Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
21-04-2024 20:44
General
-
Target
e60638108fdda71ec90896ee9dd17fccbbacfc09e418e6a7c093d8c4c224a112.exe
-
Size
4.1MB
-
MD5
4ed905b1e21cb928b266ddba4d8c0880
-
SHA1
36bee9a6f35b92fa47b8e9c1379240b7491adaee
-
SHA256
e60638108fdda71ec90896ee9dd17fccbbacfc09e418e6a7c093d8c4c224a112
-
SHA512
e2242ae8d1af119396d3f1746cba241fbc8fcd5692267edda35d23668f5763f5e08ed3de84050f579cacf1b009153a8902befb56c6aac132afd4dc84a24849d6
-
SSDEEP
98304:owsyYpLI30hNm0X97sfQhuFOzbEeYixTYaktM3XAOoYGnm0lEI:ullzc0tsfv+41ixUfgAfRVT
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 18 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e60638108fdda71ec90896ee9dd17fccbbacfc09e418e6a7c093d8c4c224a112.exe"C:\Users\Admin\AppData\Local\Temp\e60638108fdda71ec90896ee9dd17fccbbacfc09e418e6a7c093d8c4c224a112.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\e60638108fdda71ec90896ee9dd17fccbbacfc09e418e6a7c093d8c4c224a112.exe"C:\Users\Admin\AppData\Local\Temp\e60638108fdda71ec90896ee9dd17fccbbacfc09e418e6a7c093d8c4c224a112.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e1db3ssz.t3w.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5b1639f5938851f1d8e16837313d698a3
SHA134a98dfee432b4c07e7104b77ff4acdac2995add
SHA2560d428acf31f11150b8567613620b243e1c107d5a0435512e79e3c1fd669c5bff
SHA512be8fd3af4097c99ea7fc840ae34adc7351c5ed74ac099feb92706bf58ca53bc56b4e86686b98a862cdd0ebd30f4334fda35fe755b0f813a5bf4633a2188807cb
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD557a60d6aa0fa475a63009e2e7cb0ca87
SHA10f64e0c531817d97814a20eb16b44588b6845b4a
SHA256916cb6bed4904a4f58cfba55ccf1199cda732cc2dd7232e2b72a814cc22a90bf
SHA5124a74872d9846eb540b2cc1b57f6545ef14ef72f5b975a10de428643e6f8bb47f505352d7614dbf81a072ce41501e6660d0288764fda5601c2660c42b08ae2b49
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5ae5ddf51ac403b1b743d88468eea2e98
SHA1f678cb9423ed639edef6dbe5fb99e7bf87290c33
SHA256f7cb31ea7014f21914059a77fb8eb2c25136b4ddf7b246b7d22d0873529d2bca
SHA512394f21ec6e50a5a6f7234a16e7203e15bb0de5434a8ab46f5bb6ada2d8f78c4114499307d8a94e3c56304d07dc47e29788577ed07d16e7b8a456e87b2569747c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD50cb6d422a6fc25871ab4c757bf1cfab6
SHA1309e79c541bc2fef9ed3a2dac2e933706bb93c92
SHA25629d1f70dac363a1e000f93e4668f50e64d5b5d103e4e301d62fdcdd51c702e0f
SHA512d43e1092dc759fa05cfc7f20de04061fbc11d5211ae3ca5b22129e47876446dff30f5dac6211b04857147e06bd4d8d45f3e2018698cf7e5eb875399fcc791855
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5545c4fb844469ebb50ed199754d2d0e6
SHA17625e68ea3fe7a9f95dcc55ad09bf6b92155b3c4
SHA256cc8130ba522b7fc3ff71085212617de00a587316515f9b9ccc2e85e574634554
SHA512de1c72eaf9d719194cffaf76a00a706c19f8996c87dc92c3a72b4fcfc12d99e2471e88e47e35b3f7f277a8ac414c84d0f64b8db18ad4c6c81a38a3482633004d
-
C:\Windows\rss\csrss.exeFilesize
4.1MB
MD54ed905b1e21cb928b266ddba4d8c0880
SHA136bee9a6f35b92fa47b8e9c1379240b7491adaee
SHA256e60638108fdda71ec90896ee9dd17fccbbacfc09e418e6a7c093d8c4c224a112
SHA512e2242ae8d1af119396d3f1746cba241fbc8fcd5692267edda35d23668f5763f5e08ed3de84050f579cacf1b009153a8902befb56c6aac132afd4dc84a24849d6
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/368-109-0x00000000710D0000-0x0000000071424000-memory.dmpFilesize
