Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
-
submitted
21-04-2024 11:07
General
-
Target
52096564166fb991b652502a95dce1d0e73774361b004786b5a37b5eedd77b30.exe
-
Size
4.1MB
-
MD5
16eb18d58e16a643015c1acfae027309
-
SHA1
5413c8ccb44ccfade4159b3f0b034eccfd248f81
-
SHA256
52096564166fb991b652502a95dce1d0e73774361b004786b5a37b5eedd77b30
-
SHA512
48d125678c732268f06e745a28e8d491d30f18f9afa19b398ccf14f1a84c4e5074fd25c632856d1f55e020c0f412e1e85fcb95701a0cd8f9b8c78ceabc93a95c
-
SSDEEP
98304:Kb4JZ188yFg2NHKKQqaBHENhLOMTEbJ8tA7UUJu481DBG4:ZBdQ1naH+hM1NF8W4
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 20 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\52096564166fb991b652502a95dce1d0e73774361b004786b5a37b5eedd77b30.exe"C:\Users\Admin\AppData\Local\Temp\52096564166fb991b652502a95dce1d0e73774361b004786b5a37b5eedd77b30.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\52096564166fb991b652502a95dce1d0e73774361b004786b5a37b5eedd77b30.exe"C:\Users\Admin\AppData\Local\Temp\52096564166fb991b652502a95dce1d0e73774361b004786b5a37b5eedd77b30.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yyzomcik.4sb.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5d0c46cad6c0778401e21910bd6b56b70
SHA17be418951ea96326aca445b8dfe449b2bfa0dca6
SHA2569600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5a6fa91ba7d715792a4dfa5b0523ebc57
SHA1091370ce8ddb10bf0e58cf6147dc53f9e0cd4e5b
SHA256b74fd932b385430761dc55cb645f6bb8172e174f6469ae808bf0bbf93dc6a1b4
SHA51273618f5117755c559bb07ee6fcf47c2b3a54db7b4f6e7ba3835823453297d3f04122946a9fdb281b2cd6ef7de381447157f1bbd760a29d81ec8b4f4655e20a52
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD515b40b3650adeb080348e2c1ef54b771
SHA11116ef1f35c7bc445282046a17f3390e43189598
SHA2568e58d8b487047af22a64303bdcdc910042c4c3e62c31245ee6def36674c67d67
SHA512259828d3751bedb7e3e248a3b41886b12270d8128e190d4a739244f1b03357260acb20ab998cef7e34ab26c86a46b662230cc3381fa3c6586f9dabc231b69398
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD54d00e23e49d743392680abfbc62d6f38
SHA1fc9c6227797e89e06d16feaa17ec18d26d71352a
SHA2561a229eb183b18e79db8f72a6fbfc02d30765dde38ff9386e965dbb3c9406a696
SHA51233d91e680ff274c7c9bb85962bce95549909787fd00536697afdc7f26b31c2c4376c13c611708ad1efd8779fe5563dda3102d4248759a46c0c8798af698fe804
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD519365b73a19a1b99eaa7695d9b5f19f7
SHA111b4fc2d10a32980122ed817e692a15f9a04a88d
SHA256e26460e4b3288f2b663b01d53743a20bc09cbf1482df93c424b0992ad638059d
SHA5121f2a973f153580bf413ce0ad4434867aabd63acdef85798cb540c4fb53edaa93acd63d2d44164c61933c96cbf26cadb006f0c21c87d2788bca154ca47bc4a154
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5f77e3bdaca024308647fdf3a9376c73c
SHA1e316a0ff5dd0740a48ad1a3dbaacf32c28686a9f
SHA2560f1cef8bfdaf5835851cc44ba6c6db21f48cbad5aac3b9d067209624cd8145e1
SHA512af7fb523a5650a704dbaa4b23324590c84a4153a56e8b32dd887450bb077446249d58ca229df318115f19f94900278118d7396eb6d3f31d2a342e82e9e3236dc
-
C:\Windows\rss\csrss.exeFilesize
4.1MB
MD516eb18d58e16a643015c1acfae027309
SHA15413c8ccb44ccfade4159b3f0b034eccfd248f81
SHA25652096564166fb991b652502a95dce1d0e73774361b004786b5a37b5eedd77b30
SHA51248d125678c732268f06e745a28e8d491d30f18f9afa19b398ccf14f1a84c4e5074fd25c632856d1f55e020c0f412e1e85fcb95701a0cd8f9b8c78ceabc93a95c
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/336-253-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/336-259-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/336-267-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/472-3-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/472-54-0x0000000003C80000-0x0000000004086000-memory.dmpFilesize
4.0MB
-
memory/472-78-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/472-1-0x0000000003C80000-0x0000000004086000-memory.dmpFilesize
4.0MB
-
memory/472-2-0x0000000004090000-0x000000000497B000-memory.dmpFilesize
8.9MB
-
memory/580-138-0x000000007FD00000-0x000000007FD10000-memory.dmpFilesize
64KB
-
memory/580-114-0x0000000074150000-0x0000000074901000-memory.dmpFilesize
7.7MB
-
memory/580-116-0x00000000029D0000-0x00000000029E0000-memory.dmpFilesize
64KB
-
memory/580-117-0x00000000029D0000-0x00000000029E0000-memory.dmpFilesize
64KB
-
memory/580-128-0x0000000070540000-0x0000000070897000-memory.dmpFilesize
3.3MB
-
memory/580-127-0x00000000703C0000-0x000000007040C000-memory.dmpFilesize
304KB
-
memory/652-81-0x0000000007010000-0x0000000007025000-memory.dmpFilesize
84KB
-
memory/652-55-0x0000000074150000-0x0000000074901000-memory.dmpFilesize
7.7MB
-
memory/652-84-0x0000000074150000-0x0000000074901000-memory.dmpFilesize
7.7MB
-
memory/652-80-0x0000000006FC0000-0x0000000006FD1000-memory.dmpFilesize
68KB
-
memory/652-79-0x0000000004750000-0x0000000004760000-memory.dmpFilesize
