Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
-
submitted
23-04-2024 12:09
General
-
Target
1a3a6ac78eb72acfc2123cbc9329b060c1eeaca7cc6f09e1bc48622474c85c78.exe
-
Size
4.2MB
-
MD5
9dc832b94e5fa7e79596545b846d70b9
-
SHA1
2e90ffe5acb9eaf58a756c4bad524e991101f0e3
-
SHA256
1a3a6ac78eb72acfc2123cbc9329b060c1eeaca7cc6f09e1bc48622474c85c78
-
SHA512
edad0725d16975fb3365f139849d1f0c946cbd89637ec3e7c27920db00036880d8761d170d95de43b60aea6cce39150d03bf4c324cf255999d20b6b295f69774
-
SSDEEP
98304:q9dcOUBEbybSH36R/JhlYZJkRBAK/yVZyNfNI1XCYNES:oyBJSqZXeZGRgrygZb
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 12 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a3a6ac78eb72acfc2123cbc9329b060c1eeaca7cc6f09e1bc48622474c85c78.exe"C:\Users\Admin\AppData\Local\Temp\1a3a6ac78eb72acfc2123cbc9329b060c1eeaca7cc6f09e1bc48622474c85c78.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1a3a6ac78eb72acfc2123cbc9329b060c1eeaca7cc6f09e1bc48622474c85c78.exe"C:\Users\Admin\AppData\Local\Temp\1a3a6ac78eb72acfc2123cbc9329b060c1eeaca7cc6f09e1bc48622474c85c78.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oxcjsobz.n1e.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5d0c46cad6c0778401e21910bd6b56b70
SHA17be418951ea96326aca445b8dfe449b2bfa0dca6
SHA2569600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5469120b73ed2abfb3c214935145c9a4f
SHA1b08f8bebbda0f01a99437f61c6ce211e30ca4261
SHA256f33b5ae7c4fbae72a5ba165476f5f69ca6d6732af94e478ef019fd6b6432d9c3
SHA512f0a808f67d8cdf1f4b0c608aca695c343843222ebb851f1077e9a962c6b51078da79d7ec50e0414dd1a77b1944930ff32ff81ce0d24aa09c11fa3f93583261c9
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5d8313a714e9059d30d6d6366d737ef6c
SHA1a382ffdb60c63b0ffd836658a058e05eb738d18f
SHA256714a253bef6472aa0c02d9651097da5afce47e35b4048b9afcc90d95970c0629
SHA512ba7c34cafbd4e6a58ee27d80024ee1bb63e7a04138dc4e2ed52fdcd38b8194ae6b80a8a3f7c854a05ca852c45410ccfd44dd09f7463566b95facfa9979636af2
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5a7622712172b0140690ba97633c2a64a
SHA1257f37ce9bf08dce09a1bc8ea64c0588b6d69d5c
SHA2565e708f8b21bdbdf5f7d0ebab935deb7c301166b606e9ad918189949b1931b745
SHA51233979b5a990bba213ac009b153c6861939171ea889fdf3a439bac54b21ba643641db1ef8a3dcd0b0cad3461f21c2172aa024204598080d82f3148913b8a2eadc
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD59f23c54647dd2368277c6b292df23328
SHA1604ea806487eddabe85d0a80308b36a21be75939
SHA256f9b4640e3ea8e2da0d2b7447e46a5059fad90497cf89169e82ef865f8e43dee7
SHA5129c19c39ebb59f4be351ac14e96469c10baf2d50d986429abc8d2c8dd7dea85003c7daaa97c0f67dd79411723f55ebbb26295b8d8a3a25b17a672a18f572ac6b5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD55879ca60a578f214bc9b02be6595559a
SHA1edfd9910febc02cc3e2cde0e7fa059d9d669d4e8
SHA2566e43215b8a7a5741b15db3b19202cc2d11a3daeeea6e33b12442495a9929eb71
SHA512d2f092259f5c0af4c66d1cf070f2290aefe4edf2c7860e1a355e26950e145deacb5c2215b987ff8eaef8b04d3eaaa15c858aedb9c9b0fa1e820a94e2c32441bc
-
C:\Windows\rss\csrss.exeFilesize
4.2MB
MD59dc832b94e5fa7e79596545b846d70b9
SHA12e90ffe5acb9eaf58a756c4bad524e991101f0e3
SHA2561a3a6ac78eb72acfc2123cbc9329b060c1eeaca7cc6f09e1bc48622474c85c78
SHA512edad0725d16975fb3365f139849d1f0c946cbd89637ec3e7c27920db00036880d8761d170d95de43b60aea6cce39150d03bf4c324cf255999d20b6b295f69774
