Analysis
-
max time kernel
166s -
max time network
171s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
19-04-2024 04:25
General
-
Target
a900ca74985c0edd0495bf8159d96da33507c6acaca6db0c029c3292371ee278.exe
-
Size
4.2MB
-
MD5
b0b2914d25fa63f47afacdcda1381a84
-
SHA1
3c06980785c35705abd3ef7ca3eae643338ef0d3
-
SHA256
a900ca74985c0edd0495bf8159d96da33507c6acaca6db0c029c3292371ee278
-
SHA512
408a01afea7db4142d7d7215a45027cbc8c9387bd62cc9e34a553bce601ea0ed4de360124fc07b2e65dacd0d5309b895076831133f91d94d823f96210bf27dc2
-
SSDEEP
98304:MRUBmLZ3rmtSop/fcfKtwQG3TQtt4oKMJO6VS6U7CKzh7U:UxKEC/fcfKt9ykOWRUGoh7U
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 19 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a900ca74985c0edd0495bf8159d96da33507c6acaca6db0c029c3292371ee278.exe"C:\Users\Admin\AppData\Local\Temp\a900ca74985c0edd0495bf8159d96da33507c6acaca6db0c029c3292371ee278.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\a900ca74985c0edd0495bf8159d96da33507c6acaca6db0c029c3292371ee278.exe"C:\Users\Admin\AppData\Local\Temp\a900ca74985c0edd0495bf8159d96da33507c6acaca6db0c029c3292371ee278.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 8603⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 8042⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2272 -ip 22721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2956 -ip 29561⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yo24uo1x.wit.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD50609a8cf3a393713122b2a385cdded8e
SHA13a3275d59ab29402658352446129c7d3af52f9df
SHA256002d0afb07ae16ee20015668036436708bcf23d249d074cae1fdcf35c675130c
SHA51236fdd1008b13a2e912540e3d882b37e1e0b3e19dd1523cee0d41750273a326f77c4f5b850c577253404208439019044576a939096f9567b88e26cefd490ec389
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD567bdea711a5a54be67699fc297476774
SHA15eee98ac957761922b5631d8720138c0f0c37f52
SHA256d75574cafd6c87d461b7b2dbd5e789295255009350eb728c9c709d9704fe461c
SHA512ea5cc23c5c6e1cd0865f80ff2cec9db2658e61369ab88c7f93ea3aebefd3726d4c672d832a7a68d636e3e90c7d5e6a32bc2eb1f98ea68da59638c1b9ca841f51
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD54a0e731ea7f302e7e1dc274feb3165e9
SHA1b7ac33647506ea4e4a697c20f4ed7380708ac79a
SHA256d05179e5c0863acda0b3ee2a1855c173a4a4ef2e0aeaad8a60c9987679e1c05a
SHA5124c373817d1acdb285fec8037201bccf81bcdcd345028f88ae5e009cf08982d635aed885d738f515ee0f11565f22a0fce3a0e5ba0c5b3919bb9768906b9284a7b
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD527d3c105fce6a98f334e6d70d2cf124a
SHA13e94c080d84f4c751c5bc33c2048ea869000a7bd
SHA256126a444c967c37642a712768b189bfd1bac80864b0836db833918b96f1ce28b0
SHA512eaf1603896f084d7f6f43409d868370c99a898097d2dd33da2f2115edfea6fbd75fdd0a02308ea6e26543ba7f2c8dbe8872c3fa1b98165976a0c993d915b9de3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD511c1241e2a799a9ab6d32865f51bb8f3
SHA1f729c3817424768fe691a448ca1399102bae30b0
SHA2562ae86b5987750edc47fcd7957ba206c05f9c04d170798847cd3c28e82d975d17
SHA512bc49514117003cbcb06cb4fd597c70565f028ae2bfd0de819db9fae65d844e22ae953193507bcd7b0a0043bd9cc4e6f08f6bab2a7d477d3557ef216d7c999cf6
-
C:\Windows\rss\csrss.exeFilesize
4.2MB