3.3MB
-
memory/368-94-0x00000000030F0000-0x0000000003100000-memory.dmpFilesize
64KB
-
memory/368-121-0x0000000074A40000-0x00000000751F0000-memory.dmpFilesize
7.7MB
-
memory/368-95-0x00000000030F0000-0x0000000003100000-memory.dmpFilesize
64KB
-
memory/368-119-0x00000000030F0000-0x0000000003100000-memory.dmpFilesize
64KB
-
memory/368-93-0x0000000074A40000-0x00000000751F0000-memory.dmpFilesize
7.7MB
-
memory/368-96-0x0000000005F20000-0x0000000006274000-memory.dmpFilesize
3.3MB
-
memory/368-108-0x0000000070940000-0x000000007098C000-memory.dmpFilesize
304KB
-
memory/368-107-0x000000007F3F0000-0x000000007F400000-memory.dmpFilesize
64KB
-
memory/2120-57-0x0000000006490000-0x0000000006D7B000-memory.dmpFilesize
8.9MB
-
memory/2120-55-0x0000000006080000-0x0000000006486000-memory.dmpFilesize
4.0MB
-
memory/2120-134-0x0000000006080000-0x0000000006486000-memory.dmpFilesize
4.0MB
-
memory/2120-156-0x0000000000400000-0x0000000004417000-memory.dmpFilesize
64.1MB
-
memory/2736-278-0x0000000000400000-0x0000000004417000-memory.dmpFilesize
64.1MB
-
memory/2736-286-0x0000000000400000-0x0000000004417000-memory.dmpFilesize
64.1MB
-
memory/2736-302-0x0000000000400000-0x0000000004417000-memory.dmpFilesize
64.1MB
-
memory/2736-299-0x0000000000400000-0x0000000004417000-memory.dmpFilesize
64.1MB
-
memory/2736-296-0x0000000000400000-0x0000000004417000-memory.dmpFilesize
64.1MB
-
memory/2736-259-0x0000000000400000-0x0000000004417000-memory.dmpFilesize
64.1MB
-
memory/2736-293-0x0000000000400000-0x0000000004417000-memory.dmpFilesize
64.1MB
-
memory/2736-290-0x0000000000400000-0x0000000004417000-memory.dmpFilesize
64.1MB
-
memory/2736-284-0x0000000000400000-0x0000000004417000-memory.dmpFilesize
64.1MB
-
memory/2736-269-0x0000000000400000-0x0000000004417000-memory.dmpFilesize
64.1MB
-
memory/2736-281-0x0000000000400000-0x0000000004417000-memory.dmpFilesize
64.1MB
-
memory/2736-272-0x0000000000400000-0x0000000004417000-memory.dmpFilesize
64.1MB
-
memory/2736-275-0x0000000000400000-0x0000000004417000-memory.dmpFilesize
64.1MB
-
memory/3032-122-0x0000000074A40000-0x00000000751F0000-memory.dmpFilesize
7.7MB
-
memory/3032-123-0x0000000002D70000-0x0000000002D80000-memory.dmpFilesize
64KB
-
memory/3032-135-0x0000000070940000-0x000000007098C000-memory.dmpFilesize
304KB
-
memory/3032-137-0x000000007FB30000-0x000000007FB40000-memory.dmpFilesize
64KB
-
memory/3032-136-0x00000000710D0000-0x0000000071424000-memory.dmpFilesize
3.3MB
-
memory/3268-56-0x00000000066C0000-0x0000000006FAB000-memory.dmpFilesize
8.9MB
-
memory/3268-53-0x0000000000400000-0x0000000004417000-memory.dmpFilesize
64.1MB
-
memory/3268-1-0x00000000062B0000-0x00000000066B7000-memory.dmpFilesize
4.0MB
-
memory/3268-2-0x00000000066C0000-0x0000000006FAB000-memory.dmpFilesize
8.9MB
-
memory/3460-267-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/3848-42-0x0000000007A10000-0x0000000007AB3000-memory.dmpFilesize
652KB
-
memory/3848-22-0x0000000006470000-0x00000000064BC000-memory.dmpFilesize
304KB
-
memory/3848-4-0x00000000749A0000-0x0000000075150000-memory.dmpFilesize
7.7MB
-
memory/3848-3-0x0000000002E50000-0x0000000002E86000-memory.dmpFilesize
216KB
-
memory/3848-5-0x0000000002E40000-0x0000000002E50000-memory.dmpFilesize
64KB
