Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
20-04-2024 21:32
General
-
Target
7f54c76d79940af03f00b3b9b537536ebd74d1f57b7c5da45f9a2ec0b6b3bea0.exe
-
Size
4.2MB
-
MD5
4c86430e2a35691b0b38cce6cde9255d
-
SHA1
bc6c21527c29c084b11c1088d80d51396f5eb8a8
-
SHA256
7f54c76d79940af03f00b3b9b537536ebd74d1f57b7c5da45f9a2ec0b6b3bea0
-
SHA512
cdad7e37bd3860e0a5a45f738950f831eb4a2376f3dfce979b67887f6d45321030a2a4b327f56d123434039bcbd018a1561823ce0423e4b96deba48823d38834
-
SSDEEP
98304:SB6TE4JDSTIitXqfSjBwF+v4rSSNjcdSqGUwT7RQU7O+:PTFmTI8qKjKFA4r+dAh7RQUn
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 20 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 2 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7f54c76d79940af03f00b3b9b537536ebd74d1f57b7c5da45f9a2ec0b6b3bea0.exe"C:\Users\Admin\AppData\Local\Temp\7f54c76d79940af03f00b3b9b537536ebd74d1f57b7c5da45f9a2ec0b6b3bea0.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\7f54c76d79940af03f00b3b9b537536ebd74d1f57b7c5da45f9a2ec0b6b3bea0.exe"C:\Users\Admin\AppData\Local\Temp\7f54c76d79940af03f00b3b9b537536ebd74d1f57b7c5da45f9a2ec0b6b3bea0.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sn0fpnr3.l11.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD52d91e5f5f46d302f1339cd9ff08407d8
SHA1a3bbde1ea28b3661fe8a3a2f637743f15e95becd
SHA256df0a601c4674132e6a7b1694f1655f3bc06e5c9ec4edad83645ac40db1bd18bd
SHA512ead16504682c3f31da540e21cbb779d5107f344bdb8bfb38be381e5e4c8642cc7098b44e43631a9f1cbfec2312719090db5c200e97f06de4613d80016faaaa2b
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD58e3763a6f4a69b692b64ef13eae1cf37
SHA16d4d1437968c55027bf3d83d2c53ef9240ea65dc
SHA25697a7eefab05cc71c11dc2b511fe902b516c47fff8013d55819d19d194a849458
SHA5128ae66b8b29b035cf8e7966497198da7b3eed74dbb8a1e91f3dece9cf1c7c861bd32cc929654391306444751a3b9e3d3889aa936e1f9ecc17864a7e1f911d26c7
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD58b33c3f0acd8a26d206ba588401afe55
SHA13693593c49e62d9823091ce0bd69bc0280e9c808
SHA256e7bd5db33b8beed9cd9347ba250d5c2e0c37b5025e895d14782a3c77883db564
SHA512fb083399cf829d0eb7b2ff386d2e4af4340eefac99b57dece1f9bd80732118e5140e9ffb6948c93d2fe7e0b3fc1855af5b2dd5551d3fff2d3c8d997f8f00101b
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5522e03ea5301b240778cb42afbf813e9
SHA109de097a0fe168a04afcce41b42fb2cc97d082c9
SHA25694142bd7f61f6fb4ca2dc8157377c26c4cd183b337f190a805cfef0356ef1d95
SHA5128e72340e69f9f584d7767c97c1c71ad6e97a5f005132667fc79bee3107af393c8d1343e2dfd8d1a7dba094182aec023f7335415677254f098c2bd87f3bec1c64
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5fed90fbbd63b93172221d7ab667812f3
SHA1f631f1041e9f738fcb7498c5df8a908a0839e50a
SHA25633a4cc1b926de6a4314d3fa1daf5b8e003f9d7ed8e555231f651fd8448578b4b
SHA512b9b7e7dba6e1c6d832dc141fa8a53052c3c0b1186663b487f31783edcd1ae9a385fa4c4cc097395372b90bf45cbd55300f546201e2345141f0d2b492cbe3c2c3
-
C:\Windows\rss\csrss.exeFilesize
4.2MB
MD54c86430e2a35691b0b38cce6cde9255d
SHA1bc6c21527c29c084b11c1088d80d51396f5eb8a8
