Analysis
-
max time kernel
149s -
max time network
124s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
-
submitted
19-04-2024 13:23
General
-
Target
a5501eb525e7f6fd6b734c1684b2003f8efe60382472575559df658c5e54975e.exe
-
Size
4.2MB
-
MD5
02827eb6bb7bed85ce569bf1b3697440
-
SHA1
7c8ef9b1fb7aa6bd25040da4fe529e48b7b118cc
-
SHA256
a5501eb525e7f6fd6b734c1684b2003f8efe60382472575559df658c5e54975e
-
SHA512
a903a0701d2d4b86bd035427b2f6247b03c665231f43862e8c9ad519f219505782ede81c4c24fe02518dfa5a6d61239f53800d30afa0246cea234ab9233dd7ab
-
SSDEEP
98304:GnK8LmfPd/8stvQd5ytt2zai81uhNveK9SmSQsZGchR1mW:l8qfPd/x65yttA81u3LZOh/b
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 19 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a5501eb525e7f6fd6b734c1684b2003f8efe60382472575559df658c5e54975e.exe"C:\Users\Admin\AppData\Local\Temp\a5501eb525e7f6fd6b734c1684b2003f8efe60382472575559df658c5e54975e.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\a5501eb525e7f6fd6b734c1684b2003f8efe60382472575559df658c5e54975e.exe"C:\Users\Admin\AppData\Local\Temp\a5501eb525e7f6fd6b734c1684b2003f8efe60382472575559df658c5e54975e.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wxjciekx.5bo.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5ac4917a885cf6050b1a483e4bc4d2ea5
SHA1b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5b70bd310574f2f1c4d3512fe1aadfb4a
SHA18c4b02097d68ba9771bc718cefb436c2ba4d154e
SHA25670fc8ba89bd4d4a7938459307d7f81475254fcba6d9a939e6fddda12be1cad5e
SHA512e329ad5902243874d47baa22ccf1b0f4e67a6dccbdc11df06fa1881a094204677f46f77da11dec0b54e13b4281d27573151b603b1b1dc995d0a5068e1b440c93
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5bff62e14caa81dcc87db631d22578177
SHA1bcd63e888a55b4111811b186effba6117193b6a3
SHA256d126c70a1200b4bd8bfa9293052caf64be22a51f042bdca3bcef68d8a9fd5fdc
SHA5124a72d499d0069e780d7526c2e64db08ca99a72fd11aa79c6233f87d656b0e1aec11c2c59981331e694ecea02ecda0454f2650f1d204aec6d861d9c6645d27b6e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD508eef01d325e67b7d72f9f1b2a875183
SHA1f8c117abf66be05f6951c1d4dcb21a28ed9557df
SHA256b5a3f2202555ce07a1557f207a50304c4c5060e07b8e1f7df95aa3ec75a7dfb5
SHA5124bd37fcf4005cd8a3e035c6cdeb84e156002745b542516b4e0a0e76f69c79d0f9febb5db9cdb0d3d1b7506176ed04d074fab80db9b73fc53d2c01c876cb7c81b
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD538832149efdc3fc81f130417ed7bc06d
SHA1ce9c5e9cdf8ad00ef872667a281ca37b85d669db
SHA256922cea171403455f2fd8176d4939667d8bf0b0c4ec89bc14fe6a8ac6ca501e29
SHA5129c912a891c002757652e16e18fab8b753937207405dda06bd921effbf1d2425f9d156119349048463d03c4a92c94f803cb528cd9755128e14351cf4e82d9d964
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD50b38fc94d7b541d60a421d9be519ae6f
SHA16b53d4eaa5c0a28cc57728bd9b93ad2e9389998d
SHA2564e1e6c93ce7801aea745e6567021e3159e51bdfecb2edac1ed79f6ffcf629b66
SHA5123ed818c1e1de8e1d6ff69c8638b5139b065a67850c428dfef26423cecb4b3477499f346ec6d16e5ae120df5a32347bfd6cc1e1dfc72329c87a515a94aad52aeb
-
C:\Windows\rss\csrss.exeFilesize
4.2MB
MD502827eb6bb7bed85ce569bf1b3697440
SHA17c8ef9b1fb7aa6bd25040da4fe529e48b7b118cc
SHA256a5501eb525e7f6fd6b734c1684b2003f8efe60382472575559df658c5e54975e
SHA512a903a0701d2d4b86bd035427b2f6247b03c665231f43862e8c9ad519f219505782ede81c4c24fe02518dfa5a6d61239f53800d30afa0246cea234ab9233dd7ab