-
memory/3848-6-0x0000000002E40000-0x0000000002E50000-memory.dmpFilesize
64KB
-
memory/3848-7-0x0000000005560000-0x0000000005B88000-memory.dmpFilesize
6.2MB
-
memory/3848-8-0x00000000054A0000-0x00000000054C2000-memory.dmpFilesize
136KB
-
memory/3848-9-0x0000000005D40000-0x0000000005DA6000-memory.dmpFilesize
408KB
-
memory/3848-15-0x0000000005DB0000-0x0000000005E16000-memory.dmpFilesize
408KB
-
memory/3848-20-0x0000000005E20000-0x0000000006174000-memory.dmpFilesize
3.3MB
-
memory/3848-21-0x0000000006420000-0x000000000643E000-memory.dmpFilesize
120KB
-
memory/3848-23-0x0000000006980000-0x00000000069C4000-memory.dmpFilesize
272KB
-
memory/3848-24-0x0000000007550000-0x00000000075C6000-memory.dmpFilesize
472KB
-
memory/3848-25-0x0000000007E80000-0x00000000084FA000-memory.dmpFilesize
6.5MB
-
memory/3848-52-0x00000000749A0000-0x0000000075150000-memory.dmpFilesize
7.7MB
-
memory/3848-49-0x0000000007BA0000-0x0000000007BA8000-memory.dmpFilesize
32KB
-
memory/3848-48-0x0000000007C60000-0x0000000007C7A000-memory.dmpFilesize
104KB
-
memory/3848-47-0x0000000007B70000-0x0000000007B84000-memory.dmpFilesize
80KB
-
memory/3848-46-0x0000000007B60000-0x0000000007B6E000-memory.dmpFilesize
56KB
-
memory/3848-45-0x0000000007B20000-0x0000000007B31000-memory.dmpFilesize
68KB
-
memory/3848-44-0x0000000007BC0000-0x0000000007C56000-memory.dmpFilesize
600KB
-
memory/3848-43-0x0000000007B00000-0x0000000007B0A000-memory.dmpFilesize
40KB
-
memory/3848-41-0x0000000002E40000-0x0000000002E50000-memory.dmpFilesize
64KB
-
memory/3848-40-0x00000000079F0000-0x0000000007A0E000-memory.dmpFilesize
120KB
-
memory/3848-30-0x00000000709C0000-0x0000000070D14000-memory.dmpFilesize
3.3MB
-
memory/3848-29-0x0000000070840000-0x000000007088C000-memory.dmpFilesize
304KB
-
memory/3848-27-0x00000000079B0000-0x00000000079E2000-memory.dmpFilesize
200KB
-
memory/3848-28-0x000000007F110000-0x000000007F120000-memory.dmpFilesize
64KB
-
memory/3848-26-0x0000000007800000-0x000000000781A000-memory.dmpFilesize
104KB
-
memory/4100-72-0x000000007F050000-0x000000007F060000-memory.dmpFilesize
64KB
-
memory/4100-74-0x0000000070AC0000-0x0000000070E14000-memory.dmpFilesize
3.3MB
-
memory/4100-60-0x0000000002FE0000-0x0000000002FF0000-memory.dmpFilesize
64KB
-
memory/4100-87-0x0000000007EB0000-0x0000000007EC1000-memory.dmpFilesize
68KB
-
memory/4100-58-0x0000000074A40000-0x00000000751F0000-memory.dmpFilesize
7.7MB
-
memory/4100-70-0x00000000064A0000-0x00000000067F4000-memory.dmpFilesize
3.3MB
-
memory/4100-59-0x0000000002FE0000-0x0000000002FF0000-memory.dmpFilesize
64KB
-
memory/4100-88-0x0000000007F00000-0x0000000007F14000-memory.dmpFilesize
80KB
-
memory/4100-84-0x0000000002FE0000-0x0000000002FF0000-memory.dmpFilesize
64KB
-
memory/4100-73-0x0000000070940000-0x000000007098C000-memory.dmpFilesize
304KB
-
memory/4100-71-0x0000000006F30000-0x0000000006F7C000-memory.dmpFilesize
304KB
-
memory/4100-85-0x0000000007990000-0x0000000007A33000-memory.dmpFilesize
652KB
-
memory/4100-86-0x0000000002FE0000-0x0000000002FF0000-memory.dmpFilesize
64KB
-
memory/4100-91-0x0000000074A40000-0x00000000751F0000-memory.dmpFilesize
7.7MB
-
memory/4316-276-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4316-270-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB