Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
21-04-2024 08:03
General
-
Target
1aac2b0f958040cd44eb4b367f1e7274e4b1d6f856bf38aafb1fc3037d3a115c.exe
-
Size
4.1MB
-
MD5
becfba310b971125892bcbc120e8434a
-
SHA1
23868832b367b6900c69fa103f50abad905c6851
-
SHA256
1aac2b0f958040cd44eb4b367f1e7274e4b1d6f856bf38aafb1fc3037d3a115c
-
SHA512
a18c42be2b23d82a340bc1a2db3f4904cfdac4138229eb2c517dba746eac060fb20df8ef6f7ea955b895e20e81ef3ea7243c7c546b609a69326400a6530004ea
-
SSDEEP
98304:b4qWg+YQzLmftPjRs7JtBhUiZv1ggcXutB8ev+3Whzr+:bWg+YEmQ7rBhUiZtgg2AB8elhzr+
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 17 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1aac2b0f958040cd44eb4b367f1e7274e4b1d6f856bf38aafb1fc3037d3a115c.exe"C:\Users\Admin\AppData\Local\Temp\1aac2b0f958040cd44eb4b367f1e7274e4b1d6f856bf38aafb1fc3037d3a115c.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1aac2b0f958040cd44eb4b367f1e7274e4b1d6f856bf38aafb1fc3037d3a115c.exe"C:\Users\Admin\AppData\Local\Temp\1aac2b0f958040cd44eb4b367f1e7274e4b1d6f856bf38aafb1fc3037d3a115c.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ujtnuuii.txm.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD53952f0bc44c40f7aa5b6c6fbb618817c
SHA16b0ce0f623da3b70f1b7105850fc674519b1af12
SHA25678766b3b849c3ed4440e7e98e48acf1a953b226c29ce6837c58f30a7fa071ccb
SHA512be5a6c24bfdac79486929d4aa789ebad64b2f6fef20f4872a1cc7a45a9d8dbc04caab67ce2afddeafdb7816cb5eb702e6a9d49fc7a2b3c1ca61ed7e06a53b4f7
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD52d93ede270cfa0d8f1954fcd0cab6730
SHA1de43dd5e0f1add901d2133a917fa928fc18b36d7
SHA2560ab3b5db35dc6270c16aaece916790e448d77964615fc8804b3677932b56e162
SHA51250184c114daf673118c8698ab1c46dd55bc9814de21a9795be1a5f9cf98e33ab5121c1bbc48f0dc4cbb6fe3e032b380b3362dc92ddde4751c9c465554c4f0da3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5aabdde05532bc4454b6f6f9ef72717ff
SHA1d4e091154319db1a727cd328a3fd23effbb99026
SHA256803196bfa2bd1444a95590d52b7805ce6843baa4cce62b4c14af3971de370cde
SHA5124419b97f9c04fa370adae495b2d7e520ca9930ffa9544b016bcacf6112bcbdbd5bbbd7cee86532cb32d77a968ae722452d8782b8925798dd31623fe970b2945b
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD528b461f71358ce10f0d8a39d6b4be5e9
SHA1d3f5751b95db2208cf0a5a7bb4c4a94b2a96efbf
SHA25664a56a78bd109e0a57ea09950b93e72326c60756acc82c1d1f61683e0db0cf2a
SHA512f54313d259168cf102fb37564d97540dd01d2c3a804a2264f1c53e9731f4484bb085fec4596dfa5e041d5299f0dfd55d1a63b2fe7a310b9683c582940517bc04
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD56e09efcc5ce32598c158472435b96aa1
SHA13b2e61ed0d8c479d6e7d758a9fbdf6edef40f44c
SHA256249b58337b197032bc02e0b173606e51da7d68e7ea7db2e16db3efd8329da240
SHA512eae023ce48b04c29877bd2b30674b090a576051b18de9f9dcedee20fed35c18203b3a530f65860f6a449e31a0ce5cde8eb67d39434d7bdd31080e3f33f46af33
-
C:\Windows\rss\csrss.exeFilesize
4.1MB
MD5becfba310b971125892bcbc120e8434a
SHA123868832b367b6900c69fa103f50abad905c6851
SHA2561aac2b0f958040cd44eb4b367f1e7274e4b1d6f856bf38aafb1fc3037d3a115c
SHA512a18c42be2b23d82a340bc1a2db3f4904cfdac4138229eb2c517dba746eac060fb20df8ef6f7ea955b895e20e81ef3ea7243c7c546b609a69326400a6530004ea
