Analysis
-
max time kernel
146s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
20-04-2024 15:27
General
-
Target
5adcf97178cde6104de0bff9b725af1e1445ccc843257400dcca2fff5e454c9b.exe
-
Size
4.2MB
-
MD5
2b596a8638205ca939c5a25260b86acc
-
SHA1
418a5b80b82440d26e5e8f0955bbf02f739decac
-
SHA256
5adcf97178cde6104de0bff9b725af1e1445ccc843257400dcca2fff5e454c9b
-
SHA512
7a417ba0a3e3ef70d8466bea1e7d1a031b426d76fc0ef80cdcc28dc96988c364992446dd0c878caa0cfef79fdfd12cd4ace152cbf896a43e58b355d90cd32737
-
SSDEEP
49152:JKOdvREmi8iTwPpeYBnAu4QJI7RESGN2UNQnUyHdr+bW0USBgrsqhT/DWSjgq2Sb:AOLEfT6eYBhfhWV+b2vbWNq2SbuhRi
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 16 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 6 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 2 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5adcf97178cde6104de0bff9b725af1e1445ccc843257400dcca2fff5e454c9b.exe"C:\Users\Admin\AppData\Local\Temp\5adcf97178cde6104de0bff9b725af1e1445ccc843257400dcca2fff5e454c9b.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\5adcf97178cde6104de0bff9b725af1e1445ccc843257400dcca2fff5e454c9b.exe"C:\Users\Admin\AppData\Local\Temp\5adcf97178cde6104de0bff9b725af1e1445ccc843257400dcca2fff5e454c9b.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3736 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p3ntojw3.0jr.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5171acbc405e718cc02d2948a443e29fb
SHA1202624cd23fb6ef01e235ca958d700dc02a4c904
SHA256731a5af1c5e23c8634abbaffba3801b7ca26d584442686999f7481fcbda8dec9
SHA5126d84a6ae8681f624c4a7d3b26da9f9a1b1a325131d808f3cc8a393442568753fc9fea9a83c1759866b2a8edbef4ea924d1084b296184417f8efcbe4e69a58c2d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5fc19cb202cca4f44dccb484552dacf25
SHA13172f8eae5babc1da89135cd254075fa71afb218
SHA2562ed542b846f5b99c49ca679dc0c6e296b04c12408354baa47a861d8d78e83adf
SHA51273571c0a1cec1abd7d28558e701204bcc2adb0b3918fad6c0ace9c134e6d1f84769f4abc7b92ae662253de9dfea8b65a51b7f6c9819f59953b22c609b85026c3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD59b07a6eacc80d7d59e08825c0eceef5a
SHA1246090d97bd6ab68f514e28ce2d5e459336523b6
SHA25668fe0d594c715d5dfdb0a86cbd51192a2d441ebc7fc1520291d5324f58eab980
SHA5129f6af4930f4003c026e180c2e812d91befa7481a98fd6500f13ac08d8fd89e3be8268e430e77503f718fe2807766d35101cf2f7b5b89a7385ef205332797e0aa
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD595e9fc008d0b3183b19b39f37be0c273
SHA124de0ac548fe653810ed8f2a79201fd30c85374a
SHA25677dda20b4f67d180cf19cf4f9c3fd89dbecaa84472125b15b3b2ea8c1bb4c1c8
SHA51206e92eafc1b760a66e014cfcdb5e71a8a1536ac3282912bab97b2f2b3825f580089a34c89ee0765210d1677754ace08c8dfb5a9895d8a789dfa87a292480592a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5e65e35642273336dd7e71e5a5dba0888
SHA1ceb34f44aa51b99f280edcfe187a053f061dc90b
SHA256b7db57bf21e37c33e3629b38e0b276039216c7670fe65fdd4302e9714ad2a8c2
SHA512ac67091964232a33570770a008349eeeed003080ce3e2e67c138da951afabc9b39372f8a9a5cc55917d5bb70032e138ced58fe06927ca00cb00925502e937c3c
-
C:\Windows\rss\csrss.exeFilesize
