Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
-
submitted
19-04-2024 04:41
General
-
Target
afea1c4dc4a49b133d0a637b909a25edee71b470251062656f3df2b66277fa0b.exe
-
Size
4.2MB
-
MD5
cad494afb75393a5e4b30b40a976f252
-
SHA1
e985b2e58ad7684b77b46414a669eba5c23c6c53
-
SHA256
afea1c4dc4a49b133d0a637b909a25edee71b470251062656f3df2b66277fa0b
-
SHA512
1dde63020035a6fe9f4b46cca810b858b0daed0a5bd131df23302c4e65a46f985a419fabc4063d1ae7f83655a8b26e3e65b1abe38e26b786c2122980d0f91842
-
SSDEEP
98304:8RUBmLZ3rmtSop/fcfKtwQG3TQtt4oKMJO6VS6U7CKzh7K:kxKEC/fcfKt9ykOWRUGoh7K
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 20 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\afea1c4dc4a49b133d0a637b909a25edee71b470251062656f3df2b66277fa0b.exe"C:\Users\Admin\AppData\Local\Temp\afea1c4dc4a49b133d0a637b909a25edee71b470251062656f3df2b66277fa0b.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\afea1c4dc4a49b133d0a637b909a25edee71b470251062656f3df2b66277fa0b.exe"C:\Users\Admin\AppData\Local\Temp\afea1c4dc4a49b133d0a637b909a25edee71b470251062656f3df2b66277fa0b.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 9162⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3356 -ip 33561⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1perrhqh.ten.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5ac4917a885cf6050b1a483e4bc4d2ea5
SHA1b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5468e2c0c48752cfdd5c5ecde1f520a98
SHA1761d3122b3db621f08e95bb98d9d4e0545f0cea5
SHA256f9b886ed61435426fd6bdc343e089de4482330115318b0e1c629ba7ea857cca5
SHA5123c5415f6adea67b8c9dbd32c06a9c65000f6dbca9443a4640936f2edfe7e6f657533564da4acd6ad00863489478a1cc34bf5d9583fa6059986575016f7d8acc4
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD55222cd19b1c959de34bcd1643fb0c602
SHA1cadfc74ccd5fde3fb5f584edfa1cf2112ca2d8ff
SHA256ea683b4eb26facc4f3292cac28a2043a715d0bf747cb48f982ff5468fd05baa1
SHA512e62263275a1973033e80fa8664928ec3af1bba0f577400865c52acaa34d8cede03eb65747aa12a49f98675bc51b3cde10b29e6211ff35df9f18174e33e28ab00
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD588ee5b40649c53db6922f2719af77dd3
SHA1a5e2ccb9406ddc96533d857651f7bb899061e869
SHA256b4c5e07c2e6969f8fa80c03ed2d38913367527dcadfcf76dcf8b98f7167aa173
SHA512e6aa8e5221e67d8eb5079af7e89ebf6bac2619b7bbc59334f7045a49c26e9f6196e818682c1c5d618d07238ec4bb5c28f4bcaef059ce13939e148d5d5c81d04e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5a37c2732ea861d1cf5d147720beb3da3
SHA1b71aa89d3ae72f5d5e1e45419fa91e39acb78fc0
SHA2566809308776d16cdaa18db5d2facdae97711053c1a70da38ddc5f1bd2fdecbec6
SHA5122887beddcc12ae41681f0a2b521d433ad649b5e1470d67ef36bf88cfee3e594edd003be17ab5965dcbaf293923bcb1da6852697a85a9475788cc9b1737e9a90a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5f54a3f7e36d0a08eb760efaf18b820cd
SHA142e1de58fed3e17b290fc84edb5df4ef5ef782ce
SHA256827fad45264b921893d25448bf2ece64e3058a5c7e5181c875b7b9a90e704980
SHA51204bbe512524379e43e74b988cdb83b1c0665b8b73bb3a5116819bd53ccbf48e6e5fcb67e176fc13801cab71179919489fb1194c4fee17816b44ac14ec747b7d3
-
C:\Windows\rss\csrss.exeFilesize
4.2MB
MD5cad494afb75393a5e4b30b40a976f252
SHA1e985b2e58ad7684b77b46414a669eba5c23c6c53
SHA256afea1c4dc4a49b133d0a637b909a25edee71b470251062656f3df2b66277fa0b
