Analysis
-
max time kernel
13s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
23-04-2024 09:15
General
-
Target
7aadea0ffd201893fd0c6984008d2e005018aca687175f549ffa18d89f0473c8.exe
-
Size
4.2MB
-
MD5
a84dce9a95eeedaf7ccc348b0e88ffc6
-
SHA1
fe9d11d7233e39069c96827e3c7ba063dad8daee
-
SHA256
7aadea0ffd201893fd0c6984008d2e005018aca687175f549ffa18d89f0473c8
-
SHA512
fb83e13702e4d61450e615be18cdb1dce02520b595bcaf12fbbae057203ac48646b21dea59dd201f56b1c8adac0f3689e257d05834555a0746f039c4851aef73
-
SSDEEP
98304:CQN9zSKVNFzRCmd+S43cfxiJtNQ15bXu+MABfSPDEeLX1+Kw3YL/t3U:tTWsFQmkSqeYdK5bXuOBmD/txFE
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 17 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 4 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7aadea0ffd201893fd0c6984008d2e005018aca687175f549ffa18d89f0473c8.exe"C:\Users\Admin\AppData\Local\Temp\7aadea0ffd201893fd0c6984008d2e005018aca687175f549ffa18d89f0473c8.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\7aadea0ffd201893fd0c6984008d2e005018aca687175f549ffa18d89f0473c8.exe"C:\Users\Admin\AppData\Local\Temp\7aadea0ffd201893fd0c6984008d2e005018aca687175f549ffa18d89f0473c8.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 9523⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4248 -ip 42481⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2qb5yslt.oxr.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5ab47d520b36813c1ff1dec167a5e193f
SHA150afa013d916ab55754674ac035d4800fd19d7f7
SHA2564d5c0a6b329a2a001bd3190cdf7836dc51de4f5bc834c7e33219d2e4fb021d59
SHA512efc2dc3a954ce7c6409609819014e6053c5ccab6391abe6052e94cfd89032550ade01d90623a6c66a9cdada85e6995880eff9957339acf25391cf2e4f7d35c95
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD59f9a2e348e4b97c91e51375c7556ac03
SHA1e3fa8142aa3dea1e4caba09829d3f87b4e609ea6
SHA256d991607a0fc2eac9c4025aae5d5098a61f5030022886b1d47a31706aa5277156
SHA51255814f2dddab51fbaef7439c88b87e84d6257b4b6de22f31f1f3fabc72db3ac816a534a4ff12a5755763657d50ad92d1bd3a93bfae1085f92814001c939ce6f1
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD57701e3a187fe14882ee1d6e564a08366
SHA155c9f5389c17b25a28a422cb3b5d4c822301ae84
SHA256112269108a621c9ef56621e0be870112970185fa037d89ce2c7ee0d91b136bbb
SHA512ae6bf080fde41daa3e698c9604519340daf92478ab6bff6a200a42f1ef361d911672b9639322748dbf3163fe927a696b0c4c23cf8aa243b2c443f4fabedf1124
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5c7666709f170b3f7c7374f354f514f5f
SHA17f1f22187107b505d94205cbe44ccea526ec8faf
SHA256d0cdbca2abf4901abace1d9e09c5fb91d9eb236dd403c4167c491e54905b595e
SHA512b26b3e224b6b87e0cbd217b0ea969258db3b4805831a95e94981e82b6d2da6c259778d161bf83ebaa5e67bbb18b7eed88055f2e6e76224da398c378ab7dba01d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5af0b49910509195531d6472f4590e0e3
SHA1a4bbccd72f39bd268f21312ac998b7b85bc41696
SHA25604e2013942833048bc06b7974638820d584fd88a66655e9423c5c5b1972e86c6
SHA512be4978be840972ac8d339f709cf63140801f54a9a1f3376afb7952a96cd63ad207bf8097ef3bc13b076d0222eb5f4fa53d985429f778b3a9591fc7672dbcbd7b
-
C:\Windows\rss\csrss.exeFilesize
4.2MB
MD5a84dce9a95eeedaf7ccc348b0e88ffc6
SHA1fe9d11d7233e39069c96827e3c7ba063dad8daee
SHA2567aadea0ffd201893fd0c6984008d2e005018aca687175f549ffa18d89f0473c8
SHA512fb83e13702e4d61450e615be18cdb1dce02520b595bcaf12fbbae057203ac48646b21dea59dd201f56b1c8adac0f3689e257d05834555a0746f039c4851aef73