-
memory/1280-74-0x0000000070B00000-0x0000000070E54000-memory.dmpFilesize
3.3MB
-
memory/1280-60-0x00000000048A0000-0x00000000048B0000-memory.dmpFilesize
64KB
-
memory/1280-71-0x00000000048A0000-0x00000000048B0000-memory.dmpFilesize
64KB
-
memory/1280-73-0x00000000703E0000-0x000000007042C000-memory.dmpFilesize
304KB
-
memory/1280-70-0x0000000005750000-0x0000000005AA4000-memory.dmpFilesize
3.3MB
-
memory/1280-59-0x0000000074540000-0x0000000074CF0000-memory.dmpFilesize
7.7MB
-
memory/1280-72-0x000000007F930000-0x000000007F940000-memory.dmpFilesize
64KB
-
memory/1280-86-0x00000000048A0000-0x00000000048B0000-memory.dmpFilesize
64KB
-
memory/1280-87-0x00000000072E0000-0x00000000072F1000-memory.dmpFilesize
68KB
-
memory/1280-88-0x0000000007330000-0x0000000007344000-memory.dmpFilesize
80KB
-
memory/1280-91-0x0000000074540000-0x0000000074CF0000-memory.dmpFilesize
7.7MB
-
memory/1280-84-0x0000000006DC0000-0x0000000006E63000-memory.dmpFilesize
652KB
-
memory/2172-55-0x0000000003A40000-0x0000000003E3E000-memory.dmpFilesize
4.0MB
-
memory/2172-228-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/2172-57-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/2172-119-0x0000000003A40000-0x0000000003E3E000-memory.dmpFilesize
4.0MB
-
memory/2332-257-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2548-1-0x0000000003B50000-0x0000000003F58000-memory.dmpFilesize
4.0MB
-
memory/2548-2-0x0000000003F60000-0x000000000484B000-memory.dmpFilesize
8.9MB
-
memory/2548-56-0x0000000003B50000-0x0000000003F58000-memory.dmpFilesize
4.0MB
-
memory/2548-3-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/2548-85-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/2548-58-0x0000000003F60000-0x000000000484B000-memory.dmpFilesize
8.9MB
-
memory/3024-122-0x0000000074540000-0x0000000074CF0000-memory.dmpFilesize
7.7MB
-
memory/3024-95-0x0000000002ED0000-0x0000000002EE0000-memory.dmpFilesize
64KB
-
memory/3024-94-0x0000000002ED0000-0x0000000002EE0000-memory.dmpFilesize
64KB
-
memory/3024-93-0x0000000074540000-0x0000000074CF0000-memory.dmpFilesize
7.7MB
-
memory/3024-105-0x0000000006350000-0x00000000066A4000-memory.dmpFilesize
3.3MB
-
memory/3024-109-0x0000000070B60000-0x0000000070EB4000-memory.dmpFilesize
3.3MB
-
memory/3024-120-0x0000000002ED0000-0x0000000002EE0000-memory.dmpFilesize
64KB
-
memory/3024-108-0x00000000703E0000-0x000000007042C000-memory.dmpFilesize
304KB
-
memory/3024-107-0x000000007F010000-0x000000007F020000-memory.dmpFilesize
64KB
-
memory/3700-41-0x00000000070F0000-0x000000000710E000-memory.dmpFilesize
120KB
-
memory/3700-26-0x0000000007550000-0x0000000007BCA000-memory.dmpFilesize
6.5MB
-
memory/3700-50-0x00000000072B0000-0x00000000072B8000-memory.dmpFilesize
32KB
-
memory/3700-49-0x0000000007360000-0x000000000737A000-memory.dmpFilesize
104KB
-
memory/3700-48-0x0000000007270000-0x0000000007284000-memory.dmpFilesize
80KB
-
memory/3700-47-0x0000000007260000-0x000000000726E000-memory.dmpFilesize
56KB
-
memory/3700-46-0x0000000007220000-0x0000000007231000-memory.dmpFilesize
68KB
-