SHA5121dde63020035a6fe9f4b46cca810b858b0daed0a5bd131df23302c4e65a46f985a419fabc4063d1ae7f83655a8b26e3e65b1abe38e26b786c2122980d0f91842
-
memory/396-249-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/1204-241-0x0000000074950000-0x0000000074961000-memory.dmpFilesize
68KB
-
memory/1204-310-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/1204-346-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/1204-262-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/1204-251-0x00000000749E0000-0x0000000074A21000-memory.dmpFilesize
260KB
-
memory/1204-257-0x00000000748B0000-0x00000000748F1000-memory.dmpFilesize
260KB
-
memory/1204-250-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/1204-298-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/1204-394-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/1204-237-0x00000000749E0000-0x0000000074A21000-memory.dmpFilesize
260KB
-
memory/1204-236-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/1204-286-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/1204-358-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/1204-274-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/1204-334-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/1204-322-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/1204-376-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/1676-117-0x0000000002B10000-0x0000000002B20000-memory.dmpFilesize
64KB
-
memory/1676-118-0x0000000002B10000-0x0000000002B20000-memory.dmpFilesize
64KB
-
memory/1676-116-0x0000000074140000-0x00000000748F1000-memory.dmpFilesize
7.7MB
-
memory/1676-128-0x00000000058C0000-0x0000000005C17000-memory.dmpFilesize
3.3MB
-
memory/2860-57-0x0000000002B50000-0x0000000002B60000-memory.dmpFilesize
64KB
-
memory/2860-87-0x0000000074140000-0x00000000748F1000-memory.dmpFilesize
7.7MB
-
memory/2860-84-0x0000000007600000-0x0000000007615000-memory.dmpFilesize
84KB
-
memory/2860-83-0x00000000075B0000-0x00000000075C1000-memory.dmpFilesize
68KB
-
memory/2860-69-0x000000007F070000-0x000000007F080000-memory.dmpFilesize
64KB
-
memory/2860-82-0x0000000002B50000-0x0000000002B60000-memory.dmpFilesize
64KB
-
memory/2860-80-0x00000000072B0000-0x0000000007354000-memory.dmpFilesize
656KB
-
memory/2860-58-0x0000000002B50000-0x0000000002B60000-memory.dmpFilesize
64KB
-
memory/2860-70-0x0000000070420000-0x000000007046C000-memory.dmpFilesize
304KB
-
memory/2860-56-0x0000000074140000-0x00000000748F1000-memory.dmpFilesize
7.7MB
-
memory/2860-59-0x0000000005B60000-0x0000000005EB7000-memory.dmpFilesize
3.3MB
-
memory/2860-68-0x0000000006580000-0x00000000065CC000-memory.dmpFilesize
304KB
-
memory/2860-71-0x0000000070670000-0x00000000709C7000-memory.dmpFilesize
3.3MB
-
memory/2860-81-0x0000000002B50000-0x0000000002B60000-memory.dmpFilesize
64KB
-
memory/3116-130-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/3116-119-0x0000000004EA0000-0x000000000529A000-memory.dmpFilesize
4.0MB
-
memory/3116-53-0x0000000004EA0000-0x000000000529A000-memory.dmpFilesize
4.0MB
-
memory/3116-148-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/3116-55-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/3356-54-0x0000000005350000-0x0000000005C3B000-memory.dmpFilesize
8.9MB
-
memory/3356-52-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/3356-2-0x0000000005350000-0x0000000005C3B000-memory.dmpFilesize
8.9MB
