Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
19-04-2024 00:26
General
-
Target
88b1d7531704948104ee0ea36d4443d02d36d96e8a4434c93081de0f123a58ab.exe
-
Size
4.2MB
-
MD5
02cdd996089a264535ac9ec1d498991c
-
SHA1
7ba58a989c639fe86d591965f11b104c8ef2d388
-
SHA256
88b1d7531704948104ee0ea36d4443d02d36d96e8a4434c93081de0f123a58ab
-
SHA512
c87954ee12270726e658975b18e64e50886c0e253f30a9bf3ce7aa7aa2e4068cb57429f4021e32110297449511e7619e40fa2684eeec11d51d4b50fe1c5d27fe
-
SSDEEP
98304:ObvDuo/zvoC5HERRwr8YNEXJ0TS4JBXxT3BRfe7gLCxccCwfp3PGPzDBAeGjYAn:OnBoCproYNEXJ0O+Xpe7jrRPGnBARjfn
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 12 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 6 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 2 IoCs
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\88b1d7531704948104ee0ea36d4443d02d36d96e8a4434c93081de0f123a58ab.exe"C:\Users\Admin\AppData\Local\Temp\88b1d7531704948104ee0ea36d4443d02d36d96e8a4434c93081de0f123a58ab.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\88b1d7531704948104ee0ea36d4443d02d36d96e8a4434c93081de0f123a58ab.exe"C:\Users\Admin\AppData\Local\Temp\88b1d7531704948104ee0ea36d4443d02d36d96e8a4434c93081de0f123a58ab.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 8803⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 9122⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1184 -ip 11841⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1400 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3952 -ip 39521⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xkbbjrpl.mjr.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD58fb53816d844c0193ed9d1bab15a1dd3
SHA1b04ccb3bc44ccdeac0cd4d3e8d80f77ace463a02
SHA256f2af6d2cd95feb9f9eac56fab0d06c7c00e1c5d2a9894cfbc807056dcd250606
SHA512b6ce88c053e74de6367959c16bb57ddb7a3f389c2a25f33c4295824ccdea02c32b84d26cde2eaa100d8e8141b3199c9d063eaba8f72c1a885ba60d8b88cee31d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5d2725c8b235ff671e9f50549a06c2401
SHA10bc7199bf20bc946f907599a31a4ed97a41498f1
SHA256e4e8c6ccdc1e6aa668a0a865d0d6598c4289a4ecb4eb6ac20edcae6cf4af414c
SHA512a591f9251c337fcb086f413b01ce58f4806e630a88867123483ba13ed101e4e2a20d8a77f26f475372f4daf65cc9c829d48cd2bdb6c25f14765989c523491fbe
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5e8239a9a98193cd648f33dc679d8302a
SHA1c7f937fab1b602408bd3252ecbb6a52f11d75acc
SHA2563606aec4bd0d523836a34791d7f7f3a3c7f3a2da52edefbc67d352861f6e824e
SHA5123c6f784de5608233032c54a6c68eec752dd18822cafdc438f52009dda4ef48022331017186f321354313f7216b615a7586625ea666a88ef1feb2173870a54744
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5af42cb4fc1b34e352d3eb349fe0241e6
SHA17a580125f6eaf1c8ea52773ae36d27be90585ca3
SHA25681593a2ad0e42e9d39cd3ff9000ddabe3cfa3de9af3bb80470f5e8e8dbd70daf
SHA512e995dabe7d8412fab0bb0a113429d852ae9a128cce8910649e67541ec3035a2785c0cf877a532af13be4fe20df7754a15edf162a3b3c12081c8dc868e7fc2cdb
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5faa3c280836f207d8b2c64b670c370fd