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/1624-85-0x0000000007840000-0x00000000078E3000-memory.dmpFilesize
652KB
-
memory/1624-90-0x0000000074920000-0x00000000750D0000-memory.dmpFilesize
7.7MB
-
memory/1624-87-0x0000000007DC0000-0x0000000007DD4000-memory.dmpFilesize
80KB
-
memory/1624-86-0x0000000007D70000-0x0000000007D81000-memory.dmpFilesize
68KB
-
memory/1624-58-0x0000000074920000-0x00000000750D0000-memory.dmpFilesize
7.7MB
-
memory/1624-84-0x0000000003250000-0x0000000003260000-memory.dmpFilesize
64KB
-
memory/1624-74-0x0000000070FB0000-0x0000000071304000-memory.dmpFilesize
3.3MB
-
memory/1624-72-0x000000007F610000-0x000000007F620000-memory.dmpFilesize
64KB
-
memory/1624-73-0x0000000070820000-0x000000007086C000-memory.dmpFilesize
304KB
-
memory/1624-71-0x0000000006840000-0x000000000688C000-memory.dmpFilesize
304KB
-
memory/1624-61-0x0000000006220000-0x0000000006574000-memory.dmpFilesize
3.3MB
-
memory/1624-60-0x0000000003250000-0x0000000003260000-memory.dmpFilesize
64KB
-
memory/1624-59-0x0000000003250000-0x0000000003260000-memory.dmpFilesize
64KB
-
memory/2112-41-0x0000000007140000-0x000000000715E000-memory.dmpFilesize
120KB
-
memory/2112-27-0x000000007F660000-0x000000007F670000-memory.dmpFilesize
64KB
-
memory/2112-43-0x0000000007250000-0x000000000725A000-memory.dmpFilesize
40KB
-
memory/2112-44-0x00000000046C0000-0x00000000046D0000-memory.dmpFilesize
64KB
-
memory/2112-45-0x0000000007310000-0x00000000073A6000-memory.dmpFilesize
600KB
-
memory/2112-46-0x0000000007270000-0x0000000007281000-memory.dmpFilesize
68KB
-
memory/2112-47-0x00000000072B0000-0x00000000072BE000-memory.dmpFilesize
56KB
-
memory/2112-48-0x00000000072C0000-0x00000000072D4000-memory.dmpFilesize
80KB
-
memory/2112-49-0x00000000073B0000-0x00000000073CA000-memory.dmpFilesize
104KB
-
memory/2112-50-0x00000000072F0000-0x00000000072F8000-memory.dmpFilesize
32KB
-
memory/2112-53-0x0000000074880000-0x0000000075030000-memory.dmpFilesize
7.7MB
-
memory/2112-7-0x0000000004D00000-0x0000000005328000-memory.dmpFilesize
6.2MB
-
memory/2112-6-0x00000000046C0000-0x00000000046D0000-memory.dmpFilesize
64KB
-
memory/2112-42-0x0000000007160000-0x0000000007203000-memory.dmpFilesize
652KB
-
memory/2112-4-0x00000000046C0000-0x00000000046D0000-memory.dmpFilesize
64KB
-
memory/2112-31-0x00000000046C0000-0x00000000046D0000-memory.dmpFilesize
64KB
-
memory/2112-30-0x00000000708A0000-0x0000000070BF4000-memory.dmpFilesize
3.3MB
-
memory/2112-29-0x0000000070720000-0x000000007076C000-memory.dmpFilesize
304KB
-
memory/2112-28-0x0000000007100000-0x0000000007132000-memory.dmpFilesize
200KB
-
memory/2112-8-0x0000000004CD0000-0x0000000004CF2000-memory.dmpFilesize
136KB
-
memory/2112-26-0x0000000006F40000-0x0000000006F5A000-memory.dmpFilesize
104KB
-
memory/2112-25-0x00000000075A0000-0x0000000007C1A000-memory.dmpFilesize
6.5MB
-
memory/2112-24-0x0000000006EA0000-0x0000000006F16000-memory.dmpFilesize
472KB
-
memory/2112-23-0x0000000005F90000-0x0000000005FD4000-memory.dmpFilesize
272KB
-
memory/2112-22-0x0000000005BD0000-0x0000000005C1C000-memory.dmpFilesize
304KB
-
memory/2112-21-0x0000000005B90000-0x0000000005BAE000-memory.dmpFilesize
120KB
-
memory/2112-20-0x00000000056F0000-0x0000000005A44000-memory.dmpFilesize
3.3MB
-