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/2160-100-0x0000000070EB0000-0x0000000070EFC000-memory.dmpFilesize
304KB
-
memory/2160-87-0x0000000074C40000-0x00000000753F1000-memory.dmpFilesize
7.7MB
-
memory/2160-113-0x0000000074C40000-0x00000000753F1000-memory.dmpFilesize
7.7MB
-
memory/2160-111-0x0000000005140000-0x0000000005150000-memory.dmpFilesize
64KB
-
memory/2160-110-0x000000007F340000-0x000000007F350000-memory.dmpFilesize
64KB
-
memory/2160-101-0x0000000071030000-0x0000000071387000-memory.dmpFilesize
3.3MB
-
memory/2160-89-0x0000000005140000-0x0000000005150000-memory.dmpFilesize
64KB
-
memory/2160-88-0x0000000005140000-0x0000000005150000-memory.dmpFilesize
64KB
-
memory/3080-114-0x0000000004EA0000-0x00000000052A8000-memory.dmpFilesize
4.0MB
-
memory/3080-55-0x0000000000400000-0x000000000311B000-memory.dmpFilesize
45.1MB
-
memory/3080-52-0x0000000004EA0000-0x00000000052A8000-memory.dmpFilesize
4.0MB
-
memory/3080-137-0x0000000000400000-0x000000000311B000-memory.dmpFilesize
45.1MB
-
memory/3080-146-0x0000000000400000-0x000000000311B000-memory.dmpFilesize
45.1MB
-
memory/3116-116-0x0000000004EF0000-0x0000000004F00000-memory.dmpFilesize
64KB
-
memory/3116-128-0x0000000071030000-0x0000000071387000-memory.dmpFilesize
3.3MB
-
memory/3116-115-0x0000000074C40000-0x00000000753F1000-memory.dmpFilesize
7.7MB
-
memory/3116-117-0x0000000004EF0000-0x0000000004F00000-memory.dmpFilesize
64KB
-
memory/3116-138-0x000000007F1B0000-0x000000007F1C0000-memory.dmpFilesize
64KB
-
memory/3116-127-0x0000000070EB0000-0x0000000070EFC000-memory.dmpFilesize
304KB
-
memory/3184-260-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/3184-255-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/3632-278-0x0000000000400000-0x000000000311B000-memory.dmpFilesize
45.1MB
-
memory/3632-273-0x0000000000400000-0x000000000311B000-memory.dmpFilesize
45.1MB
-
memory/3632-264-0x0000000000400000-0x000000000311B000-memory.dmpFilesize
45.1MB
-
memory/3632-267-0x0000000000400000-0x000000000311B000-memory.dmpFilesize
45.1MB
-
memory/3632-285-0x0000000000400000-0x000000000311B000-memory.dmpFilesize
45.1MB
-
memory/3632-242-0x0000000000400000-0x000000000311B000-memory.dmpFilesize
45.1MB
-
memory/3632-261-0x0000000000400000-0x000000000311B000-memory.dmpFilesize
45.1MB
-
memory/3632-281-0x0000000000400000-0x000000000311B000-memory.dmpFilesize
45.1MB
-
memory/3632-257-0x0000000000400000-0x000000000311B000-memory.dmpFilesize
45.1MB
-
memory/3632-252-0x0000000000400000-0x000000000311B000-memory.dmpFilesize
45.1MB
-
memory/3632-254-0x0000000000400000-0x000000000311B000-memory.dmpFilesize
45.1MB
-
memory/3632-270-0x0000000000400000-0x000000000311B000-memory.dmpFilesize
45.1MB
-
memory/3632-276-0x0000000000400000-0x000000000311B000-memory.dmpFilesize
45.1MB
-
memory/3744-251-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4748-2-0x0000000000400000-0x000000000311B000-memory.dmpFilesize
45.1MB
-
memory/4748-1-0x0000000004FC0000-0x00000000053BB000-memory.dmpFilesize
4.0MB
-
memory/4748-54-0x0000000000400000-0x000000000311B000-memory.dmpFilesize
45.1MB
-
memory/4748-3-0x00000000053C0000-0x0000000005CAB000-memory.dmpFilesize
8.9MB
-
memory/4748-53-0x0000000004FC0000-0x00000000053BB000-memory.dmpFilesize
4.0MB
-
memory/4928-79-0x0000000000AE0000-0x0000000000AF0000-memory.dmpFilesize
64KB
-
memory/4928-85-0x0000000074C40000-0x00000000753F1000-memory.dmpFilesize
7.7MB
-
memory/4928-82-0x0000000007140000-0x0000000007155000-memory.dmpFilesize
84KB
-
memory/4928-81-0x00000000070F0000-0x0000000007101000-memory.dmpFilesize
68KB
-
memory/4928-80-0x0000000000AE0000-0x0000000000AF0000-memory.dmpFilesize
64KB
-
memory/4928-78-0x0000000006BC0000-0x0000000006C64000-memory.dmpFilesize
656KB
-
memory/4928-67-0x000000007FD70000-0x000000007FD80000-memory.dmpFilesize
64KB
-
memory/4928-69-0x0000000071040000-0x0000000071397000-memory.dmpFilesize
3.3MB
-
memory/4928-68-0x0000000070EB0000-0x0000000070EFC000-memory.dmpFilesize
304KB
-
memory/4928-66-0x0000000005660000-0x00000000059B7000-memory.dmpFilesize
3.3MB
-
memory/4928-56-0x0000000074C40000-0x00000000753F1000-memory.dmpFilesize
7.7MB
-
memory/4928-57-0x0000000000AE0000-0x0000000000AF0000-memory.dmpFilesize
64KB
-
memory/4984-50-0x0000000074C40000-0x00000000753F1000-memory.dmpFilesize
7.7MB
-
memory/4984-47-0x00000000073B0000-0x00000000073B8000-memory.dmpFilesize
32KB
-
memory/4984-46-0x0000000007390000-0x00000000073AA000-memory.dmpFilesize
104KB
-
memory/4984-45-0x0000000007340000-0x0000000007355000-memory.dmpFilesize
84KB
-
memory/4984-44-0x0000000007330000-0x000000000733E000-memory.dmpFilesize
56KB
-
memory/4984-43-0x00000000072E0000-0x00000000072F1000-memory.dmpFilesize
68KB
-
memory/4984-42-0x00000000073D0000-0x0000000007466000-memory.dmpFilesize
600KB
-
memory/4984-41-0x00000000072C0000-0x00000000072CA000-memory.dmpFilesize
40KB
-
memory/4984-40-0x0000000007280000-0x000000000729A000-memory.dmpFilesize
104KB
-
memory/4984-39-0x00000000078C0000-0x0000000007F3A000-memory.dmpFilesize
6.5MB
-
memory/4984-37-0x0000000007160000-0x0000000007204000-memory.dmpFilesize
656KB
-
memory/4984-38-0x0000000004820000-0x0000000004830000-memory.dmpFilesize
64KB
-
memory/4984-36-0x0000000007140000-0x000000000715E000-memory.dmpFilesize
120KB
-
memory/4984-27-0x0000000071030000-0x0000000071387000-memory.dmpFilesize
3.3MB
-
memory/4984-26-0x0000000070EB0000-0x0000000070EFC000-memory.dmpFilesize
304KB
-
memory/4984-24-0x0000000007100000-0x0000000007134000-memory.dmpFilesize
208KB
-
memory/4984-25-0x000000007FE20000-0x000000007FE30000-memory.dmpFilesize
64KB
-
memory/4984-23-0x0000000006280000-0x00000000062C6000-memory.dmpFilesize
280KB
-
memory/4984-22-0x0000000005D20000-0x0000000005D6C000-memory.dmpFilesize
304KB
-
memory/4984-21-0x0000000005CD0000-0x0000000005CEE000-memory.dmpFilesize
120KB
-
memory/4984-20-0x00000000057A0000-0x0000000005AF7000-memory.dmpFilesize
3.3MB
-
memory/4984-11-0x00000000055B0000-0x0000000005616000-memory.dmpFilesize
408KB
-
memory/4984-10-0x0000000005540000-0x00000000055A6000-memory.dmpFilesize
408KB
-
memory/4984-9-0x0000000004E10000-0x0000000004E32000-memory.dmpFilesize
136KB
-
memory/4984-6-0x0000000004820000-0x0000000004830000-memory.dmpFilesize
64KB
-
memory/4984-8-0x0000000004820000-0x0000000004830000-memory.dmpFilesize
64KB
-
memory/4984-7-0x0000000004EA0000-0x00000000054CA000-memory.dmpFilesize
6.2MB
-
memory/4984-4-0x0000000004830000-0x0000000004866000-memory.dmpFilesize
216KB
-
memory/4984-5-0x0000000074C40000-0x00000000753F1000-memory.dmpFilesize
7.7MB