Analysis
-
max time kernel
69s -
max time network
303s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
18-04-2024 22:38
General
-
Target
535660abe2d68460b6c85ea61b1664c849746b4b9705b9d6bbe8988fac217315.exe
-
Size
4.2MB
-
MD5
03a21809d83e0e195231b0c3ca9e437e
-
SHA1
ee0eba108107044e7f5d55dba7e2ed8eed1975a0
-
SHA256
535660abe2d68460b6c85ea61b1664c849746b4b9705b9d6bbe8988fac217315
-
SHA512
95cde5aa17abd96b07099e8a07e3c7e535d99e7933f1f4cf284c8275c0e1ee9a454ceceb29e7000217961cde48a22aab6a11a882406e19c97d328d934a179439
-
SSDEEP
98304:WtjN4XUN5lD056p7XAm0hR9X9T5AEVb4a7iAHgos518N4:7RATQPX9T5A6hiAH2518q
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 37 IoCs
-
Windows security bypass 2 TTPs 7 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 4 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\535660abe2d68460b6c85ea61b1664c849746b4b9705b9d6bbe8988fac217315.exe"C:\Users\Admin\AppData\Local\Temp\535660abe2d68460b6c85ea61b1664c849746b4b9705b9d6bbe8988fac217315.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\535660abe2d68460b6c85ea61b1664c849746b4b9705b9d6bbe8988fac217315.exe"C:\Users\Admin\AppData\Local\Temp\535660abe2d68460b6c85ea61b1664c849746b4b9705b9d6bbe8988fac217315.exe"2⤵
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rsph0qav.zfo.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5db01a2c1c7e70b2b038edf8ad5ad9826
SHA1540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD52f045d31b223040af49099172a21490b
SHA1d8864910005287dbc027d44280c44f79adbea417
SHA256413b313af2f9d578965b5ba1b5032243850a71abc9cfd31da84069e8dc01bffc
SHA5126f40cb62786b8c98c57df14970bb8ec089cc9ec693224339e521eb7d439a0b6daeae1949982b53d9a8e1b5bd4ba410763931a90d46ee02e60d61ab56000446e4
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD5778ef93d765f867611b7e0e33cf4bc77
SHA12e0bef35d43077dda8f3313f4c540fc9e2c06cbd
SHA256836ed32ab71d80fed049238752413b356d6f53c266ccd41fa97b2eb20dfef402
SHA512ed1d5d80c45f1adb0336fd23819a1aa94d56cb5b238d64a5efa2811dd6f5632c0db7d7508bebb31be9eb809e5203fd52e28929221e0329d3d681924bcf5904a6
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD58eaeaf43f83790ef5b25b4cc3f817908
SHA12ff15b28db0dfc0790f7a3e53172a6c0b80baf41
SHA25608c0a50bd7d8d8cc5eecb1ef2bdbb88da2f95aec809286db9580ac1cdbd66b04
SHA5123c8a4270bb8222576ae07fc182f6edce0f43a232002a6643651a3e85f853737663e7293b072d38e75905ab8e0b77c572f64e77cfa61e1bc7e20769ca24bb201b
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD513b8360cb49df006d39ed39e0cff70af
SHA1bdd5fc64dddd9768001b5de240c535f1f6ad9dce
SHA2561e2648cf88c10c2035b438a5a8d127875ae0b13923602b92880594297bb8535f
SHA5128532d6eac0870e7419d3677c023895c6420a3898bda8905e93c2b53053680403646c596cfb335b655d1d9d323a303d003b46387e36fd5a8fda2237f51ed2795f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD5078be4f563e97e375033b51953fa1417
SHA1a13b9474842acb1747c2350375fd0754cef94648
SHA2563dbe078a3478b2a79caa28203e747693dac167b4128a4fb261bde9ea63500b22
SHA512bed7f9b6888d9e2b4a0cb3abb5abacf7803204d21483c8add9113602ba2d1e4acd3e4342505d6d0963f1a0bb3fcd4afa9d980a32dbef6082f16d635ae57a7609
-
C:\Windows\rss\csrss.exeFilesize
4.2MB
MD503a21809d83e0e195231b0c3ca9e437e
SHA1ee0eba108107044e7f5d55dba7e2ed8eed1975a0
SHA256535660abe2d68460b6c85ea61b1664c849746b4b9705b9d6bbe8988fac217315
SHA51295cde5aa17abd96b07099e8a07e3c7e535d99e7933f1f4cf284c8275c0e1ee9a454ceceb29e7000217961cde48a22aab6a11a882406e19c97d328d934a179439
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/232-282-0x000000000A8B0000-0x000000000A8B8000-memory.dmpFilesize