-
memory/3356-3-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/3356-1-0x0000000004F50000-0x000000000534B000-memory.dmpFilesize
4.0MB
-
memory/4004-285-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4004-261-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4520-40-0x0000000007570000-0x000000000758A000-memory.dmpFilesize
104KB
-
memory/4520-27-0x0000000070490000-0x00000000707E7000-memory.dmpFilesize
3.3MB
-
memory/4520-50-0x00000000740A0000-0x0000000074851000-memory.dmpFilesize
7.7MB
-
memory/4520-47-0x00000000076A0000-0x00000000076A8000-memory.dmpFilesize
32KB
-
memory/4520-4-0x0000000002AD0000-0x0000000002B06000-memory.dmpFilesize
216KB
-
memory/4520-6-0x0000000002B30000-0x0000000002B40000-memory.dmpFilesize
64KB
-
memory/4520-44-0x0000000007620000-0x000000000762E000-memory.dmpFilesize
56KB
-
memory/4520-43-0x00000000075D0000-0x00000000075E1000-memory.dmpFilesize
68KB
-
memory/4520-42-0x00000000076C0000-0x0000000007756000-memory.dmpFilesize
600KB
-
memory/4520-45-0x0000000007630000-0x0000000007645000-memory.dmpFilesize
84KB
-
memory/4520-41-0x00000000075B0000-0x00000000075BA000-memory.dmpFilesize
40KB
-
memory/4520-39-0x0000000007BB0000-0x000000000822A000-memory.dmpFilesize
6.5MB
-
memory/4520-5-0x00000000740A0000-0x0000000074851000-memory.dmpFilesize
7.7MB
-
memory/4520-8-0x00000000052B0000-0x00000000058DA000-memory.dmpFilesize
6.2MB
-
memory/4520-7-0x0000000002B30000-0x0000000002B40000-memory.dmpFilesize
64KB
-
memory/4520-24-0x000000007F8B0000-0x000000007F8C0000-memory.dmpFilesize
64KB
-
memory/4520-37-0x0000000007440000-0x00000000074E4000-memory.dmpFilesize
656KB
-
memory/4520-38-0x0000000002B30000-0x0000000002B40000-memory.dmpFilesize
64KB
-
memory/4520-36-0x0000000007420000-0x000000000743E000-memory.dmpFilesize
120KB
-
memory/4520-9-0x00000000050F0000-0x0000000005112000-memory.dmpFilesize
136KB
-
memory/4520-25-0x00000000073E0000-0x0000000007414000-memory.dmpFilesize
208KB
-
memory/4520-26-0x0000000070310000-0x000000007035C000-memory.dmpFilesize
304KB
-
memory/4520-23-0x0000000006F90000-0x0000000006FD6000-memory.dmpFilesize
280KB
-
memory/4520-22-0x0000000006050000-0x000000000609C000-memory.dmpFilesize
304KB
-
memory/4520-21-0x0000000005FA0000-0x0000000005FBE000-memory.dmpFilesize
120KB
-
memory/4520-10-0x00000000058E0000-0x0000000005946000-memory.dmpFilesize
408KB
-
memory/4520-20-0x0000000005A80000-0x0000000005DD7000-memory.dmpFilesize
3.3MB
-
memory/4520-11-0x0000000005950000-0x00000000059B6000-memory.dmpFilesize
408KB
-
memory/4520-46-0x0000000007680000-0x000000000769A000-memory.dmpFilesize
104KB
-
memory/4996-89-0x0000000074140000-0x00000000748F1000-memory.dmpFilesize
7.7MB
-
memory/4996-102-0x000000007EEF0000-0x000000007EF00000-memory.dmpFilesize
64KB
-
memory/4996-90-0x0000000005590000-0x00000000055A0000-memory.dmpFilesize
64KB
-
memory/4996-91-0x0000000006270000-0x00000000065C7000-memory.dmpFilesize
3.3MB
-
memory/4996-97-0x0000000005590000-0x00000000055A0000-memory.dmpFilesize
64KB
-
memory/4996-115-0x0000000074140000-0x00000000748F1000-memory.dmpFilesize
7.7MB
-
memory/4996-113-0x0000000005590000-0x00000000055A0000-memory.dmpFilesize
64KB
-
memory/4996-103-0x0000000070420000-0x000000007046C000-memory.dmpFilesize
304KB
-
memory/4996-104-0x0000000070DD0000-0x0000000071127000-memory.dmpFilesize
3.3MB