SHA1d764618b11ab3d731ff4a92d93124ef08e8ab7d9
SHA256a5ef6df362b7ffc559a39606bf0152dbd5adcbf769f3af699d2843e69e9e9aa2
SHA5129dcd5c2f9916b543951ab8bde12cf4a4c881b180d904e7236416420204aa6385279f614c96f457322b56342f34053517ad2c315fc17d6ece59e5b39d9c720461
-
C:\Windows\rss\csrss.exeFilesize
4.2MB
MD502cdd996089a264535ac9ec1d498991c
SHA17ba58a989c639fe86d591965f11b104c8ef2d388
SHA25688b1d7531704948104ee0ea36d4443d02d36d96e8a4434c93081de0f123a58ab
SHA512c87954ee12270726e658975b18e64e50886c0e253f30a9bf3ce7aa7aa2e4068cb57429f4021e32110297449511e7619e40fa2684eeec11d51d4b50fe1c5d27fe
-
memory/648-137-0x0000000005610000-0x0000000005964000-memory.dmpFilesize
3.3MB
-
memory/648-145-0x0000000004880000-0x0000000004890000-memory.dmpFilesize
64KB
-
memory/648-144-0x00000000741E0000-0x0000000074990000-memory.dmpFilesize
7.7MB
-
memory/1184-13-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/1184-1-0x00000000034D0000-0x00000000038D4000-memory.dmpFilesize
4.0MB
-
memory/1184-4-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/1184-27-0x00000000034D0000-0x00000000038D4000-memory.dmpFilesize
4.0MB
-
memory/1184-3-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/1184-2-0x0000000005180000-0x0000000005A6B000-memory.dmpFilesize
8.9MB
-
memory/1184-30-0x0000000005180000-0x0000000005A6B000-memory.dmpFilesize
8.9MB
-
memory/1184-66-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/2876-61-0x0000000005680000-0x0000000005690000-memory.dmpFilesize
64KB
-
memory/2876-31-0x0000000006F30000-0x0000000006F74000-memory.dmpFilesize
272KB
-
memory/2876-35-0x00000000083E0000-0x0000000008A5A000-memory.dmpFilesize
6.5MB
-
memory/2876-36-0x0000000007DA0000-0x0000000007DBA000-memory.dmpFilesize
104KB
-
memory/2876-37-0x0000000074140000-0x00000000748F0000-memory.dmpFilesize
7.7MB
-
memory/2876-39-0x0000000007F70000-0x0000000007FA2000-memory.dmpFilesize
200KB
-
memory/2876-38-0x000000007FCC0000-0x000000007FCD0000-memory.dmpFilesize
64KB
-
memory/2876-40-0x000000006FFE0000-0x000000007002C000-memory.dmpFilesize
304KB
-
memory/2876-41-0x0000000070160000-0x00000000704B4000-memory.dmpFilesize
3.3MB
-
memory/2876-51-0x0000000007F50000-0x0000000007F6E000-memory.dmpFilesize
120KB
-
memory/2876-52-0x0000000007FB0000-0x0000000008053000-memory.dmpFilesize
652KB
-
memory/2876-53-0x0000000008090000-0x000000000809A000-memory.dmpFilesize
40KB
-
memory/2876-54-0x0000000008150000-0x00000000081E6000-memory.dmpFilesize
600KB
-
memory/2876-55-0x00000000080B0000-0x00000000080C1000-memory.dmpFilesize
68KB
-
memory/2876-56-0x0000000005680000-0x0000000005690000-memory.dmpFilesize
64KB
-
memory/2876-57-0x00000000080F0000-0x00000000080FE000-memory.dmpFilesize
56KB
-
memory/2876-58-0x0000000008100000-0x0000000008114000-memory.dmpFilesize
80KB
-
memory/2876-59-0x00000000081F0000-0x000000000820A000-memory.dmpFilesize
104KB
-
memory/2876-60-0x0000000008140000-0x0000000008148000-memory.dmpFilesize
32KB
-
memory/2876-33-0x0000000007CD0000-0x0000000007D46000-memory.dmpFilesize
472KB
-
memory/2876-64-0x0000000074140000-0x00000000748F0000-memory.dmpFilesize
7.7MB
-
memory/2876-28-0x0000000006930000-0x000000000694E000-memory.dmpFilesize
120KB
-
memory/2876-34-0x0000000005680000-0x0000000005690000-memory.dmpFilesize
64KB
-
memory/2876-26-0x0000000006330000-0x0000000006684000-memory.dmpFilesize
3.3MB
-
memory/2876-8-0x0000000074140000-0x00000000748F0000-memory.dmpFilesize
7.7MB
-
memory/2876-9-0x0000000005680000-0x0000000005690000-memory.dmpFilesize
64KB
-
memory/2876-29-0x0000000006A30000-0x0000000006A7C000-memory.dmpFilesize
304KB
-
memory/2876-10-0x0000000003330000-0x0000000003366000-memory.dmpFilesize
216KB
-
memory/2876-16-0x0000000005AD0000-0x0000000005B36000-memory.dmpFilesize
408KB
-
memory/2876-11-0x0000000005680000-0x0000000005690000-memory.dmpFilesize
64KB
-
memory/2876-15-0x0000000005A60000-0x0000000005AC6000-memory.dmpFilesize
408KB
-
memory/2876-12-0x0000000005CC0000-0x00000000062E8000-memory.dmpFilesize
6.2MB
-
memory/2876-14-0x0000000005940000-0x0000000005962000-memory.dmpFilesize
136KB
-
memory/3952-164-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/3952-102-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/3952-143-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/3952-69-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/3952-68-0x00000000032F0000-0x00000000036F0000-memory.dmpFilesize
4.0MB
-
memory/3952-113-0x00000000032F0000-0x00000000036F0000-memory.dmpFilesize
4.0MB
-
memory/4008-196-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/4008-235-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/4188-119-0x000000007FDF0000-0x000000007FE00000-memory.dmpFilesize
64KB
-
memory/4188-110-0x0000000002C90000-0x0000000002CA0000-memory.dmpFilesize
64KB
-
memory/4188-112-0x0000000005BD0000-0x0000000005F24000-memory.dmpFilesize
3.3MB
-
memory/4188-118-0x00000000700E0000-0x000000007012C000-memory.dmpFilesize
304KB
-
memory/4188-120-0x0000000070290000-0x00000000705E4000-memory.dmpFilesize
3.3MB
-
memory/4188-131-0x00000000741E0000-0x0000000074990000-memory.dmpFilesize
7.7MB
-
memory/4188-111-0x0000000002C90000-0x0000000002CA0000-memory.dmpFilesize
64KB
-
memory/4188-103-0x00000000741E0000-0x0000000074990000-memory.dmpFilesize
7.7MB
-
memory/4268-100-0x00000000741E0000-0x0000000074990000-memory.dmpFilesize
7.7MB
-
memory/4268-97-0x0000000007240000-0x0000000007254000-memory.dmpFilesize
80KB
-
memory/4268-96-0x00000000071D0000-0x00000000071E1000-memory.dmpFilesize
68KB
-
memory/4268-95-0x0000000006EE0000-0x0000000006F83000-memory.dmpFilesize
652KB
-
memory/4268-85-0x00000000708A0000-0x0000000070BF4000-memory.dmpFilesize
3.3MB
-
memory/4268-84-0x00000000700E0000-0x000000007012C000-memory.dmpFilesize
304KB
-
memory/4268-83-0x0000000002830000-0x0000000002840000-memory.dmpFilesize
64KB
-
memory/4268-82-0x0000000005FF0000-0x000000000603C000-memory.dmpFilesize
304KB
-
memory/4268-73-0x0000000005660000-0x00000000059B4000-memory.dmpFilesize
3.3MB
-
memory/4268-71-0x0000000002830000-0x0000000002840000-memory.dmpFilesize
64KB
-
memory/4268-70-0x00000000741E0000-0x0000000074990000-memory.dmpFilesize
7.7MB