SHA2567f54c76d79940af03f00b3b9b537536ebd74d1f57b7c5da45f9a2ec0b6b3bea0
SHA512cdad7e37bd3860e0a5a45f738950f831eb4a2376f3dfce979b67887f6d45321030a2a4b327f56d123434039bcbd018a1561823ce0423e4b96deba48823d38834
-
memory/448-46-0x0000000007340000-0x0000000007351000-memory.dmpFilesize
68KB
-
memory/448-44-0x0000000007320000-0x000000000732A000-memory.dmpFilesize
40KB
-
memory/448-10-0x0000000004D90000-0x0000000004DF6000-memory.dmpFilesize
408KB
-
memory/448-18-0x00000000055B0000-0x0000000005904000-memory.dmpFilesize
3.3MB
-
memory/448-22-0x0000000005C40000-0x0000000005C5E000-memory.dmpFilesize
120KB
-
memory/448-23-0x0000000005D00000-0x0000000005D4C000-memory.dmpFilesize
304KB
-
memory/448-24-0x0000000006070000-0x00000000060B4000-memory.dmpFilesize
272KB
-
memory/448-25-0x0000000006F80000-0x0000000006FF6000-memory.dmpFilesize
472KB
-
memory/448-27-0x0000000007020000-0x000000000703A000-memory.dmpFilesize
104KB
-
memory/448-26-0x0000000007680000-0x0000000007CFA000-memory.dmpFilesize
6.5MB
-
memory/448-42-0x0000000004940000-0x0000000004950000-memory.dmpFilesize
64KB
-
memory/448-41-0x0000000007210000-0x000000000722E000-memory.dmpFilesize
120KB
-
memory/448-43-0x0000000007230000-0x00000000072D3000-memory.dmpFilesize
652KB
-
memory/448-31-0x00000000709C0000-0x0000000070D14000-memory.dmpFilesize
3.3MB
-
memory/448-30-0x00000000705D0000-0x000000007061C000-memory.dmpFilesize
304KB
-
memory/448-29-0x00000000071D0000-0x0000000007202000-memory.dmpFilesize
200KB
-
memory/448-28-0x000000007FA80000-0x000000007FA90000-memory.dmpFilesize
64KB
-
memory/448-7-0x0000000004940000-0x0000000004950000-memory.dmpFilesize
64KB
-
memory/448-45-0x00000000073E0000-0x0000000007476000-memory.dmpFilesize
600KB
-
memory/448-9-0x0000000004CF0000-0x0000000004D12000-memory.dmpFilesize
136KB
-
memory/448-47-0x0000000007380000-0x000000000738E000-memory.dmpFilesize
56KB
-
memory/448-48-0x0000000007390000-0x00000000073A4000-memory.dmpFilesize
80KB
-
memory/448-49-0x0000000007480000-0x000000000749A000-memory.dmpFilesize
104KB
-
memory/448-50-0x00000000073D0000-0x00000000073D8000-memory.dmpFilesize
32KB
-
memory/448-53-0x0000000074730000-0x0000000074EE0000-memory.dmpFilesize
7.7MB
-
memory/448-11-0x0000000004E70000-0x0000000004ED6000-memory.dmpFilesize
408KB
-
memory/448-8-0x0000000004940000-0x0000000004950000-memory.dmpFilesize
64KB
-
memory/448-5-0x0000000074730000-0x0000000074EE0000-memory.dmpFilesize
7.7MB
-
memory/448-6-0x0000000004F80000-0x00000000055A8000-memory.dmpFilesize
6.2MB
-
memory/448-4-0x0000000002610000-0x0000000002646000-memory.dmpFilesize
216KB
-
memory/1908-59-0x0000000003E60000-0x000000000474B000-memory.dmpFilesize
8.9MB
-
memory/1908-3-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/1908-2-0x0000000003E60000-0x000000000474B000-memory.dmpFilesize
8.9MB
-
memory/1908-57-0x0000000003A60000-0x0000000003E59000-memory.dmpFilesize
4.0MB
-
memory/1908-73-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/1908-1-0x0000000003A60000-0x0000000003E59000-memory.dmpFilesize
4.0MB
-
