Analysis
-
max time kernel
150s -
max time network
131s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
-
submitted
20-04-2024 16:10
General
-
Target
eeaeda4675cfb552f8be5387f6b10b527017bf8a76bce34d8b0fdd631bd32bcb.exe
-
Size
4.2MB
-
MD5
389c0a78675c61549372368b2650b715
-
SHA1
a6fad5d4d0cf7949a8bc2a57d655968bb77aa0d9
-
SHA256
eeaeda4675cfb552f8be5387f6b10b527017bf8a76bce34d8b0fdd631bd32bcb
-
SHA512
ecfab749f687a774c766634a1af432a769a232de86337c2c7c418506923978d20a9cd229cdc8e1ec869d86dc02fb66182d1fd978a66affbfa268c731ca770318
-
SSDEEP
49152:Ar1oHj0tlV0f9s8MWzX04BUpcYbKwdRAyQZQ93cNVdRbmMzimZc5ZnjMAqqwRi8X:ABcwtA9b44emOBqNRUORBLE4Ajzs
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 18 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\eeaeda4675cfb552f8be5387f6b10b527017bf8a76bce34d8b0fdd631bd32bcb.exe"C:\Users\Admin\AppData\Local\Temp\eeaeda4675cfb552f8be5387f6b10b527017bf8a76bce34d8b0fdd631bd32bcb.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\eeaeda4675cfb552f8be5387f6b10b527017bf8a76bce34d8b0fdd631bd32bcb.exe"C:\Users\Admin\AppData\Local\Temp\eeaeda4675cfb552f8be5387f6b10b527017bf8a76bce34d8b0fdd631bd32bcb.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gtm21o1w.ooe.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5ac4917a885cf6050b1a483e4bc4d2ea5
SHA1b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD53c2f204d8c52106dd8e4203200262f5a
SHA1ea4b32176b2c711bf9e4830f968d47872c84f703
SHA2564f39cc1f829c258f3da92b98db0f1cc61882553d06062dc15d526c630c47609d
SHA5122e4496a4b612e05055a9b60ac826ba3bffe77009f4296166dd6a795f0229e317eee68931752abec7c3172e488426b8a9e430331f6914a596455cdf8a80af215c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5330b220968d1d5bcbc464645e1b49bd9
SHA1e67bd33c66956838940e83a0f9ff4387ccae907e
SHA2565057b54f2f1b4736c88e47fae1a1cbd368930565ddf59edce143b12ec23a8f3a
SHA512c5d632a02065de22ca2f695ac407cb215165a21b19239219a8faf927aa9221e9e55bea313addf11c6d38f64210232b684379c193912438ec78be7399282bc80c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD58a33c8a897386592272d98a1164e7b2d
SHA13f6fdc43f7b0bc3d7a3e374d7303e02c97027eaa
SHA25642266624440142ab59d6705a84fdd7622bb0645182fa6d69093845a682d60ded
SHA5120ff61d605b807bf962402b87e93b2f230dc98dcfafb3e94feeafa8ed6242a04b4ce724b1715fa314e55d64b9d9bf15adf95a777eeb861bbf84fda5f9490e1eea
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5de8617acf38ff02bbe76ed333257c19b
SHA1ed0e1eb130f6b363043ab58d7dee378d06aa3c3e
SHA25602514b59d45bdff56577691a11f1d38491365b0a30e15c7138c09ef0a5eea6a8
SHA51240525cf64ba93f4bb12fa01fe243ffdcdd59e4aa0235f9fed15986fd6b1bb8d8c61accca7e541fa8b6ee22c8e7faf0d404104dd594cca3f85bce57738efc907e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5011c30901dc7cadb550f852a5e19300c
SHA1f909bd610b0b0cad189f5a036747cf320ad060b6
SHA25652b23f36021b8412296c0ae82a5f0cca60d12265db410c52e11c3e8f888627f1
SHA5121e1e462e6563370d13ed88ebc5f165789ea7fcd04371bdd150975f5606eacebd9b454daef2949bfa0e251278c2234b5808fb60ba6e528812dbc497b483150861
-
C:\Windows\rss\csrss.exeFilesize
4.2MB
MD5389c0a78675c61549372368b2650b715
SHA1a6fad5d4d0cf7949a8bc2a57d655968bb77aa0d9
SHA256eeaeda4675cfb552f8be5387f6b10b527017bf8a76bce34d8b0fdd631bd32bcb
SHA512ecfab749f687a774c766634a1af432a769a232de86337c2c7c418506923978d20a9cd229cdc8e1ec869d86dc02fb66182d1fd978a66affbfa268c731ca770318
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/252-141-0x0000000074250000-0x0000000074A01000-memory.dmpFilesize
7.7MB
-
memory/252-128-0x00000000704C0000-0x000000007050C000-memory.dmpFilesize
304KB
-
memory/252-129-0x00000000706D0000-0x0000000070A27000-memory.dmpFilesize
3.3MB
-
memory/252-139-0x0000000002B70000-0x0000000002B80000-memory.dmpFilesize
64KB
-
memory/252-122-0x0000000005C00000-0x0000000005F57000-memory.dmpFilesize
3.3MB
-
memory/252-116-0x0000000002B70000-0x0000000002B80000-memory.dmpFilesize
64KB
-
memory/252-115-0x0000000002B70000-0x0000000002B80000-memory.dmpFilesize
64KB
-
memory/252-114-0x0000000074250000-0x0000000074A01000-memory.dmpFilesize
7.7MB
-
memory/660-248-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/1008-81-0x0000000007130000-0x0000000007145000-memory.dmpFilesize
84KB
-
memory/1008-54-0x0000000074250000-0x0000000074A01000-memory.dmpFilesize
7.7MB
-
memory/1008-84-0x0000000074250000-0x0000000074A01000-memory.dmpFilesize
7.7MB
-
memory/1008-80-0x00000000070E0000-0x00000000070F1000-memory.dmpFilesize
68KB
-
memory/1008-79-0x0000000002320000-0x0000000002330000-memory.dmpFilesize
64KB
-
memory/1008-78-0x000000007EF90000-0x000000007EFA0000-memory.dmpFilesize
64KB
-
memory/1008-77-0x0000000006D90000-0x0000000006E34000-memory.dmpFilesize
656KB
-
memory/1008-68-0x00000000706F0000-0x0000000070A47000-memory.dmpFilesize
3.3MB
-
memory/1008-67-0x00000000704C0000-0x000000007050C000-memory.dmpFilesize
304KB
-
memory/1008-65-0x0000000005630000-0x0000000005987000-memory.dmpFilesize
3.3MB
-
memory/1008-55-0x0000000002320000-0x0000000002330000-memory.dmpFilesize
64KB
-
memory/1008-56-0x0000000002320000-0x0000000002330000-memory.dmpFilesize
64KB
-
memory/1408-53-0x0000000000400000-0x0000000001DF8000-memory.dmpFilesize
26.0MB
-
memory/1408-146-0x0000000000400000-0x0000000001DF8000-memory.dmpFilesize
26.0MB
-
memory/1408-52-0x0000000003B60000-0x0000000003F5C000-memory.dmpFilesize
4.0MB
-
memory/1408-113-0x0000000000400000-0x0000000001DF8000-memory.dmpFilesize
26.0MB
-
memory/1408-138-0x0000000003B60000-0x0000000003F5C000-memory.dmpFilesize
4.0MB
-
memory/1492-252-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/1492-267-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/1492-258-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/1840-271-0x0000000000400000-0x0000000001DF8000-memory.dmpFilesize
26.0MB
-
memory/1840-253-0x0000000000400000-0x0000000001DF8000-memory.dmpFilesize
26.0MB
-
memory/1840-265-0x0000000000400000-0x0000000001DF8000-memory.dmpFilesize
26.0MB
-
memory/1840-268-0x0000000000400000-0x0000000001DF8000-memory.dmpFilesize
26.0MB
-
memory/1840-259-0x0000000000400000-0x0000000001DF8000-memory.dmpFilesize
26.0MB
-
memory/1840-274-0x0000000000400000-0x0000000001DF8000-memory.dmpFilesize
26.0MB
-
memory/1840-277-0x0000000000400000-0x0000000001DF8000-memory.dmpFilesize
26.0MB
-
memory/1840-250-0x0000000000400000-0x0000000001DF8000-memory.dmpFilesize
26.0MB
-
memory/1840-280-0x0000000000400000-0x0000000001DF8000-memory.dmpFilesize
26.0MB
-
memory/1840-240-0x0000000000400000-0x0000000001DF8000-memory.dmpFilesize
26.0MB
-
memory/1840-262-0x0000000000400000-0x0000000001DF8000-memory.dmpFilesize
26.0MB
-
memory/1840-256-0x0000000000400000-0x0000000001DF8000-memory.dmpFilesize
26.0MB
-
memory/2040-5-0x0000000074250000-0x0000000074A01000-memory.dmpFilesize
7.7MB
-
memory/2040-7-0x0000000005000000-0x000000000562A000-memory.dmpFilesize
6.2MB
-
memory/2040-37-0x00000000070D0000-0x0000000007174000-memory.dmpFilesize
656KB
-
memory/2040-38-0x0000000007840000-0x0000000007EBA000-memory.dmpFilesize
6.5MB
-
memory/2040-39-0x0000000007200000-0x000000000721A000-memory.dmpFilesize
104KB
-
memory/2040-40-0x0000000007240000-0x000000000724A000-memory.dmpFilesize
40KB
-
memory/2040-41-0x0000000007300000-0x0000000007396000-memory.dmpFilesize
600KB
-
memory/2040-42-0x0000000007270000-0x0000000007281000-memory.dmpFilesize
68KB
-
memory/2040-43-0x00000000072B0000-0x00000000072BE000-memory.dmpFilesize
56KB
-
memory/2040-25-0x00000000704C0000-0x000000007050C000-memory.dmpFilesize
304KB
-
memory/2040-24-0x0000000007070000-0x00000000070A4000-memory.dmpFilesize
208KB
-
memory/2040-23-0x000000007F2F0000-0x000000007F300000-memory.dmpFilesize
64KB
-
memory/2040-22-0x0000000006090000-0x00000000060D6000-memory.dmpFilesize
280KB
-
memory/2040-21-0x0000000005910000-0x000000000595C000-memory.dmpFilesize
304KB
-
memory/2040-20-0x00000000058E0000-0x00000000058FE000-memory.dmpFilesize
120KB
-
memory/2040-19-0x0000000005A10000-0x0000000005D67000-memory.dmpFilesize
3.3MB
-
memory/2040-44-0x00000000072C0000-0x00000000072D5000-memory.dmpFilesize
84KB
-
memory/2040-15-0x0000000004EB0000-0x0000000004F16000-memory.dmpFilesize
408KB
-
memory/2040-9-0x0000000004D40000-0x0000000004DA6000-memory.dmpFilesize
408KB
-
memory/2040-8-0x0000000004CA0000-0x0000000004CC2000-memory.dmpFilesize
136KB
-
memory/2040-45-0x00000000073C0000-0x00000000073DA000-memory.dmpFilesize
104KB
-
memory/2040-26-0x0000000070640000-0x0000000070997000-memory.dmpFilesize
3.3MB
-
memory/2040-6-0x0000000002970000-0x0000000002980000-memory.dmpFilesize
64KB
-
memory/2040-35-0x00000000070B0000-0x00000000070CE000-memory.dmpFilesize
120KB
-
memory/2040-4-0x0000000002420000-0x0000000002456000-memory.dmpFilesize
216KB
-
memory/2040-36-0x0000000002970000-0x0000000002980000-memory.dmpFilesize
64KB
-
memory/2040-46-0x00000000073E0000-0x00000000073E8000-memory.dmpFilesize
32KB
-
memory/2040-49-0x0000000074250000-0x0000000074A01000-memory.dmpFilesize
7.7MB
-
memory/2776-110-0x0000000005050000-0x0000000005060000-memory.dmpFilesize
64KB
-
memory/2776-112-0x0000000074250000-0x0000000074A01000-memory.dmpFilesize
7.7MB
-
memory/2776-98-0x000000007FDC0000-0x000000007FDD0000-memory.dmpFilesize
64KB
-
memory/2776-99-0x00000000704C0000-0x000000007050C000-memory.dmpFilesize
304KB
-
memory/2776-100-0x0000000070640000-0x0000000070997000-memory.dmpFilesize
3.3MB
-
memory/2776-86-0x0000000074250000-0x0000000074A01000-memory.dmpFilesize
7.7MB
-
memory/2776-88-0x0000000005050000-0x0000000005060000-memory.dmpFilesize
64KB
-
memory/2776-87-0x0000000005050000-0x0000000005060000-memory.dmpFilesize
64KB
-
memory/2776-109-0x0000000005050000-0x0000000005060000-memory.dmpFilesize
64KB
-
memory/3056-1-0x0000000003D40000-0x000000000413C000-memory.dmpFilesize
4.0MB
-
memory/3056-66-0x0000000000400000-0x0000000001DF8000-memory.dmpFilesize
26.0MB
-
memory/3056-3-0x0000000000400000-0x0000000001DF8000-memory.dmpFilesize
26.0MB
-
memory/3056-2-0x0000000004140000-0x0000000004A2B000-memory.dmpFilesize
8.9MB
-
memory/3056-51-0x0000000003D40000-0x000000000413C000-memory.dmpFilesize
4.0MB