Analysis
-
max time kernel
9s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
-
submitted
24-04-2024 23:20
General
-
Target
cb757827703c8b58e0b6f231fbb9a6ea4b3eb511e94939b305f671efc5417352.exe
-
Size
4.2MB
-
MD5
68373e51cb992b86cedad45d78643d53
-
SHA1
6ea32e5b52d596dfa119ff476721cf02a9ee6689
-
SHA256
cb757827703c8b58e0b6f231fbb9a6ea4b3eb511e94939b305f671efc5417352
-
SHA512
831e10cd30ff2981f6f199d0d56f90659de311d4ae5f2f49a75dc86526a4bd2aa80d9cafd54f52886bc9aaeff9f246c2c424e67c8f8bcaa29cd8498a7527f569
-
SSDEEP
98304:mevzfZDFQyVnMG9h3iRv7wTG+HYT3M4TA:hxJQUMGk0DHcA
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 16 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 2 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cb757827703c8b58e0b6f231fbb9a6ea4b3eb511e94939b305f671efc5417352.exe"C:\Users\Admin\AppData\Local\Temp\cb757827703c8b58e0b6f231fbb9a6ea4b3eb511e94939b305f671efc5417352.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\cb757827703c8b58e0b6f231fbb9a6ea4b3eb511e94939b305f671efc5417352.exe"C:\Users\Admin\AppData\Local\Temp\cb757827703c8b58e0b6f231fbb9a6ea4b3eb511e94939b305f671efc5417352.exe"2⤵
- Checks for VirtualBox DLLs, possible anti-VM trick
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
-
-
-
-
-
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
2KB
MD5d0c46cad6c0778401e21910bd6b56b70
SHA17be418951ea96326aca445b8dfe449b2bfa0dca6
SHA2569600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949
-
Filesize
19KB
MD5286e1b8abc9b3114f498d0860708619b
SHA1057849af2fa06983cb37fa78eb5b1e0a1b2af8fc
SHA256bff3cd237212f6680508968608f3ae321ec152b1df68f400fa7d5ede1b4b135e
SHA5121c4e880d04a4c3bf840a8a2bccf81d99d30f8a27c1fd8604605af75391f3cc52ea2d074b918dfec6ae2e3e0bf0ccbee3b4a993c61447fc9cb8ff1d88e73dbe33
-
Filesize
19KB
MD5d3cbd0bae4faf80b1a891e69418c96c0
SHA1cf13e358bac8bd9cfcfcb8753cad8f206db0402e
SHA256a3e90dd57155a012882f55e4fdffd7a03ed4510ce57742e51803362a558918de
SHA512628af6fe2a6950334e6f8c3033057acf0e455e3a813943c947780178a3a6dadcc51dc8ce4d799e6aa588cd7593e235c27d90763c961f9f4afc1cc8ea50613af5
-
Filesize
19KB
MD519241b4bc5741016262936fa7eede358
SHA15d29ee05bac291c39804988172e23f5df579596d
SHA256f383c29cc2f12986f477514292922cec28ec013acf80ea4ca27dc31ae1bbc523
SHA512c353730c556d857497348f711e07c38219438976d1f331f1310235f04bc9077fd8c4ddba8561afcee0d829f4b5b44ec550fe3ad92574e06d47d63691b845e540
-
Filesize
19KB
MD53a740a4676ccb71c23294e5eba06c7d0
SHA18970126ddb86e6efb3379d818405fb051b7e3c11
SHA25654e12755ecfedea0e6558004387007335a13894bdb8c952515619fa58c4bb0dc
SHA512ace8341e9fa47fde03e1f577b499d5a13c4e1166f9940fe2fc8ca66bc36642412130dbdafd204d52fac6e68a6702f323fb3236500abb8bd76cadf8122b86800a
-
Filesize
19KB
MD58d8a966ed0428adc0ec9d9d53fe4addc
SHA1064fd525f41f05daa1a2a305c58a02f2c9291e83
SHA2564b96bf73fba4ebfbc76ab810376970203e39de5f1e30a1849ec7e019b79a208b
SHA5122148abc9ffa5347636cb5089948cd9bf4cefeb9e9b2f9b789d0b8c7a13a3790f5b86800b83a6acd8898e26f03d922a8a9651d93ab5819b9a774e5d7e702f5490
-
Filesize
4.2MB
MD568373e51cb992b86cedad45d78643d53
SHA16ea32e5b52d596dfa119ff476721cf02a9ee6689
SHA256cb757827703c8b58e0b6f231fbb9a6ea4b3eb511e94939b305f671efc5417352
SHA512831e10cd30ff2981f6f199d0d56f90659de311d4ae5f2f49a75dc86526a4bd2aa80d9cafd54f52886bc9aaeff9f246c2c424e67c8f8bcaa29cd8498a7527f569
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
4.9MB
-
Filesize
64.1MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.0MB
-
Filesize
64.1MB
-
Filesize
4.0MB
-
Filesize
8.9MB
-
Filesize
8.9MB
-
Filesize
64.1MB
-
Filesize
64.1MB
-
Filesize
64.1MB
-
Filesize
64.1MB
-
Filesize
64.1MB
-
Filesize
64.1MB
-
Filesize
64.1MB
-
Filesize
64.1MB
-
Filesize
64.1MB
-
Filesize
64.1MB
-
Filesize
64.1MB
-
Filesize
64.1MB
-
Filesize
64.1MB
-
Filesize
216KB
-
Filesize
3.3MB
-
Filesize
6.5MB
-
Filesize
656KB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
208KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
280KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
6.2MB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
408KB
-
Filesize
84KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
104KB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
656KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
68KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
84KB