memory/3092-281-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3092-263-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3092-261-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3092-259-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3092-257-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3092-265-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3092-267-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3092-269-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3092-271-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3092-273-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3092-275-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3092-277-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3092-279-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3192-122-0x00000000033E0000-0x00000000033F0000-memory.dmpFilesize
64KB
-
memory/3192-96-0x00000000033E0000-0x00000000033F0000-memory.dmpFilesize
64KB
-
memory/3192-112-0x0000000070D50000-0x00000000710A4000-memory.dmpFilesize
3.3MB
-
memory/3192-111-0x000000007EFD0000-0x000000007EFE0000-memory.dmpFilesize
64KB
-
memory/3192-110-0x00000000705D0000-0x000000007061C000-memory.dmpFilesize
304KB
-
memory/3192-95-0x0000000074730000-0x0000000074EE0000-memory.dmpFilesize
7.7MB
-
memory/3192-124-0x0000000074730000-0x0000000074EE0000-memory.dmpFilesize
7.7MB
-
memory/3192-97-0x00000000033E0000-0x00000000033F0000-memory.dmpFilesize
64KB
-
memory/3192-98-0x0000000006300000-0x0000000006654000-memory.dmpFilesize
3.3MB
-
memory/3432-125-0x0000000074730000-0x0000000074EE0000-memory.dmpFilesize
7.7MB
-
memory/3432-126-0x00000000034C0000-0x00000000034D0000-memory.dmpFilesize
64KB
-
memory/4432-58-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/4432-156-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/4432-55-0x0000000003AB0000-0x0000000003EAF000-memory.dmpFilesize
4.0MB
-
memory/4432-56-0x0000000003EB0000-0x000000000479B000-memory.dmpFilesize
8.9MB
-
memory/4432-109-0x0000000003AB0000-0x0000000003EAF000-memory.dmpFilesize
4.0MB
-
memory/4464-89-0x00000000076D0000-0x00000000076E1000-memory.dmpFilesize
68KB
-
memory/4464-76-0x0000000070770000-0x0000000070AC4000-memory.dmpFilesize
3.3MB
-
memory/4464-86-0x00000000073B0000-0x0000000007453000-memory.dmpFilesize
652KB
-
memory/4464-88-0x0000000004DA0000-0x0000000004DB0000-memory.dmpFilesize
64KB
-
memory/4464-87-0x0000000004DA0000-0x0000000004DB0000-memory.dmpFilesize
64KB
-
memory/4464-75-0x00000000705D0000-0x000000007061C000-memory.dmpFilesize
304KB
-
memory/4464-72-0x0000000005D00000-0x0000000006054000-memory.dmpFilesize
3.3MB
-
memory/4464-71-0x0000000004DA0000-0x0000000004DB0000-memory.dmpFilesize
64KB
-
memory/4464-61-0x0000000004DA0000-0x0000000004DB0000-memory.dmpFilesize
64KB
-
memory/4464-60-0x0000000074730000-0x0000000074EE0000-memory.dmpFilesize
7.7MB
-
memory/4464-74-0x000000007EF90000-0x000000007EFA0000-memory.dmpFilesize
64KB
-
memory/4464-90-0x0000000007720000-0x0000000007734000-memory.dmpFilesize
80KB
-
memory/4464-93-0x0000000074730000-0x0000000074EE0000-memory.dmpFilesize
7.7MB