-
memory/464-82-0x0000000074570000-0x0000000074D21000-memory.dmpFilesize
7.7MB
-
memory/464-52-0x0000000074570000-0x0000000074D21000-memory.dmpFilesize
7.7MB
-
memory/464-79-0x0000000007710000-0x0000000007725000-memory.dmpFilesize
84KB
-
memory/464-78-0x00000000076C0000-0x00000000076D1000-memory.dmpFilesize
68KB
-
memory/464-77-0x0000000002950000-0x0000000002960000-memory.dmpFilesize
64KB
-
memory/464-76-0x0000000002950000-0x0000000002960000-memory.dmpFilesize
64KB
-
memory/464-75-0x000000007F610000-0x000000007F620000-memory.dmpFilesize
64KB
-
memory/464-73-0x0000000007190000-0x0000000007234000-memory.dmpFilesize
656KB
-
memory/464-64-0x0000000070960000-0x0000000070CB7000-memory.dmpFilesize
3.3MB
-
memory/464-63-0x00000000707E0000-0x000000007082C000-memory.dmpFilesize
304KB
-
memory/464-53-0x0000000002950000-0x0000000002960000-memory.dmpFilesize
64KB
-
memory/1576-272-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2336-135-0x0000000004990000-0x00000000049A0000-memory.dmpFilesize
64KB
-
memory/2336-124-0x000000007F0D0000-0x000000007F0E0000-memory.dmpFilesize
64KB
-
memory/2336-111-0x0000000074570000-0x0000000074D21000-memory.dmpFilesize
7.7MB
-
memory/2336-113-0x0000000004990000-0x00000000049A0000-memory.dmpFilesize
64KB
-
memory/2336-122-0x0000000005940000-0x0000000005C97000-memory.dmpFilesize
3.3MB
-
memory/2336-137-0x0000000074570000-0x0000000074D21000-memory.dmpFilesize
7.7MB
-
memory/2336-126-0x00000000709F0000-0x0000000070D47000-memory.dmpFilesize
3.3MB
-
memory/2336-125-0x00000000707E0000-0x000000007082C000-memory.dmpFilesize
304KB
-
memory/2492-50-0x0000000004930000-0x0000000004D2B000-memory.dmpFilesize
4.0MB
-
memory/2492-141-0x0000000000400000-0x0000000004426000-memory.dmpFilesize
64.1MB
-
memory/2492-112-0x0000000004930000-0x0000000004D2B000-memory.dmpFilesize
4.0MB
-
memory/3104-320-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/3104-288-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/3144-108-0x0000000004BE0000-0x0000000004BF0000-memory.dmpFilesize
64KB
-
memory/3144-110-0x0000000074570000-0x0000000074D21000-memory.dmpFilesize
7.7MB
-
memory/3144-84-0x0000000074570000-0x0000000074D21000-memory.dmpFilesize
7.7MB
-
memory/3144-107-0x0000000004BE0000-0x0000000004BF0000-memory.dmpFilesize
64KB
-
memory/3144-98-0x0000000070A30000-0x0000000070D87000-memory.dmpFilesize
3.3MB
-
memory/3144-96-0x000000007F9D0000-0x000000007F9E0000-memory.dmpFilesize
64KB
-
memory/3144-97-0x00000000707E0000-0x000000007082C000-memory.dmpFilesize
304KB
-
memory/3144-94-0x0000000005AD0000-0x0000000005E27000-memory.dmpFilesize
3.3MB
-
memory/3144-85-0x0000000004BE0000-0x0000000004BF0000-memory.dmpFilesize
64KB
-
memory/3484-4-0x0000000074570000-0x0000000074D21000-memory.dmpFilesize
7.7MB
-
memory/3484-36-0x0000000007110000-0x00000000071B4000-memory.dmpFilesize
656KB
-
memory/3484-19-0x0000000005C80000-0x0000000005C9E000-memory.dmpFilesize
120KB
-
memory/3484-16-0x0000000005760000-0x0000000005AB7000-memory.dmpFilesize
3.3MB
-
memory/3484-9-0x0000000005580000-0x00000000055E6000-memory.dmpFilesize
408KB
-
memory/3484-21-0x0000000006200000-0x0000000006246000-memory.dmpFilesize
280KB
-
memory/3484-23-0x00000000070B0000-0x00000000070E4000-memory.dmpFilesize
208KB
-