32KB
-
memory/232-12-0x00000000082B0000-0x0000000008316000-memory.dmpFilesize
408KB
-
memory/232-15-0x0000000008770000-0x000000000878C000-memory.dmpFilesize
112KB
-
memory/232-16-0x00000000087C0000-0x000000000880B000-memory.dmpFilesize
300KB
-
memory/232-13-0x0000000008320000-0x0000000008386000-memory.dmpFilesize
408KB
-
memory/232-35-0x0000000008CC0000-0x0000000008CFC000-memory.dmpFilesize
240KB
-
memory/232-66-0x00000000098D0000-0x0000000009946000-memory.dmpFilesize
472KB
-
memory/232-76-0x00000000707B0000-0x0000000070B00000-memory.dmpFilesize
3.3MB
-
memory/232-77-0x000000000A6F0000-0x000000000A70E000-memory.dmpFilesize
120KB
-
memory/232-82-0x000000000A750000-0x000000000A7F5000-memory.dmpFilesize
660KB
-
memory/232-75-0x0000000070760000-0x00000000707AB000-memory.dmpFilesize
300KB
-
memory/232-74-0x000000007F370000-0x000000007F380000-memory.dmpFilesize
64KB
-
memory/232-73-0x000000000A710000-0x000000000A743000-memory.dmpFilesize
204KB
-
memory/232-83-0x00000000074D0000-0x00000000074E0000-memory.dmpFilesize
64KB
-
memory/232-84-0x000000000A970000-0x000000000AA04000-memory.dmpFilesize
592KB
-
memory/232-277-0x000000000A8D0000-0x000000000A8EA000-memory.dmpFilesize
104KB
-
memory/232-7-0x0000000073A50000-0x000000007413E000-memory.dmpFilesize
6.9MB
-
memory/232-6-0x0000000004F60000-0x0000000004F96000-memory.dmpFilesize
216KB
-
memory/232-8-0x00000000074D0000-0x00000000074E0000-memory.dmpFilesize
64KB
-
memory/232-302-0x0000000073A50000-0x000000007413E000-memory.dmpFilesize
6.9MB
-
memory/232-9-0x00000000074D0000-0x00000000074E0000-memory.dmpFilesize
64KB
-
memory/232-10-0x0000000007B10000-0x0000000008138000-memory.dmpFilesize
6.2MB
-
memory/232-14-0x0000000008390000-0x00000000086E0000-memory.dmpFilesize
3.3MB
-
memory/232-11-0x00000000079E0000-0x0000000007A02000-memory.dmpFilesize
136KB
-
memory/2284-1834-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/2284-1086-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/2284-1826-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/2284-1824-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/2284-1822-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/2284-1820-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/2284-1818-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/2284-1815-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/2284-1830-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/2284-1832-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/2284-1803-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/2284-1858-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/2284-1856-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/2284-1854-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/2284-1060-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/2284-1058-0x0000000005500000-0x0000000005DEB000-memory.dmpFilesize
8.9MB
-
memory/2284-1852-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/2284-1828-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/2284-1836-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/2284-1838-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/2284-1840-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/2284-1842-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/2284-1057-0x0000000005100000-0x00000000054F9000-memory.dmpFilesize
4.0MB
-
memory/2284-1848-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/2284-1850-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/2284-1846-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/2284-1844-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/2748-311-0x0000000007030000-0x0000000007040000-memory.dmpFilesize
64KB
-
memory/2748-340-0x00000000098E0000-0x0000000009985000-memory.dmpFilesize
660KB
-
memory/2748-312-0x0000000007030000-0x0000000007040000-memory.dmpFilesize
64KB
-
memory/2748-341-0x000000007F400000-0x000000007F410000-memory.dmpFilesize
64KB
-
memory/2748-342-0x0000000007030000-0x0000000007040000-memory.dmpFilesize
64KB
-
memory/2748-335-0x00000000708D0000-0x0000000070C20000-memory.dmpFilesize
3.3MB
-
memory/2748-313-0x0000000007E80000-0x00000000081D0000-memory.dmpFilesize
3.3MB
-
memory/2748-314-0x00000000087F0000-0x000000000883B000-memory.dmpFilesize
300KB
-
memory/2748-334-0x0000000070880000-0x00000000708CB000-memory.dmpFilesize
300KB
-
memory/2748-556-0x0000000073B50000-0x000000007423E000-memory.dmpFilesize
6.9MB
-
memory/2748-310-0x0000000073B50000-0x000000007423E000-memory.dmpFilesize
6.9MB
-
memory/4156-583-0x0000000070880000-0x00000000708CB000-memory.dmpFilesize
300KB
-
memory/4156-560-0x0000000073B50000-0x000000007423E000-memory.dmpFilesize
6.9MB
-
memory/4156-562-0x0000000005310000-0x0000000005320000-memory.dmpFilesize
64KB
-
memory/4156-561-0x0000000005310000-0x0000000005320000-memory.dmpFilesize
64KB
-
memory/4156-803-0x0000000073B50000-0x000000007423E000-memory.dmpFilesize
6.9MB
-
memory/4156-584-0x00000000708D0000-0x0000000070C20000-memory.dmpFilesize
3.3MB
-
memory/4156-590-0x0000000005310000-0x0000000005320000-memory.dmpFilesize
64KB
-
memory/4376-1825-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4436-1062-0x0000000073AB0000-0x000000007419E000-memory.dmpFilesize
6.9MB
-
memory/4556-309-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/4556-333-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/4556-1054-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/4556-306-0x0000000004CB0000-0x00000000050AB000-memory.dmpFilesize
4.0MB
-
memory/4556-582-0x0000000004CB0000-0x00000000050AB000-memory.dmpFilesize
4.0MB
-
memory/4556-829-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/4556-589-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/4756-1816-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4928-1050-0x0000000073B50000-0x000000007423E000-memory.dmpFilesize
6.9MB
-
memory/4928-830-0x0000000070880000-0x00000000708CB000-memory.dmpFilesize
300KB
-
memory/4928-807-0x00000000054B0000-0x00000000054C0000-memory.dmpFilesize
64KB
-
memory/4928-806-0x0000000073B50000-0x000000007423E000-memory.dmpFilesize
6.9MB
-
memory/4928-837-0x00000000054B0000-0x00000000054C0000-memory.dmpFilesize
64KB
-
memory/4928-836-0x000000007E270000-0x000000007E280000-memory.dmpFilesize
64KB
-
memory/4928-831-0x00000000708F0000-0x0000000070C40000-memory.dmpFilesize
3.3MB
-
memory/4928-808-0x00000000054B0000-0x00000000054C0000-memory.dmpFilesize
64KB
-
memory/4928-809-0x0000000008310000-0x0000000008660000-memory.dmpFilesize
3.3MB
-
memory/5028-2-0x0000000005240000-0x0000000005B2B000-memory.dmpFilesize
8.9MB
-
memory/5028-300-0x0000000004E30000-0x0000000005238000-memory.dmpFilesize
4.0MB
-
memory/5028-303-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/5028-305-0x0000000005240000-0x0000000005B2B000-memory.dmpFilesize
8.9MB
-
memory/5028-3-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/5028-299-0x0000000000400000-0x0000000003017000-memory.dmpFilesize
44.1MB
-
memory/5028-1-0x0000000004E30000-0x0000000005238000-memory.dmpFilesize
4.0MB