4.2MB
MD52b596a8638205ca939c5a25260b86acc
SHA1418a5b80b82440d26e5e8f0955bbf02f739decac
SHA2565adcf97178cde6104de0bff9b725af1e1445ccc843257400dcca2fff5e454c9b
SHA5127a417ba0a3e3ef70d8466bea1e7d1a031b426d76fc0ef80cdcc28dc96988c364992446dd0c878caa0cfef79fdfd12cd4ace152cbf896a43e58b355d90cd32737
-
memory/608-142-0x0000000074610000-0x0000000074DC0000-memory.dmpFilesize
7.7MB
-
memory/2140-67-0x000000007F750000-0x000000007F760000-memory.dmpFilesize
64KB
-
memory/2140-57-0x0000000007A70000-0x0000000007A81000-memory.dmpFilesize
68KB
-
memory/2140-12-0x00000000050F0000-0x0000000005112000-memory.dmpFilesize
136KB
-
memory/2140-13-0x0000000005440000-0x00000000054A6000-memory.dmpFilesize
408KB
-
memory/2140-14-0x00000000054B0000-0x0000000005516000-memory.dmpFilesize
408KB
-
memory/2140-5-0x0000000074610000-0x0000000074DC0000-memory.dmpFilesize
7.7MB
-
memory/2140-20-0x0000000005D30000-0x0000000006084000-memory.dmpFilesize
3.3MB
-
memory/2140-26-0x0000000006390000-0x00000000063AE000-memory.dmpFilesize
120KB
-
memory/2140-27-0x0000000006460000-0x00000000064AC000-memory.dmpFilesize
304KB
-
memory/2140-28-0x0000000074610000-0x0000000074DC0000-memory.dmpFilesize
7.7MB
-
memory/2140-29-0x0000000004FC0000-0x0000000004FD0000-memory.dmpFilesize
64KB
-
memory/2140-30-0x0000000006890000-0x00000000068D4000-memory.dmpFilesize
272KB
-
memory/2140-32-0x0000000004FC0000-0x0000000004FD0000-memory.dmpFilesize
64KB
-
memory/2140-33-0x0000000004FC0000-0x0000000004FD0000-memory.dmpFilesize
64KB
-
memory/2140-34-0x0000000007690000-0x0000000007706000-memory.dmpFilesize
472KB
-
memory/2140-7-0x0000000002A30000-0x0000000002A66000-memory.dmpFilesize
216KB
-
memory/2140-36-0x0000000007E10000-0x000000000848A000-memory.dmpFilesize
6.5MB
-
memory/2140-37-0x00000000077C0000-0x00000000077DA000-memory.dmpFilesize
104KB
-
memory/2140-39-0x000000007F750000-0x000000007F760000-memory.dmpFilesize
64KB
-
memory/2140-40-0x0000000007860000-0x0000000007892000-memory.dmpFilesize
200KB
-
memory/2140-41-0x00000000704B0000-0x00000000704FC000-memory.dmpFilesize
304KB
-
memory/2140-42-0x0000000070650000-0x00000000709A4000-memory.dmpFilesize
3.3MB
-
memory/2140-52-0x0000000007800000-0x000000000781E000-memory.dmpFilesize
120KB
-
memory/2140-53-0x0000000007960000-0x0000000007A03000-memory.dmpFilesize
652KB
-
memory/2140-6-0x0000000004FC0000-0x0000000004FD0000-memory.dmpFilesize
64KB
-
memory/2140-55-0x0000000007AD0000-0x0000000007ADA000-memory.dmpFilesize
40KB
-
memory/2140-56-0x0000000007B80000-0x0000000007C16000-memory.dmpFilesize
600KB
-
memory/2140-8-0x0000000005600000-0x0000000005C28000-memory.dmpFilesize
6.2MB
-
memory/2140-58-0x0000000004FC0000-0x0000000004FD0000-memory.dmpFilesize
64KB
-
memory/2140-60-0x0000000000E90000-0x0000000000E9E000-memory.dmpFilesize
56KB
-
memory/2140-61-0x0000000000EA0000-0x0000000000EB4000-memory.dmpFilesize
80KB
-
memory/2140-62-0x0000000007AB0000-0x0000000007ACA000-memory.dmpFilesize
104KB
-
memory/2140-63-0x0000000000EE0000-0x0000000000EE8000-memory.dmpFilesize
32KB
-
memory/2140-68-0x0000000074610000-0x0000000074DC0000-memory.dmpFilesize