memory/3484-22-0x000000007F280000-0x000000007F290000-memory.dmpFilesize
64KB
-
memory/3484-8-0x0000000005510000-0x0000000005576000-memory.dmpFilesize
408KB
-
memory/3484-38-0x0000000007230000-0x000000000724A000-memory.dmpFilesize
104KB
-
memory/3484-39-0x0000000007270000-0x000000000727A000-memory.dmpFilesize
40KB
-
memory/3484-24-0x00000000707E0000-0x000000007082C000-memory.dmpFilesize
304KB
-
memory/3484-25-0x0000000070960000-0x0000000070CB7000-memory.dmpFilesize
3.3MB
-
memory/3484-34-0x00000000048A0000-0x00000000048B0000-memory.dmpFilesize
64KB
-
memory/3484-35-0x00000000070F0000-0x000000000710E000-memory.dmpFilesize
120KB
-
memory/3484-37-0x0000000007880000-0x0000000007EFA000-memory.dmpFilesize
6.5MB
-
memory/3484-20-0x0000000005D20000-0x0000000005D6C000-memory.dmpFilesize
304KB
-
memory/3484-48-0x0000000074570000-0x0000000074D21000-memory.dmpFilesize
7.7MB
-
memory/3484-45-0x0000000007360000-0x0000000007368000-memory.dmpFilesize
32KB
-
memory/3484-7-0x0000000004CF0000-0x0000000004D12000-memory.dmpFilesize
136KB
-
memory/3484-44-0x0000000007340000-0x000000000735A000-memory.dmpFilesize
104KB
-
memory/3484-43-0x00000000072F0000-0x0000000007305000-memory.dmpFilesize
84KB
-
memory/3484-42-0x00000000072E0000-0x00000000072EE000-memory.dmpFilesize
56KB
-
memory/3484-3-0x00000000047E0000-0x0000000004816000-memory.dmpFilesize
216KB
-
memory/3484-41-0x00000000072A0000-0x00000000072B1000-memory.dmpFilesize
68KB
-
memory/3484-6-0x0000000004EE0000-0x000000000550A000-memory.dmpFilesize
6.2MB
-
memory/3484-40-0x0000000007380000-0x0000000007416000-memory.dmpFilesize
600KB
-
memory/3484-5-0x00000000048A0000-0x00000000048B0000-memory.dmpFilesize
64KB
-
memory/3524-151-0x00000000053B0000-0x00000000053C0000-memory.dmpFilesize
64KB
-
memory/3524-150-0x0000000074570000-0x0000000074D21000-memory.dmpFilesize
7.7MB
-
memory/3844-230-0x0000000074DD0000-0x0000000074DEE000-memory.dmpFilesize
120KB
-
memory/3844-256-0x0000000000400000-0x0000000004426000-memory.dmpFilesize
64.1MB
-
memory/3844-226-0x0000000000400000-0x0000000004426000-memory.dmpFilesize
64.1MB
-
memory/3844-228-0x0000000074DF0000-0x0000000074E57000-memory.dmpFilesize
412KB
-
memory/3844-344-0x0000000000400000-0x0000000004426000-memory.dmpFilesize
64.1MB
-
memory/3844-231-0x0000000074DB0000-0x0000000074DC1000-memory.dmpFilesize
68KB
-
memory/3844-241-0x0000000000400000-0x0000000004426000-memory.dmpFilesize
64.1MB
-
memory/3844-243-0x0000000074DF0000-0x0000000074E57000-memory.dmpFilesize
412KB
-
memory/3844-248-0x0000000074D60000-0x0000000074DA1000-memory.dmpFilesize
260KB
-
memory/3844-322-0x0000000000400000-0x0000000004426000-memory.dmpFilesize
64.1MB
-
memory/3844-306-0x0000000000400000-0x0000000004426000-memory.dmpFilesize
64.1MB
-
memory/3844-274-0x0000000000400000-0x0000000004426000-memory.dmpFilesize
64.1MB
-
memory/3844-290-0x0000000000400000-0x0000000004426000-memory.dmpFilesize
64.1MB
-
memory/4052-62-0x0000000000400000-0x0000000004426000-memory.dmpFilesize
64.1MB
-
memory/4052-2-0x00000000066A0000-0x0000000006F8B000-memory.dmpFilesize
8.9MB
-
memory/4052-74-0x00000000066A0000-0x0000000006F8B000-memory.dmpFilesize
8.9MB
-
memory/4052-1-0x0000000004B00000-0x0000000004EFC000-memory.dmpFilesize
4.0MB
-
memory/4052-51-0x0000000004B00000-0x0000000004EFC000-memory.dmpFilesize
4.0MB