memory/2112-19-0x0000000005680000-0x00000000056E6000-memory.dmpFilesize
408KB
-
memory/2112-5-0x00000000045D0000-0x0000000004606000-memory.dmpFilesize
216KB
-
memory/2112-3-0x0000000074880000-0x0000000075030000-memory.dmpFilesize
7.7MB
-
memory/2112-9-0x00000000054A0000-0x0000000005506000-memory.dmpFilesize
408KB
-
memory/2236-265-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2236-269-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2896-2-0x0000000006690000-0x0000000006F7B000-memory.dmpFilesize
8.9MB
-
memory/2896-1-0x0000000004C70000-0x0000000005077000-memory.dmpFilesize
4.0MB
-
memory/2896-57-0x0000000006690000-0x0000000006F7B000-memory.dmpFilesize
8.9MB
-
memory/2896-54-0x0000000000400000-0x0000000004428000-memory.dmpFilesize
64.2MB
-
memory/3344-262-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/3780-117-0x00000000052A0000-0x00000000052B0000-memory.dmpFilesize
64KB
-
memory/3780-92-0x0000000074920000-0x00000000750D0000-memory.dmpFilesize
7.7MB
-
memory/3780-94-0x00000000052A0000-0x00000000052B0000-memory.dmpFilesize
64KB
-
memory/3780-106-0x0000000070820000-0x000000007086C000-memory.dmpFilesize
304KB
-
memory/3780-105-0x000000007FB10000-0x000000007FB20000-memory.dmpFilesize
64KB
-
memory/3780-93-0x00000000052A0000-0x00000000052B0000-memory.dmpFilesize
64KB
-
memory/3780-107-0x0000000070FB0000-0x0000000071304000-memory.dmpFilesize
3.3MB
-
memory/3780-119-0x0000000074920000-0x00000000750D0000-memory.dmpFilesize
7.7MB
-
memory/4152-134-0x0000000070FB0000-0x0000000071304000-memory.dmpFilesize
3.3MB
-
memory/4152-120-0x0000000074920000-0x00000000750D0000-memory.dmpFilesize
7.7MB
-
memory/4152-147-0x0000000074920000-0x00000000750D0000-memory.dmpFilesize
7.7MB
-
memory/4152-145-0x00000000026E0000-0x00000000026F0000-memory.dmpFilesize
64KB
-
memory/4152-121-0x00000000026E0000-0x00000000026F0000-memory.dmpFilesize
64KB
-
memory/4152-132-0x000000007EF70000-0x000000007EF80000-memory.dmpFilesize
64KB
-
memory/4152-133-0x0000000070820000-0x000000007086C000-memory.dmpFilesize
304KB
-
memory/4248-144-0x0000000004890000-0x0000000004C92000-memory.dmpFilesize
4.0MB
-
memory/4248-56-0x0000000004890000-0x0000000004C92000-memory.dmpFilesize
4.0MB
-
memory/4248-154-0x0000000000400000-0x0000000004428000-memory.dmpFilesize
64.2MB
-
memory/4648-253-0x0000000000400000-0x0000000004428000-memory.dmpFilesize
64.2MB
-
memory/4648-258-0x0000000000400000-0x0000000004428000-memory.dmpFilesize
64.2MB
-
memory/4648-264-0x0000000000400000-0x0000000004428000-memory.dmpFilesize
64.2MB
-
memory/4648-254-0x0000000000400000-0x0000000004428000-memory.dmpFilesize
64.2MB
-
memory/4648-266-0x0000000000400000-0x0000000004428000-memory.dmpFilesize
64.2MB
-
memory/4648-268-0x0000000000400000-0x0000000004428000-memory.dmpFilesize
64.2MB
-
memory/4648-252-0x0000000000400000-0x0000000004428000-memory.dmpFilesize
64.2MB
-
memory/4648-270-0x0000000000400000-0x0000000004428000-memory.dmpFilesize
64.2MB
-
memory/4648-272-0x0000000000400000-0x0000000004428000-memory.dmpFilesize
64.2MB
-
memory/4648-274-0x0000000000400000-0x0000000004428000-memory.dmpFilesize
64.2MB
-
memory/4648-276-0x0000000000400000-0x0000000004428000-memory.dmpFilesize
64.2MB
-
memory/4648-278-0x0000000000400000-0x0000000004428000-memory.dmpFilesize
64.2MB
-
memory/4648-280-0x0000000000400000-0x0000000004428000-memory.dmpFilesize
64.2MB