Analysis

  • max time kernel
    152s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/04/2024, 19:26

General

  • Target

    0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe

  • Size

    4.2MB

  • MD5

    0865723cd92439d03cbc8f84d2f4adbd

  • SHA1

    9e6bc45a5748a51e2a835c64c7d1907e6122c533

  • SHA256

    0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa

  • SHA512

    375bfc107cc7e0fa7df3b051fcb466edc79f9a38dd03e7dda2793bcfd53a6954dc27837e519b0cedd35981f2a91ffafcab2ba2de43015c59b9a24b84c01f5bdf

  • SSDEEP

    98304:rtwUIgr6Tu/hivXD0fl0IvZVjhgp1+mYFjvUcmYnimsjZaHe8:5w6rquKXDtU1Y2GYniVjUHB

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 13 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
    "C:\Users\Admin\AppData\Local\Temp\0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4836
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2304
    • C:\Users\Admin\AppData\Local\Temp\0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe
      "C:\Users\Admin\AppData\Local\Temp\0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa.exe"
      2⤵
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3888
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2824
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1372
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:884
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3612
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4920
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        PID:228
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          PID:1804
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 860
      2⤵
      • Program crash
      PID:2044
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:4560
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4836 -ip 4836
    1⤵
    PID:3688

Downloads

                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_maqkhivi.pd2.ps1

                  Filesize

                  60B

                  MD5

                  d17fe0a3f47be24a6453e9ef58c94641

                  SHA1

                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                  SHA256

                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                  SHA512

                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

                  Filesize

                  2KB

                  MD5

                  968cb9309758126772781b83adb8a28f

                  SHA1

                  8da30e71accf186b2ba11da1797cf67f8f78b47c

                  SHA256

                  92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

                  SHA512

                  4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

                • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                  Filesize

                  19KB

                  MD5

                  2f00a912cb13e3d5cdfef5aecd824069

                  SHA1

                  77eb1f2730d127087e61b7bb88be2827ff8b24a3

                  SHA256

                  ffd2b0aeb2eb88ac296eb574dd96c4edaa95f6a7a83ffcf30002ee8a244a37e6

                  SHA512

                  1b88416f3fa4ebe180466973136369bc503dabde1155bc936b30508c2b749664529ca2927a8d076cd5a8d311d1b55b7e08c2cd57df29760e246345eb2c7b3e8c

                • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                  Filesize

                  19KB

                  MD5

                  3d96daf9d73dde4648550d28ed53430b

                  SHA1

                  8354246d93aa7ac911be747f987e5045c94d40de

                  SHA256

                  652f8e477c42ce50a268d9fcc37aa43845b0e40d887590bd30005903da61bd9d

                  SHA512

                  8f8e401d45ee9735984fff4f67e66a8788783301e9a7a3b0fff7b9a0927aea9f93ae8ea9ac810e8bc6071ab15925cd134b7296ee0b6dd0911fd6a0c85c453d74

                • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                  Filesize

                  19KB

                  MD5

                  6f90b544cb3540317ce5e62e470c4917

                  SHA1

                  b31820eb0082e46a639446afd9995f6f33d83cd2

                  SHA256

                  5c09414f9e595377785524a0962c9a7c4da1ad8207d670528169325a89395726

                  SHA512

                  261e2610199deb0b3075516d9345bfef9ece063e1d43668c893e4025a57e8432a24b09a384d625b75070d509004429335a737f9665f22a2a844cb269a6fc59b0

                • C:\Windows\rss\csrss.exe

                  Filesize

                  4.2MB

                  MD5

                  0865723cd92439d03cbc8f84d2f4adbd

                  SHA1

                  9e6bc45a5748a51e2a835c64c7d1907e6122c533

                  SHA256

                  0822ebcb95f3b3df8c8c9f84acbbaa453ce03390257de1e8f10164efa57d91fa

                  SHA512

                  375bfc107cc7e0fa7df3b051fcb466edc79f9a38dd03e7dda2793bcfd53a6954dc27837e519b0cedd35981f2a91ffafcab2ba2de43015c59b9a24b84c01f5bdf
