Analysis
-
max time kernel
12s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
-
submitted
23-04-2024 09:15
General
-
Target
7aadea0ffd201893fd0c6984008d2e005018aca687175f549ffa18d89f0473c8.exe
-
Size
4.2MB
-
MD5
a84dce9a95eeedaf7ccc348b0e88ffc6
-
SHA1
fe9d11d7233e39069c96827e3c7ba063dad8daee
-
SHA256
7aadea0ffd201893fd0c6984008d2e005018aca687175f549ffa18d89f0473c8
-
SHA512
fb83e13702e4d61450e615be18cdb1dce02520b595bcaf12fbbae057203ac48646b21dea59dd201f56b1c8adac0f3689e257d05834555a0746f039c4851aef73
-
SSDEEP
98304:CQN9zSKVNFzRCmd+S43cfxiJtNQ15bXu+MABfSPDEeLX1+Kw3YL/t3U:tTWsFQmkSqeYdK5bXuOBmD/txFE
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 17 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 3 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7aadea0ffd201893fd0c6984008d2e005018aca687175f549ffa18d89f0473c8.exe"C:\Users\Admin\AppData\Local\Temp\7aadea0ffd201893fd0c6984008d2e005018aca687175f549ffa18d89f0473c8.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\7aadea0ffd201893fd0c6984008d2e005018aca687175f549ffa18d89f0473c8.exe"C:\Users\Admin\AppData\Local\Temp\7aadea0ffd201893fd0c6984008d2e005018aca687175f549ffa18d89f0473c8.exe"2⤵
- Checks for VirtualBox DLLs, possible anti-VM trick
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 6323⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2172 -ip 21721⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c31xzte2.k0c.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5ac4917a885cf6050b1a483e4bc4d2ea5
SHA1b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5181d64539cd861b0b37747a1477de488
SHA1df3b8f426393d94f185e3bdceef5eb3c1c064fcf
SHA25672876052c30d68c627192b11ad8f44c091e7d861b56867ca03e66cebcd6eb1ca
SHA512cbbbd4a3a7415d363fb6b527dd6bbde2d6750c118e0bdc28067b3243007c53413dbde1970dfa320fc609012ce8d62fe32388cffbbcef6fb45555eb473e27b316
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5b5097da8e4249120c5589b2958f64d0f
SHA122fc44b158a8b3c397f3de1ec6cdc44bb8958bb9
SHA25652b9eb926432af58341770d5f30fe38eb993538ff96e76f4e064034f8d0d6a37
SHA5124850d1728e5e4feee3a033ceed057b9848f51fce4e6459f9cc17537534a53c2304bbfe10c787ca98239dc6cf09e93ad3d9bd9dc837929cc99cc99bf7e888d9a0
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD58d38bdae78d896ecd51828f407de707c
SHA1b38f843d26bb01b260d9bf62c5918ecf705f753a
SHA25655973ca061f80e4b61baa9b7d09dfee1b8d565f2e3a89a22975b9899c11b8898
SHA5122c1b5ca1fd326d09ddb6fcf0a7c51b381bb925152ea1068a39deab4fc2d52bfc5d1726500cb84ee0f97cb7aaebc45c68722f7b92bb7ed78d6e5d1a78ba0524bf
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5d4d863bed12899cbdf263db915e9a97b
SHA18447b1159c15bf3f4f2d6a473418716a368392af
SHA256a5c658808baeaaeae35a79961cf63d39e31ab3fda055e975243cf8bd46fd33d0
SHA512226533458e7c682be7c5c28f960f610de2a09f294b671650a60579565ccc30e9dc8cd7d7ce83fd671f6941f8cd36e0554dcfc5d7e206f583c12397de4ef4b969
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD54ef0b91a4018fc787cb567d1b15fd15f
SHA1a9c5c0d24d208b9a99ef9b5f5d065c15570dd787
SHA256ce354994fcc0962700357eb36f0a911af6a41f1b1c1c4420f6a6cb413287591d
SHA512b9996dc5d4d05f9ed058047cac5ccb97ac7a7f290f87b80e3faed6fef0ccdde5ac0e09a03ecafd496f026f5d1b812ceb4fb27d339a2e63d1614d943b80d5bf1b
-
C:\Windows\rss\csrss.exeFilesize
4.2MB
MD5a84dce9a95eeedaf7ccc348b0e88ffc6
SHA1fe9d11d7233e39069c96827e3c7ba063dad8daee
SHA2567aadea0ffd201893fd0c6984008d2e005018aca687175f549ffa18d89f0473c8
SHA512fb83e13702e4d61450e615be18cdb1dce02520b595bcaf12fbbae057203ac48646b21dea59dd201f56b1c8adac0f3689e257d05834555a0746f039c4851aef73
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/816-26-0x0000000070540000-0x0000000070897000-memory.dmpFilesize
3.3MB
-
memory/816-41-0x0000000007390000-0x0000000007426000-memory.dmpFilesize
600KB
-
memory/816-20-0x0000000005C80000-0x0000000005C9E000-memory.dmpFilesize
120KB
-
memory/816-21-0x0000000005CD0000-0x0000000005D1C000-memory.dmpFilesize
304KB
-
memory/816-22-0x0000000006210000-0x0000000006256000-memory.dmpFilesize
280KB
-
memory/816-24-0x00000000070C0000-0x00000000070F4000-memory.dmpFilesize
208KB
-
memory/816-23-0x000000007FE20000-0x000000007FE30000-memory.dmpFilesize
64KB
-
memory/816-25-0x00000000703C0000-0x000000007040C000-memory.dmpFilesize
304KB
-
memory/816-10-0x0000000005770000-0x00000000057D6000-memory.dmpFilesize
408KB
-
memory/816-35-0x0000000007100000-0x000000000711E000-memory.dmpFilesize
120KB
-
memory/816-36-0x0000000002A30000-0x0000000002A40000-memory.dmpFilesize
64KB
-
memory/816-37-0x0000000007120000-0x00000000071C4000-memory.dmpFilesize
656KB
-
memory/816-38-0x0000000007880000-0x0000000007EFA000-memory.dmpFilesize
6.5MB
-
memory/816-39-0x0000000007240000-0x000000000725A000-memory.dmpFilesize
104KB
-
memory/816-40-0x0000000007280000-0x000000000728A000-memory.dmpFilesize
40KB
-
memory/816-19-0x00000000057E0000-0x0000000005B37000-memory.dmpFilesize
3.3MB
-
memory/816-42-0x00000000072A0000-0x00000000072B1000-memory.dmpFilesize
68KB
-
memory/816-43-0x00000000072F0000-0x00000000072FE000-memory.dmpFilesize
56KB
-
memory/816-44-0x0000000007300000-0x0000000007315000-memory.dmpFilesize
84KB
-
memory/816-45-0x0000000007350000-0x000000000736A000-memory.dmpFilesize
104KB
-
memory/816-46-0x0000000007370000-0x0000000007378000-memory.dmpFilesize
32KB
-
memory/816-49-0x0000000074150000-0x0000000074901000-memory.dmpFilesize
7.7MB
-
memory/816-9-0x0000000004F90000-0x0000000004FF6000-memory.dmpFilesize
408KB
-
memory/816-8-0x0000000004DF0000-0x0000000004E12000-memory.dmpFilesize
136KB
-
memory/816-7-0x00000000050D0000-0x00000000056FA000-memory.dmpFilesize
6.2MB
-
memory/816-6-0x0000000002A30000-0x0000000002A40000-memory.dmpFilesize
64KB
-
memory/816-5-0x0000000002A30000-0x0000000002A40000-memory.dmpFilesize
64KB
-
memory/816-3-0x00000000027E0000-0x0000000002816000-memory.dmpFilesize
216KB
-
memory/816-4-0x0000000074150000-0x0000000074901000-memory.dmpFilesize
7.7MB
-
memory/1832-81-0x0000000007350000-0x0000000007361000-memory.dmpFilesize
68KB
-
memory/1832-67-0x0000000005E50000-0x0000000005E9C000-memory.dmpFilesize
304KB
-
memory/1832-68-0x000000007F450000-0x000000007F460000-memory.dmpFilesize
64KB
-
memory/1832-69-0x00000000704D0000-0x000000007051C000-memory.dmpFilesize
304KB
-
memory/1832-70-0x0000000070650000-0x00000000709A7000-memory.dmpFilesize
3.3MB
-
memory/1832-80-0x0000000004CE0000-0x0000000004CF0000-memory.dmpFilesize
64KB
-
memory/1832-79-0x0000000007020000-0x00000000070C4000-memory.dmpFilesize
656KB
-
memory/1832-57-0x0000000004CE0000-0x0000000004CF0000-memory.dmpFilesize
64KB
-
memory/1832-82-0x00000000073A0000-0x00000000073B5000-memory.dmpFilesize
84KB
-
memory/1832-85-0x00000000741F0000-0x00000000749A1000-memory.dmpFilesize
7.7MB
-
memory/1832-63-0x0000000005950000-0x0000000005CA7000-memory.dmpFilesize
3.3MB
-
memory/1832-55-0x00000000741F0000-0x00000000749A1000-memory.dmpFilesize
7.7MB
-
memory/1832-56-0x0000000004CE0000-0x0000000004CF0000-memory.dmpFilesize
64KB
-
memory/2160-250-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2172-54-0x00000000065A0000-0x0000000006E8B000-memory.dmpFilesize
8.9MB
-
memory/2172-145-0x0000000000400000-0x0000000004428000-memory.dmpFilesize
64.2MB
-
memory/2172-115-0x00000000048F0000-0x0000000004CF8000-memory.dmpFilesize
4.0MB
-
memory/2172-53-0x00000000048F0000-0x0000000004CF8000-memory.dmpFilesize
4.0MB
-
memory/3536-126-0x00000000704D0000-0x000000007051C000-memory.dmpFilesize
304KB
-
memory/3536-139-0x00000000741F0000-0x00000000749A1000-memory.dmpFilesize
7.7MB
-
memory/3536-137-0x0000000002910000-0x0000000002920000-memory.dmpFilesize
64KB
-
memory/3536-128-0x0000000070720000-0x0000000070A77000-memory.dmpFilesize
3.3MB
-
memory/3536-113-0x00000000741F0000-0x00000000749A1000-memory.dmpFilesize
7.7MB
-
memory/3536-114-0x0000000002910000-0x0000000002920000-memory.dmpFilesize
64KB
-
memory/3536-116-0x0000000002910000-0x0000000002920000-memory.dmpFilesize
64KB
-
memory/3536-127-0x000000007F2A0000-0x000000007F2B0000-memory.dmpFilesize
64KB
-
memory/3960-251-0x0000000000400000-0x0000000004428000-memory.dmpFilesize
64.2MB
-
memory/3960-256-0x0000000000400000-0x0000000004428000-memory.dmpFilesize
64.2MB
-
memory/3960-268-0x0000000000400000-0x0000000004428000-memory.dmpFilesize
64.2MB
-
memory/3960-266-0x0000000000400000-0x0000000004428000-memory.dmpFilesize
64.2MB
-
memory/3960-264-0x0000000000400000-0x0000000004428000-memory.dmpFilesize
64.2MB
-
memory/3960-263-0x0000000000400000-0x0000000004428000-memory.dmpFilesize
64.2MB
-
memory/3960-261-0x0000000000400000-0x0000000004428000-memory.dmpFilesize
64.2MB
-
memory/3960-259-0x0000000000400000-0x0000000004428000-memory.dmpFilesize
64.2MB
-
memory/3960-252-0x0000000000400000-0x0000000004428000-memory.dmpFilesize
64.2MB
-
memory/3960-254-0x0000000000400000-0x0000000004428000-memory.dmpFilesize
64.2MB
-
memory/3960-240-0x0000000000400000-0x0000000004428000-memory.dmpFilesize
64.2MB
-
memory/3960-241-0x0000000000400000-0x0000000004428000-memory.dmpFilesize
64.2MB
-
memory/3960-242-0x0000000000400000-0x0000000004428000-memory.dmpFilesize
64.2MB
-
memory/4596-52-0x0000000004B80000-0x0000000004F79000-memory.dmpFilesize
4.0MB
-
memory/4596-2-0x0000000006720000-0x000000000700B000-memory.dmpFilesize
8.9MB
-
memory/4596-1-0x0000000004B80000-0x0000000004F79000-memory.dmpFilesize
4.0MB
-
memory/4596-50-0x0000000000400000-0x0000000004428000-memory.dmpFilesize
64.2MB
-
memory/4768-257-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4768-253-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/5028-112-0x00000000741F0000-0x00000000749A1000-memory.dmpFilesize
7.7MB
-
memory/5028-88-0x0000000002F40000-0x0000000002F50000-memory.dmpFilesize
64KB
-
memory/5028-87-0x00000000741F0000-0x00000000749A1000-memory.dmpFilesize
7.7MB
-
memory/5028-89-0x0000000005F00000-0x0000000006257000-memory.dmpFilesize
3.3MB
-
memory/5028-99-0x000000007F4B0000-0x000000007F4C0000-memory.dmpFilesize
64KB
-
memory/5028-100-0x00000000704D0000-0x000000007051C000-memory.dmpFilesize
304KB
-
memory/5028-101-0x0000000070720000-0x0000000070A77000-memory.dmpFilesize
3.3MB
-
memory/5028-110-0x0000000002F40000-0x0000000002F50000-memory.dmpFilesize
64KB