General
- Target: 97655f76dbd6e322aea5ecf9dcc82420ec25fb67c6fec0a6febbcd7e8b632e53
- Size: 851KB
- Sample: 240423-m156vsff25
- MD5: 413a2ef652af005857952eaf1d717f72
- SHA1: 59d552791f8f7a915ca22ef20472237f93a82590
- SHA256: 97655f76dbd6e322aea5ecf9dcc82420ec25fb67c6fec0a6febbcd7e8b632e53
- SHA512: 016bb4bd52cd2f5debeed370ee366bc8f32573437b7cbfd2bc5f9fa904956d66dc100dd0aa2b8193b55238722aeec412e700ab675a87de91e3f9503f9bddf18c
- SSDEEP: 24576:SAQzZjtaG/wO8c4A9bSkhhizy5VdsWTdxS1yeA:+ZtaKw5s9bSsim5VmkQyv
Static task: static1
Behavioral task: behavioral1
- Sample: 97655f76dbd6e322aea5ecf9dcc82420ec25fb67c6fec0a6febbcd7e8b632e53.exe
- Resource: win10v2004-20240412-en
Malware Config
Targets
- Target: 97655f76dbd6e322aea5ecf9dcc82420ec25fb67c6fec0a6febbcd7e8b632e53
- Size: 851KB
- MD5: 413a2ef652af005857952eaf1d717f72
- SHA1: 59d552791f8f7a915ca22ef20472237f93a82590
- SHA256: 97655f76dbd6e322aea5ecf9dcc82420ec25fb67c6fec0a6febbcd7e8b632e53
- SHA512: 016bb4bd52cd2f5debeed370ee366bc8f32573437b7cbfd2bc5f9fa904956d66dc100dd0aa2b8193b55238722aeec412e700ab675a87de91e3f9503f9bddf18c
- SSDEEP: 24576:SAQzZjtaG/wO8c4A9bSkhhizy5VdsWTdxS1yeA:+ZtaKw5s9bSsim5VmkQyv
Signatures
- Glupteba payload
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Modifies Windows Firewall
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops Chrome extension
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (2)
  - Windows Service (2)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Create or Modify System Process (2)
  - Windows Service (2)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Defense Evasion
- Modify Registry (7)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify Tools (3)
  - Disable or Modify System Firewall (1)
- Virtualization/Sandbox Evasion (1)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)