MD5b0b2914d25fa63f47afacdcda1381a84
SHA13c06980785c35705abd3ef7ca3eae643338ef0d3
SHA256a900ca74985c0edd0495bf8159d96da33507c6acaca6db0c029c3292371ee278
SHA512408a01afea7db4142d7d7215a45027cbc8c9387bd62cc9e34a553bce601ea0ed4de360124fc07b2e65dacd0d5309b895076831133f91d94d823f96210bf27dc2
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/1880-37-0x00000000708E0000-0x000000007092C000-memory.dmpFilesize
304KB
-
memory/1880-50-0x000000007F420000-0x000000007F430000-memory.dmpFilesize
64KB
-
memory/1880-13-0x0000000004F70000-0x0000000005598000-memory.dmpFilesize
6.2MB
-
memory/1880-14-0x0000000004B00000-0x0000000004B22000-memory.dmpFilesize
136KB
-
memory/1880-15-0x0000000004CA0000-0x0000000004D06000-memory.dmpFilesize
408KB
-
memory/1880-16-0x00000000055A0000-0x0000000005606000-memory.dmpFilesize
408KB
-
memory/1880-11-0x0000000002720000-0x0000000002730000-memory.dmpFilesize
64KB
-
memory/1880-22-0x0000000005610000-0x0000000005964000-memory.dmpFilesize
3.3MB
-
memory/1880-28-0x0000000005A90000-0x0000000005AAE000-memory.dmpFilesize
120KB
-
memory/1880-29-0x0000000006260000-0x00000000062AC000-memory.dmpFilesize
304KB
-
memory/1880-30-0x0000000006130000-0x0000000006174000-memory.dmpFilesize
272KB
-
memory/1880-31-0x0000000002720000-0x0000000002730000-memory.dmpFilesize
64KB
-
memory/1880-32-0x0000000006F20000-0x0000000006F96000-memory.dmpFilesize
472KB
-
memory/1880-33-0x0000000007680000-0x0000000007CFA000-memory.dmpFilesize
6.5MB
-
memory/1880-34-0x0000000007030000-0x000000000704A000-memory.dmpFilesize
104KB
-
memory/1880-36-0x0000000007200000-0x0000000007232000-memory.dmpFilesize
200KB
-
memory/1880-10-0x0000000074A40000-0x00000000751F0000-memory.dmpFilesize
7.7MB
-
memory/1880-38-0x0000000071060000-0x00000000713B4000-memory.dmpFilesize
3.3MB
-
memory/1880-48-0x00000000071E0000-0x00000000071FE000-memory.dmpFilesize
120KB
-
memory/1880-9-0x0000000002600000-0x0000000002636000-memory.dmpFilesize
216KB
-
memory/1880-49-0x0000000007240000-0x00000000072E3000-memory.dmpFilesize
652KB
-
memory/1880-12-0x0000000002720000-0x0000000002730000-memory.dmpFilesize
64KB
-
memory/1880-51-0x0000000007320000-0x000000000732A000-memory.dmpFilesize
40KB
-
memory/1880-52-0x0000000007450000-0x00000000074E6000-memory.dmpFilesize
600KB
-
memory/1880-53-0x0000000007350000-0x0000000007361000-memory.dmpFilesize
68KB
-
memory/1880-54-0x0000000074A40000-0x00000000751F0000-memory.dmpFilesize
7.7MB
-
memory/1880-57-0x0000000002720000-0x0000000002730000-memory.dmpFilesize
64KB
-
memory/1880-58-0x00000000073B0000-0x00000000073BE000-memory.dmpFilesize
56KB
-
memory/1880-59-0x00000000073C0000-0x00000000073D4000-memory.dmpFilesize
80KB
-
memory/1880-60-0x0000000007400000-0x000000000741A000-memory.dmpFilesize
104KB
-
memory/1880-61-0x00000000073F0000-0x00000000073F8000-memory.dmpFilesize
32KB
-
memory/1880-64-0x0000000074A40000-0x00000000751F0000-memory.dmpFilesize
7.7MB
-
memory/2272-1-0x0000000004EB0000-0x00000000052AC000-memory.dmpFilesize
4.0MB
-
memory/2272-66-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/2272-35-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/2272-8-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/2272-7-0x00000000052B0000-0x0000000005B9B000-memory.dmpFilesize
