Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
19-04-2024 20:03
General
-
Target
843b947c53c5c2af2469d0ca781468870c0064b2225b4fdecc11e6cc24951ec8.exe
-
Size
4.2MB
-
MD5
1c55bf2921a2794845b046dd317ab941
-
SHA1
558f6c725d67c19fd115e181d558a61deb5e62c3
-
SHA256
843b947c53c5c2af2469d0ca781468870c0064b2225b4fdecc11e6cc24951ec8
-
SHA512
aa72e9ae7b77994b42f7d82eee00ca1bbfb8522597bd226c4cee3438d904fb673b6e89348e366e5a86aa452dad38d1f5b64a14bbda01f5fdb1c7459d0825746b
-
SSDEEP
98304:p00QK3N3Jc8wpX9Ml+P+WnP01raAvqFLRTemOJzdkXGp:rpJcNpX++PyaASVpB6k4
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 19 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\843b947c53c5c2af2469d0ca781468870c0064b2225b4fdecc11e6cc24951ec8.exe"C:\Users\Admin\AppData\Local\Temp\843b947c53c5c2af2469d0ca781468870c0064b2225b4fdecc11e6cc24951ec8.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\843b947c53c5c2af2469d0ca781468870c0064b2225b4fdecc11e6cc24951ec8.exe"C:\Users\Admin\AppData\Local\Temp\843b947c53c5c2af2469d0ca781468870c0064b2225b4fdecc11e6cc24951ec8.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 6763⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 9722⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1300 -ip 13001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4652 -ip 46521⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pkj3dtwe.w2d.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD51fed82c4af93eed919a8ac958f018f1c
SHA14a9afe348340016c0436bd38b0e725e78a40a151
SHA256ef1db35cdeb8eaea9eccbcce025b5452d1ab747d4821726e791b54b8b5a5eea9
SHA5121e495c00fa73329022ac287c3fbabd79fd33bfb46966fb71eefe309821cab10b75593db1aa53ea50ad8041e0dd3bae8b25bfe993bb14c7110fc67026b0b929a0
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD538f9a347b98fa03a6b3d166cc1be8a18
SHA1d7c28f09a53967f7dc5eecff1f92b07e05a8f5ea
SHA256cb41ba07a067dc2f7852ddea073f3f5b9ffb6284443ed45a68de9613a887dff8
SHA51293a54481f87484a1d26c238acc3b97c48965a1e98462b2d4486ad8ca610244375a1cc286b6564109e71ef0786a34dabba937d2bfb6f08e1ff50f2e23be99eaab
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD58572c9cbc43b0fedb31b74dcea57ca67
SHA141f55cd5c2dfaff2f81df8a222c1f1ac98eeb740
SHA256568256e523db5b9e691a25fb725a5d36d93acdec3fa893eced5a74d18c3c84c8
SHA51223d26ec2de687b99f8cf24346f6eb01cd1137a6b7805fcc662fb240674e33d6fe505efb89949d0c071f52f8638ad42610a376924c3841098e8cfd4f22fe3523a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5fe457388dc1a294789cebc97c8e13100
SHA1574d46edb370a18eb20cc61aff894a0fff6390ac
SHA256bd86d4c245649cbbb134d0a3103e164dc1b35557489000e4c184c510c47f2f9d
SHA512150c57737fa9de84791421cb2869aeae25e80a8072b5d10d5d00607cbfec71aa0dfcc3b03babe92e61e2cf411717979fefd40d5ef0342a13b62ee62916176225
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD563997d7721e457cf665674ac11913ad1
SHA1f530563169e5aeaea4c5fb14d68f160e3a1cc898
SHA2566a6e5266fc14622a13674530b8ae7b37c0d2de6b3ab797c789f13ee23b0cc53e
SHA512a94b97e6abb4c253a051f70ceb62aef1af0c86752e91e7274ec4d0416fa26dca0e711cfdc444a598b207caf3ad953ef8bf9675af70b4951ae56e78757b468f21
-
C:\Windows\rss\csrss.exeFilesize
4.2MB
MD51c55bf2921a2794845b046dd317ab941
SHA1558f6c725d67c19fd115e181d558a61deb5e62c3
SHA256843b947c53c5c2af2469d0ca781468870c0064b2225b4fdecc11e6cc24951ec8
SHA512aa72e9ae7b77994b42f7d82eee00ca1bbfb8522597bd226c4cee3438d904fb673b6e89348e366e5a86aa452dad38d1f5b64a14bbda01f5fdb1c7459d0825746b
-
memory/1300-55-0x0000000000400000-0x0000000001E06000-memory.dmpFilesize
26.0MB
-
memory/1300-3-0x0000000000400000-0x0000000001E06000-memory.dmpFilesize
26.0MB
-
memory/1300-1-0x0000000003DB0000-0x00000000041B8000-memory.dmpFilesize
4.0MB
-
memory/1300-2-0x00000000041C0000-0x0000000004AAB000-memory.dmpFilesize
8.9MB
-
memory/1300-58-0x00000000041C0000-0x0000000004AAB000-memory.dmpFilesize
8.9MB
-
memory/1300-57-0x0000000003DB0000-0x00000000041B8000-memory.dmpFilesize
4.0MB
-
memory/2644-75-0x00000000708C0000-0x000000007090C000-memory.dmpFilesize
304KB
-
memory/2644-61-0x0000000002880000-0x0000000002890000-memory.dmpFilesize
64KB
-
memory/2644-92-0x0000000074A00000-0x00000000751B0000-memory.dmpFilesize
7.7MB
-
memory/2644-89-0x00000000077A0000-0x00000000077B4000-memory.dmpFilesize
80KB
-
memory/2644-88-0x0000000007750000-0x0000000007761000-memory.dmpFilesize
68KB
-
memory/2644-86-0x0000000002880000-0x0000000002890000-memory.dmpFilesize
64KB
-
memory/2644-87-0x0000000007220000-0x00000000072C3000-memory.dmpFilesize
652KB
-
memory/2644-76-0x0000000071060000-0x00000000713B4000-memory.dmpFilesize
3.3MB
-
memory/2644-74-0x000000007F040000-0x000000007F050000-memory.dmpFilesize
64KB
-
memory/2644-73-0x00000000062B0000-0x00000000062FC000-memory.dmpFilesize
304KB
-
memory/2644-65-0x0000000005C50000-0x0000000005FA4000-memory.dmpFilesize
3.3MB
-
memory/2644-62-0x0000000002880000-0x0000000002890000-memory.dmpFilesize
64KB
-
memory/2644-60-0x0000000074A00000-0x00000000751B0000-memory.dmpFilesize
7.7MB
-
memory/3476-304-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/3476-278-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/3672-125-0x0000000074A00000-0x00000000751B0000-memory.dmpFilesize
7.7MB
-
memory/3672-127-0x0000000002460000-0x0000000002470000-memory.dmpFilesize
64KB
-
memory/3672-126-0x0000000002460000-0x0000000002470000-memory.dmpFilesize
64KB
-
memory/3700-305-0x0000000000400000-0x0000000001E06000-memory.dmpFilesize
26.0MB
-
memory/3700-356-0x0000000000400000-0x0000000001E06000-memory.dmpFilesize
26.0MB
-
memory/3700-266-0x0000000000400000-0x0000000001E06000-memory.dmpFilesize
26.0MB
-
memory/3700-275-0x00000000750D0000-0x00000000750ED000-memory.dmpFilesize
116KB
-
memory/3700-456-0x0000000000400000-0x0000000001E06000-memory.dmpFilesize
26.0MB
-
memory/3700-432-0x0000000000400000-0x0000000001E06000-memory.dmpFilesize
26.0MB
-
memory/3700-413-0x0000000000400000-0x0000000001E06000-memory.dmpFilesize
26.0MB
-
memory/3700-279-0x0000000000400000-0x0000000001E06000-memory.dmpFilesize
26.0MB
-
memory/3700-292-0x0000000000400000-0x0000000001E06000-memory.dmpFilesize
26.0MB
-
memory/3700-394-0x0000000000400000-0x0000000001E06000-memory.dmpFilesize
26.0MB
-
memory/3700-276-0x00000000750C0000-0x00000000750D0000-memory.dmpFilesize
64KB
-
memory/3700-318-0x0000000000400000-0x0000000001E06000-memory.dmpFilesize
26.0MB
-
memory/3700-337-0x0000000000400000-0x0000000001E06000-memory.dmpFilesize
26.0MB
-
memory/3700-251-0x0000000000400000-0x0000000001E06000-memory.dmpFilesize
26.0MB
-
memory/3700-375-0x0000000000400000-0x0000000001E06000-memory.dmpFilesize
26.0MB
-
memory/3744-111-0x0000000070A40000-0x0000000070D94000-memory.dmpFilesize
3.3MB
-
memory/3744-109-0x00000000708C0000-0x000000007090C000-memory.dmpFilesize
304KB
-
memory/3744-121-0x0000000004E90000-0x0000000004EA0000-memory.dmpFilesize
64KB
-
memory/3744-122-0x0000000004E90000-0x0000000004EA0000-memory.dmpFilesize
64KB
-
memory/3744-124-0x0000000074A00000-0x00000000751B0000-memory.dmpFilesize
7.7MB
-
memory/3744-110-0x000000007F0F0000-0x000000007F100000-memory.dmpFilesize
64KB
-
memory/3744-95-0x0000000004E90000-0x0000000004EA0000-memory.dmpFilesize
64KB
-
memory/3744-94-0x0000000074A00000-0x00000000751B0000-memory.dmpFilesize
7.7MB
-
memory/3744-96-0x0000000004E90000-0x0000000004EA0000-memory.dmpFilesize
64KB
-
memory/3744-106-0x0000000005DD0000-0x0000000006124000-memory.dmpFilesize
3.3MB
-
memory/3912-23-0x0000000005B70000-0x0000000005BBC000-memory.dmpFilesize
304KB
-
memory/3912-50-0x0000000007240000-0x0000000007248000-memory.dmpFilesize
32KB
-
memory/3912-25-0x0000000006C00000-0x0000000006C76000-memory.dmpFilesize
472KB
-
memory/3912-10-0x0000000004B90000-0x0000000004BF6000-memory.dmpFilesize
408KB
-
memory/3912-11-0x00000000052C0000-0x0000000005326000-memory.dmpFilesize
408KB
-
memory/3912-26-0x0000000007500000-0x0000000007B7A000-memory.dmpFilesize
6.5MB
-
memory/3912-18-0x00000000054B0000-0x0000000005804000-memory.dmpFilesize
3.3MB
-
memory/3912-22-0x0000000005AD0000-0x0000000005AEE000-memory.dmpFilesize
120KB
-
memory/3912-27-0x0000000006EA0000-0x0000000006EBA000-memory.dmpFilesize
104KB
-
memory/3912-24-0x0000000006040000-0x0000000006084000-memory.dmpFilesize
272KB
-
memory/3912-53-0x0000000074920000-0x00000000750D0000-memory.dmpFilesize
7.7MB
-
memory/3912-8-0x0000000004650000-0x0000000004660000-memory.dmpFilesize
64KB
-
memory/3912-6-0x0000000004C90000-0x00000000052B8000-memory.dmpFilesize
6.2MB
-
memory/3912-29-0x0000000007050000-0x0000000007082000-memory.dmpFilesize
200KB
-
memory/3912-7-0x0000000004650000-0x0000000004660000-memory.dmpFilesize
64KB
-
memory/3912-5-0x0000000074920000-0x00000000750D0000-memory.dmpFilesize
7.7MB
-
memory/3912-4-0x0000000004500000-0x0000000004536000-memory.dmpFilesize
216KB
-
memory/3912-9-0x0000000004AF0000-0x0000000004B12000-memory.dmpFilesize
136KB
-
memory/3912-28-0x000000007FB90000-0x000000007FBA0000-memory.dmpFilesize
64KB
-
memory/3912-49-0x0000000007300000-0x000000000731A000-memory.dmpFilesize
104KB
-
memory/3912-48-0x0000000007210000-0x0000000007224000-memory.dmpFilesize
80KB
-
memory/3912-47-0x0000000007200000-0x000000000720E000-memory.dmpFilesize
56KB
-
memory/3912-46-0x00000000071C0000-0x00000000071D1000-memory.dmpFilesize
68KB
-
memory/3912-45-0x0000000007260000-0x00000000072F6000-memory.dmpFilesize
600KB
-
memory/3912-44-0x00000000071A0000-0x00000000071AA000-memory.dmpFilesize
40KB
-
memory/3912-42-0x0000000004650000-0x0000000004660000-memory.dmpFilesize
64KB
-
memory/3912-43-0x00000000070B0000-0x0000000007153000-memory.dmpFilesize
652KB
-
memory/3912-41-0x0000000007090000-0x00000000070AE000-memory.dmpFilesize
120KB
-
memory/3912-31-0x0000000070F20000-0x0000000071274000-memory.dmpFilesize
3.3MB
-
memory/3912-30-0x00000000707C0000-0x000000007080C000-memory.dmpFilesize
304KB
-
memory/4652-158-0x0000000000400000-0x0000000001E06000-memory.dmpFilesize
26.0MB
-
memory/4652-56-0x0000000003B30000-0x0000000003F29000-memory.dmpFilesize
4.0MB
-
memory/4652-59-0x0000000000400000-0x0000000001E06000-memory.dmpFilesize
26.0MB
-
memory/4652-108-0x0000000003B30000-0x0000000003F29000-memory.dmpFilesize
4.0MB
-
memory/4972-265-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB