM32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        Signatures: Creates scheduled task(s)
        PID: 1444
      - C:\Windows\SYSTEM32\schtasks.exe
        Command line: schtasks /delete /tn ScheduledUpdate /f
        PID: 2348
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        PID: 4656
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        PID: 508
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        PID: 452
      - C:\Windows\SYSTEM32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        Signatures: Creates scheduled task(s)
        PID: 448
      - C:\Windows\windefender.exe
        Command line: "C:\Windows\windefender.exe"
        PID: 4484
        - C:\Windows\SysWOW64\cmd.exe
          Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
          PID: 4860
          - C:\Windows\SysWOW64\sc.exe
            Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            Signatures: Launches sc.exe
            PID: 2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
  PID: 5044
- C:\Windows\windefender.exe
  Command line: C:\Windows\windefender.exe
  PID: 3924
Network
MITRE ATT&CK Enterprise v15
Downloads