memory/3700-45-0x00000000072C0000-0x0000000007356000-memory.dmpFilesize
600KB
-
memory/3700-44-0x0000000007200000-0x000000000720A000-memory.dmpFilesize
40KB
-
memory/3700-43-0x0000000007110000-0x00000000071B3000-memory.dmpFilesize
652KB
-
memory/3700-42-0x0000000000D30000-0x0000000000D40000-memory.dmpFilesize
64KB
-
memory/3700-31-0x0000000070560000-0x00000000708B4000-memory.dmpFilesize
3.3MB
-
memory/3700-29-0x00000000070B0000-0x00000000070E2000-memory.dmpFilesize
200KB
-
memory/3700-30-0x00000000703E0000-0x000000007042C000-memory.dmpFilesize
304KB
-
memory/3700-28-0x000000007FC80000-0x000000007FC90000-memory.dmpFilesize
64KB
-
memory/3700-4-0x0000000002570000-0x00000000025A6000-memory.dmpFilesize
216KB
-
memory/3700-27-0x0000000006EF0000-0x0000000006F0A000-memory.dmpFilesize
104KB
-
memory/3700-25-0x0000000006E50000-0x0000000006EC6000-memory.dmpFilesize
472KB
-
memory/3700-24-0x0000000006080000-0x00000000060C4000-memory.dmpFilesize
272KB
-
memory/3700-23-0x0000000005B50000-0x0000000005B9C000-memory.dmpFilesize
304KB
-
memory/3700-22-0x0000000005B10000-0x0000000005B2E000-memory.dmpFilesize
120KB
-
memory/3700-21-0x00000000054F0000-0x0000000005844000-memory.dmpFilesize
3.3MB
-
memory/3700-11-0x00000000053A0000-0x0000000005406000-memory.dmpFilesize
408KB
-
memory/3700-6-0x0000000000D30000-0x0000000000D40000-memory.dmpFilesize
64KB
-
memory/3700-7-0x0000000000D30000-0x0000000000D40000-memory.dmpFilesize
64KB
-
memory/3700-53-0x0000000074540000-0x0000000074CF0000-memory.dmpFilesize
7.7MB
-
memory/3700-10-0x0000000004BF0000-0x0000000004C56000-memory.dmpFilesize
408KB
-
memory/3700-5-0x0000000074540000-0x0000000074CF0000-memory.dmpFilesize
7.7MB
-
memory/3700-9-0x0000000004B50000-0x0000000004B72000-memory.dmpFilesize
136KB
-
memory/3700-8-0x0000000004C70000-0x0000000005298000-memory.dmpFilesize
6.2MB
-
memory/3968-272-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/3968-300-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4020-269-0x0000000074D10000-0x0000000074D2D000-memory.dmpFilesize
116KB
-
memory/4020-344-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/4020-248-0x0000000074D70000-0x0000000074D8D000-memory.dmpFilesize
116KB
-
memory/4020-392-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/4020-260-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/4020-244-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/4020-372-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/4020-274-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/4020-288-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/4020-358-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/4020-302-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/4020-316-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/4020-330-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/4384-123-0x0000000074540000-0x0000000074CF0000-memory.dmpFilesize
7.7MB
-
memory/4384-124-0x0000000002600000-0x0000000002610000-memory.dmpFilesize
64KB
-
memory/4384-125-0x0000000002600000-0x0000000002610000-memory.dmpFilesize
64KB
-
memory/4384-137-0x00000000703E0000-0x000000007042C000-memory.dmpFilesize
304KB