64KB
-
memory/652-77-0x0000000006CC0000-0x0000000006D64000-memory.dmpFilesize
656KB
-
memory/652-68-0x0000000070540000-0x0000000070897000-memory.dmpFilesize
3.3MB
-
memory/652-66-0x00000000703C0000-0x000000007040C000-memory.dmpFilesize
304KB
-
memory/652-67-0x000000007F740000-0x000000007F750000-memory.dmpFilesize
64KB
-
memory/652-57-0x0000000004750000-0x0000000004760000-memory.dmpFilesize
64KB
-
memory/652-56-0x0000000004750000-0x0000000004760000-memory.dmpFilesize
64KB
-
memory/2804-249-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/3092-7-0x00000000058C0000-0x00000000058D0000-memory.dmpFilesize
64KB
-
memory/3092-42-0x0000000007FB0000-0x0000000007FC1000-memory.dmpFilesize
68KB
-
memory/3092-4-0x0000000074150000-0x0000000074901000-memory.dmpFilesize
7.7MB
-
memory/3092-6-0x00000000058C0000-0x00000000058D0000-memory.dmpFilesize
64KB
-
memory/3092-5-0x00000000034B0000-0x00000000034E6000-memory.dmpFilesize
216KB
-
memory/3092-49-0x0000000074150000-0x0000000074901000-memory.dmpFilesize
7.7MB
-
memory/3092-46-0x0000000008040000-0x0000000008048000-memory.dmpFilesize
32KB
-
memory/3092-39-0x0000000007F50000-0x0000000007F6A000-memory.dmpFilesize
104KB
-
memory/3092-45-0x0000000008060000-0x000000000807A000-memory.dmpFilesize
104KB
-
memory/3092-44-0x0000000008010000-0x0000000008025000-memory.dmpFilesize
84KB
-
memory/3092-38-0x0000000008590000-0x0000000008C0A000-memory.dmpFilesize
6.5MB
-
memory/3092-43-0x0000000008000000-0x000000000800E000-memory.dmpFilesize
56KB
-
memory/3092-37-0x0000000007E20000-0x0000000007EC4000-memory.dmpFilesize
656KB
-
memory/3092-40-0x0000000007F90000-0x0000000007F9A000-memory.dmpFilesize
40KB
-
memory/3092-8-0x0000000005F00000-0x000000000652A000-memory.dmpFilesize
6.2MB
-
memory/3092-41-0x00000000080A0000-0x0000000008136000-memory.dmpFilesize
600KB
-
memory/3092-9-0x0000000005BF0000-0x0000000005C12000-memory.dmpFilesize
136KB
-
memory/3092-36-0x0000000007E00000-0x0000000007E1E000-memory.dmpFilesize
120KB
-
memory/3092-10-0x0000000005DA0000-0x0000000005E06000-memory.dmpFilesize
408KB
-
memory/3092-11-0x0000000005E10000-0x0000000005E76000-memory.dmpFilesize
408KB
-
memory/3092-20-0x0000000006530000-0x0000000006887000-memory.dmpFilesize
3.3MB
-
memory/3092-21-0x0000000006980000-0x000000000699E000-memory.dmpFilesize
120KB
-
memory/3092-22-0x0000000006A40000-0x0000000006A8C000-memory.dmpFilesize
304KB
-
memory/3092-27-0x0000000070540000-0x0000000070897000-memory.dmpFilesize
3.3MB
-
memory/3092-23-0x0000000006F00000-0x0000000006F46000-memory.dmpFilesize
280KB
-
memory/3092-26-0x00000000703C0000-0x000000007040C000-memory.dmpFilesize
304KB
-
memory/3092-25-0x0000000007DA0000-0x0000000007DD4000-memory.dmpFilesize
208KB
-
memory/3092-24-0x000000007EF70000-0x000000007EF80000-memory.dmpFilesize
64KB
-
memory/4864-115-0x0000000003C20000-0x000000000401A000-memory.dmpFilesize
4.0MB
-
memory/4864-53-0x0000000004020000-0x000000000490B000-memory.dmpFilesize
8.9MB
-
memory/4864-137-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/4864-52-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/4864-51-0x0000000003C20000-0x000000000401A000-memory.dmpFilesize
4.0MB
-
memory/4864-146-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/5004-252-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/5004-268-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/5004-282-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/5004-279-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/5004-240-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/5004-276-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/5004-273-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/5004-250-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/5004-270-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/5004-264-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/5004-255-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/5004-258-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/5004-261-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/5024-111-0x0000000004AD0000-0x0000000004AE0000-memory.dmpFilesize
64KB
-
memory/5024-102-0x0000000070D00000-0x0000000071057000-memory.dmpFilesize
3.3MB
-
memory/5024-113-0x0000000074150000-0x0000000074901000-memory.dmpFilesize
7.7MB
-
memory/5024-100-0x000000007F930000-0x000000007F940000-memory.dmpFilesize
64KB
-
memory/5024-101-0x00000000703C0000-0x000000007040C000-memory.dmpFilesize
304KB
-
memory/5024-86-0x0000000074150000-0x0000000074901000-memory.dmpFilesize
7.7MB
-
memory/5024-88-0x0000000004AD0000-0x0000000004AE0000-memory.dmpFilesize
64KB
-
memory/5024-89-0x0000000004AD0000-0x0000000004AE0000-memory.dmpFilesize
64KB
-
memory/5024-98-0x00000000059F0000-0x0000000005D47000-memory.dmpFilesize
3.3MB