8.9MB
-
memory/2272-6-0x0000000004EB0000-0x00000000052AC000-memory.dmpFilesize
4.0MB
-
memory/2272-5-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/2272-4-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/2272-3-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/2272-2-0x00000000052B0000-0x0000000005B9B000-memory.dmpFilesize
8.9MB
-
memory/2472-281-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2956-68-0x00000000051A0000-0x0000000005A8B000-memory.dmpFilesize
8.9MB
-
memory/2956-108-0x0000000004D90000-0x0000000005197000-memory.dmpFilesize
4.0MB
-
memory/2956-85-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/2956-67-0x0000000004D90000-0x0000000005197000-memory.dmpFilesize
4.0MB
-
memory/2956-69-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/2956-170-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/2956-161-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/2956-120-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/3696-283-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/3944-135-0x0000000074B20000-0x00000000752D0000-memory.dmpFilesize
7.7MB
-
memory/4396-123-0x0000000070B60000-0x0000000070EB4000-memory.dmpFilesize
3.3MB
-
memory/4396-107-0x0000000002B30000-0x0000000002B40000-memory.dmpFilesize
64KB
-
memory/4396-118-0x00000000061E0000-0x0000000006534000-memory.dmpFilesize
3.3MB
-
memory/4396-106-0x0000000002B30000-0x0000000002B40000-memory.dmpFilesize
64KB
-
memory/4396-121-0x0000000002B30000-0x0000000002B40000-memory.dmpFilesize
64KB
-
memory/4396-122-0x00000000709E0000-0x0000000070A2C000-memory.dmpFilesize
304KB
-
memory/4396-134-0x0000000074B20000-0x00000000752D0000-memory.dmpFilesize
7.7MB
-
memory/4396-105-0x0000000074B20000-0x00000000752D0000-memory.dmpFilesize
7.7MB
-
memory/4620-282-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/4620-279-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/4620-273-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/4620-265-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/4620-204-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/4808-103-0x0000000074B20000-0x00000000752D0000-memory.dmpFilesize
7.7MB
-
memory/4808-73-0x0000000005A00000-0x0000000005D54000-memory.dmpFilesize
3.3MB
-
memory/4808-83-0x0000000006110000-0x000000000615C000-memory.dmpFilesize
304KB
-
memory/4808-71-0x0000000002C90000-0x0000000002CA0000-memory.dmpFilesize
64KB
-
memory/4808-72-0x0000000002C90000-0x0000000002CA0000-memory.dmpFilesize
64KB
-
memory/4808-87-0x00000000711B0000-0x0000000071504000-memory.dmpFilesize
3.3MB
-
memory/4808-70-0x0000000074B20000-0x00000000752D0000-memory.dmpFilesize
7.7MB
-
memory/4808-84-0x0000000002C90000-0x0000000002CA0000-memory.dmpFilesize
64KB
-
memory/4808-100-0x0000000007650000-0x0000000007664000-memory.dmpFilesize
80KB
-
memory/4808-97-0x00000000072E0000-0x0000000007383000-memory.dmpFilesize
652KB
-
memory/4808-99-0x00000000075E0000-0x00000000075F1000-memory.dmpFilesize
68KB
-
memory/4808-86-0x00000000709E0000-0x0000000070A2C000-memory.dmpFilesize
304KB
-
memory/4808-98-0x000000007F290000-0x000000007F2A0000-memory.dmpFilesize
64KB