Analysis

  • max time kernel
    147s
  • max time network
    169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/04/2024, 19:26

General

  • Target: c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe
  • Size: 4.2MB
  • MD5: a7c99d11e0a3f11864ee6b71bf2f4b08
  • SHA1: c50f1b9ddaa06a55e0d6abba687d77a482bb2408
  • SHA256: c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97
  • SHA512: 84bfb379a80980fb909b59a4e3a24e922b6d93647f61c77794e5ab09e1d6fcd95f70abf0e9f804742146f3176413aae54267c9bdf52023ab4c548a234c9fea60
  • SSDEEP: 98304:TtwUIgr6Tu/hivXD0fl0IvZVjhgp1+mYFjvUcmYnimsjZaHeF:Rw6rquKXDtU1Y2GYniVjUHw

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 13 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe
    "C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:392
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4640
    • C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe
      "C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe"
      2⤵
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3480
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4692
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3180
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:5096
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:548
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        PID:4768
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        PID:2932
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          PID:3192
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:1180
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
          PID:2120
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          PID:1200
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4328 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:1140

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ly5mbek5.cag.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: 3d086a433708053f9bf9523e1d87a4e8
    SHA1: b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
    SHA256: 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
    SHA512: 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize: 19KB
    MD5: fe19d077d9758a1110ca6fb959381b2a
    SHA1: a5067c7a312a8f5e1dcdf514c887c4bb95914453
    SHA256: bee0f7c695a842f904eb670dd59145f80ae545adf0cd30fe7eb2faf22087b610
    SHA512: 78ce866f8404ea55a0dc2500cb2dd78ddfeb2d9a3b6d8c351d29a010903f36771cd39f1a30504d1de569b01ec788d2d1e346bb99040c3fe8da53c3e0e2d998f1

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize: 19KB
    MD5: 9b8f8f2ca284ff2233b2b6b0535d8c54
    SHA1: 937401e7e12df621aeb121311d7b2844c1a66fc8
    SHA256: 176ff6aac4db9b0de175f95e1684f04a7e65821dd582c799e097bad1c0f9da8f
    SHA512: 08a48b98e9a0706541868a57dae715fd676faf94b6822e18101b744076c7d55cc64b4354e7a3832cd098ceaddcfcaf0792e17b8470ceaa7c1b9d0dc1d635627b

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize: 19KB
    MD5: 0481eca8ee54e7189373c4416e433e4a
    SHA1: 6e5da27b5b7a6a292395360588b0f5034b21d66d
    SHA256: 6873738fb83dfc6be82dfe94e7883dae8a44fd51b394eab1b55530822b143818
    SHA512: af7a61b34a2316d5bb8f31d388ccdfae6bb1ddf047005d5327915d09ecb1674b95194a5880afd498a91c1db7e852022cb4f0f846e4ec28cde90fcf71b5a43c00

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize: 19KB
    MD5: b89416c851d81b0349ad16367965b0a8
    SHA1: 602b54aa8610df4f999cc0712d9c3222e55c17da
    SHA256: ea6bf4b296e8a80927371ab79e3a6c38991e0b50d7370a95801134f7a512b8cb
    SHA512: aaad4c99dc5891ab8b4c90d936e58347e07a401ed423b89753ab735157efa172a7aaf5c74a1a3c4f230d39133b2a25e054ee1869b7893d11a9e2a2c76a592a7e

  • C:\Windows\rss\csrss.exe
    Filesize: 4.2MB
    MD5: a7c99d11e0a3f11864ee6b71bf2f4b08
    SHA1: c50f1b9ddaa06a55e0d6abba687d77a482bb2408
    SHA256: c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97
    SHA512: 84bfb379a80980fb909b59a4e3a24e922b6d93647f61c77794e5ab09e1d6fcd95f70abf0e9f804742146f3176413aae54267c9bdf52023ab4c548a234c9fea60