7.7MB
-
memory/2160-124-0x00000000061C0000-0x0000000006514000-memory.dmpFilesize
3.3MB
-
memory/2160-113-0x00000000050D0000-0x00000000050E0000-memory.dmpFilesize
64KB
-
memory/2160-127-0x00000000704B0000-0x00000000704FC000-memory.dmpFilesize
304KB
-
memory/2160-126-0x000000007FB80000-0x000000007FB90000-memory.dmpFilesize
64KB
-
memory/2160-114-0x00000000050D0000-0x00000000050E0000-memory.dmpFilesize
64KB
-
memory/2160-112-0x0000000074610000-0x0000000074DC0000-memory.dmpFilesize
7.7MB
-
memory/2160-128-0x0000000070630000-0x0000000070984000-memory.dmpFilesize
3.3MB
-
memory/2160-139-0x0000000074610000-0x0000000074DC0000-memory.dmpFilesize
7.7MB
-
memory/3468-104-0x0000000007500000-0x0000000007514000-memory.dmpFilesize
80KB
-
memory/3468-87-0x0000000002AD0000-0x0000000002AE0000-memory.dmpFilesize
64KB
-
memory/3468-75-0x0000000002AD0000-0x0000000002AE0000-memory.dmpFilesize
64KB
-
memory/3468-89-0x00000000704B0000-0x00000000704FC000-memory.dmpFilesize
304KB
-
memory/3468-88-0x000000007F920000-0x000000007F930000-memory.dmpFilesize
64KB
-
memory/3468-90-0x0000000070C30000-0x0000000070F84000-memory.dmpFilesize
3.3MB
-
memory/3468-100-0x0000000007180000-0x0000000007223000-memory.dmpFilesize
652KB
-
memory/3468-74-0x0000000074610000-0x0000000074DC0000-memory.dmpFilesize
7.7MB
-
memory/3468-101-0x0000000007490000-0x00000000074A1000-memory.dmpFilesize
68KB
-
memory/3468-78-0x0000000005920000-0x0000000005C74000-memory.dmpFilesize
3.3MB
-
memory/3468-107-0x0000000074610000-0x0000000074DC0000-memory.dmpFilesize
7.7MB
-
memory/3468-76-0x0000000002AD0000-0x0000000002AE0000-memory.dmpFilesize
64KB
-
memory/3540-35-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3540-4-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3540-2-0x0000000004060000-0x000000000494B000-memory.dmpFilesize
8.9MB
-
memory/3540-3-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3540-9-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3540-10-0x0000000003C50000-0x0000000004055000-memory.dmpFilesize
4.0MB
-
memory/3540-73-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3540-54-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3540-11-0x0000000004060000-0x000000000494B000-memory.dmpFilesize
8.9MB
-
memory/3540-1-0x0000000003C50000-0x0000000004055000-memory.dmpFilesize
4.0MB
-
memory/3540-64-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3796-210-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3796-267-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3828-141-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3828-70-0x0000000003BC0000-0x0000000003FC5000-memory.dmpFilesize
4.0MB
-
memory/3828-72-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3828-173-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3828-103-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3828-71-0x0000000003FD0000-0x00000000048BB000-memory.dmpFilesize
8.9MB
-
memory/3828-108-0x0000000003BC0000-0x0000000003FC5000-memory.dmpFilesize
4.0MB
-
memory/3828-109-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB