Analysis

  • max time kernel
    152s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/04/2024, 22:18

General

  • Target

    63ce7e2a7f6c57e6fe2e118f5778f61c6a5e9d49474b56a2b994524639c72e43.exe

  • Size

    4.2MB

  • MD5

    1765eea0ab2534803ef6c66bc577050e

  • SHA1

    125c83448ae731cae23bf610c10442c6f65142f2

  • SHA256

    63ce7e2a7f6c57e6fe2e118f5778f61c6a5e9d49474b56a2b994524639c72e43

  • SHA512

    f7d6c60c886d6b3683cfaec2bdf7fde5027dd9bb80de59266a758262eebbf8f102ecdd73448841813e446c79c780a3401e24196cbd332d5c66fa99fcd376ace1

  • SSDEEP

    98304:8U3hL1ts8dbSY9vNf0GiZt5Zc1goZjyjpOQ2UuV2d5K67AFdMy:NxL1dd9NNfxiZt5CKGmjpOQTQe7Dy

Score
10/10

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 9 IoCs
  • Detects Windows executables referencing non-Windows User-Agents 7 IoCs
  • Detects executables Discord URL observed in first stage droppers 7 IoCs
  • Detects executables containing URLs to raw contents of a Github gist 7 IoCs
  • Detects executables containing artifacts associated with disabling Widnows Defender 7 IoCs
  • Detects executables referencing many varying, potentially fake Windows User-Agents 7 IoCs
  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63ce7e2a7f6c57e6fe2e118f5778f61c6a5e9d49474b56a2b994524639c72e43.exe
    "C:\Users\Admin\AppData\Local\Temp\63ce7e2a7f6c57e6fe2e118f5778f61c6a5e9d49474b56a2b994524639c72e43.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3264
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2484
    • C:\Users\Admin\AppData\Local\Temp\63ce7e2a7f6c57e6fe2e118f5778f61c6a5e9d49474b56a2b994524639c72e43.exe
      "C:\Users\Admin\AppData\Local\Temp\63ce7e2a7f6c57e6fe2e118f5778f61c6a5e9d49474b56a2b994524639c72e43.exe"
      2⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:4144
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4168
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 780
      2⤵
      • Program crash
      PID:2924
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:2796
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3264 -ip 3264
      1⤵
      PID:1968

Network

MITRE ATT&CK Matrix

Downloads

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rix1fyki.lmi.ps1

              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            • memory/2484-45-0x00000000070C0000-0x00000000070F2000-memory.dmp

              Filesize

              200KB

            • memory/2484-67-0x00000000072C0000-0x00000000072DA000-memory.dmp

              Filesize

              104KB

            • memory/2484-44-0x000000007FC30000-0x000000007FC40000-memory.dmp

              Filesize

              64KB

            • memory/2484-71-0x00000000749F0000-0x00000000751A0000-memory.dmp

              Filesize

              7.7MB

            • memory/2484-68-0x00000000071E0000-0x00000000071E8000-memory.dmp

              Filesize

              32KB

            • memory/2484-66-0x00000000071B0000-0x00000000071C4000-memory.dmp

              Filesize

              80KB

            • memory/2484-9-0x00000000749F0000-0x00000000751A0000-memory.dmp

              Filesize

              7.7MB

            • memory/2484-65-0x0000000000690000-0x000000000069E000-memory.dmp

              Filesize

              56KB

            • memory/2484-12-0x0000000004560000-0x0000000004596000-memory.dmp

              Filesize

              216KB

            • memory/2484-13-0x00000000045A0000-0x00000000045B0000-memory.dmp

              Filesize

              64KB

            • memory/2484-14-0x0000000004BE0000-0x0000000005208000-memory.dmp

              Filesize

              6.2MB

            • memory/2484-16-0x00000000749F0000-0x00000000751A0000-memory.dmp

              Filesize

              7.7MB

            • memory/2484-18-0x00000000045A0000-0x00000000045B0000-memory.dmp

              Filesize

              64KB

            • memory/2484-19-0x0000000004B70000-0x0000000004B92000-memory.dmp

              Filesize

              136KB

            • memory/2484-20-0x0000000005380000-0x00000000053E6000-memory.dmp

              Filesize

              408KB

            • memory/2484-21-0x00000000054E0000-0x0000000005546000-memory.dmp

              Filesize

              408KB

            • memory/2484-64-0x00000000045A0000-0x00000000045B0000-memory.dmp

              Filesize

              64KB

            • memory/2484-27-0x0000000005590000-0x00000000058E4000-memory.dmp

              Filesize

              3.3MB

            • memory/2484-29-0x00000000045A0000-0x00000000045B0000-memory.dmp

              Filesize

              64KB

            • memory/2484-35-0x0000000005B50000-0x0000000005B6E000-memory.dmp

              Filesize

              120KB

            • memory/2484-36-0x0000000005C10000-0x0000000005C5C000-memory.dmp

              Filesize

              304KB

            • memory/2484-37-0x0000000006110000-0x0000000006154000-memory.dmp

              Filesize

              272KB

            • memory/2484-39-0x00000000045A0000-0x00000000045B0000-memory.dmp

              Filesize

              64KB

            • memory/2484-40-0x0000000006E50000-0x0000000006EC6000-memory.dmp

              Filesize

              472KB

            • memory/2484-41-0x0000000007550000-0x0000000007BCA000-memory.dmp

              Filesize

              6.5MB

            • memory/2484-42-0x0000000006EF0000-0x0000000006F0A000-memory.dmp

              Filesize

              104KB

            • memory/2484-61-0x0000000007290000-0x00000000072A1000-memory.dmp

              Filesize

              68KB

            • memory/2484-60-0x0000000007390000-0x0000000007426000-memory.dmp

              Filesize

              600KB

            • memory/2484-11-0x00000000045A0000-0x00000000045B0000-memory.dmp

              Filesize

              64KB

            • memory/2484-46-0x0000000070890000-0x00000000708DC000-memory.dmp

              Filesize

              304KB

            • memory/2484-47-0x0000000070FD0000-0x0000000071324000-memory.dmp

              Filesize

              3.3MB

            • memory/2484-57-0x00000000070A0000-0x00000000070BE000-memory.dmp

              Filesize

              120KB

            • memory/2484-58-0x0000000007100000-0x00000000071A3000-memory.dmp

              Filesize

              652KB

            • memory/2484-59-0x0000000007090000-0x000000000709A000-memory.dmp

              Filesize

              40KB

            • memory/3264-73-0x0000000000400000-0x0000000003009000-memory.dmp

              Filesize

              44.0MB

            • memory/3264-3-0x0000000000400000-0x0000000003009000-memory.dmp

              Filesize

              44.0MB

            • memory/3264-62-0x0000000000400000-0x0000000003009000-memory.dmp

              Filesize

              44.0MB

            • memory/3264-2-0x00000000051D0000-0x0000000005ABB000-memory.dmp

              Filesize

              8.9MB

            • memory/3264-1-0x0000000003430000-0x000000000382F000-memory.dmp

              Filesize

              4.0MB

            • memory/3264-7-0x00000000051D0000-0x0000000005ABB000-memory.dmp

              Filesize

              8.9MB

            • memory/3264-43-0x0000000000400000-0x0000000003009000-memory.dmp

              Filesize

              44.0MB

            • memory/3264-6-0x0000000003430000-0x000000000382F000-memory.dmp

              Filesize

              4.0MB

            • memory/3264-4-0x0000000000400000-0x0000000003009000-memory.dmp

              Filesize

              44.0MB

            • memory/3264-5-0x0000000000400000-0x0000000003009000-memory.dmp

              Filesize

              44.0MB

            • memory/4144-75-0x0000000003350000-0x000000000374D000-memory.dmp

              Filesize

              4.0MB

            • memory/4144-76-0x0000000000400000-0x0000000003009000-memory.dmp

              Filesize

              44.0MB

            • memory/4168-77-0x0000000074A90000-0x0000000075240000-memory.dmp

              Filesize

              7.7MB

            • memory/4168-79-0x0000000005130000-0x0000000005140000-memory.dmp

              Filesize

              64KB

            • memory/4168-78-0x0000000005130000-0x0000000005140000-memory.dmp

              Filesize

              64KB

            • memory/4168-85-0x0000000005DA0000-0x00000000060F4000-memory.dmp

              Filesize

              3.3MB

            • memory/4168-90-0x00000000068F0000-0x000000000693C000-memory.dmp

              Filesize

              304KB

            • memory/4168-91-0x0000000005130000-0x0000000005140000-memory.dmp

              Filesize

              64KB

            • memory/4168-92-0x0000000070990000-0x00000000709DC000-memory.dmp

              Filesize

              304KB

            • memory/4168-93-0x0000000071130000-0x0000000071484000-memory.dmp

              Filesize

              3.3MB

            • memory/4168-103-0x00000000075D0000-0x0000000007673000-memory.dmp

              Filesize

              652KB