glupteba | da8e7aca7e9ffc825848b96f8b2c6e0869078ac0a044e98aed72c504a0641194

Analysis

max time kernel
9s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da8e7aca7e9ffc825848b96f8b2c6e0869078ac0a044e98aed72c504a0641194.exe
Size

4.2MB
MD5

eec0e6b96442a67c4258b06290620827
SHA1

c8505a39d02fd21fc1f7d13c14e1d2f98b42be3c
SHA256

da8e7aca7e9ffc825848b96f8b2c6e0869078ac0a044e98aed72c504a0641194
SHA512

0da3675a00b5278a35281073eed654bc6638499dd0228d35f70f01e51e08d1a74d08105d8596e9784aee6a6d4b619f576d95da4f0e9f040b63a3d2228158edd1
SSDEEP

98304:JlPNnLMcliXgk6mZUGEiVLqbbhuqLV4AlEjP7y:JlP9LMc0wkDbEiV0LVIO

Score

10^/10

glupteba dropper evasion loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4108-2-0x00000000050C0000-0x00000000059AB000-memory.dmp	family_glupteba
behavioral1/memory/4108-3-0x0000000000400000-0x000000000300B000-memory.dmp	family_glupteba
behavioral1/memory/4108-4-0x0000000000400000-0x000000000300B000-memory.dmp	family_glupteba
behavioral1/memory/4108-25-0x00000000050C0000-0x00000000059AB000-memory.dmp	family_glupteba
behavioral1/memory/4108-37-0x0000000000400000-0x000000000300B000-memory.dmp	family_glupteba
behavioral1/memory/4108-54-0x0000000000400000-0x000000000300B000-memory.dmp	family_glupteba
behavioral1/memory/4108-65-0x0000000000400000-0x000000000300B000-memory.dmp	family_glupteba
behavioral1/memory/3676-67-0x0000000000400000-0x000000000300B000-memory.dmp	family_glupteba
behavioral1/memory/3676-116-0x0000000000400000-0x000000000300B000-memory.dmp	family_glupteba
behavioral1/memory/3676-128-0x0000000000400000-0x000000000300B000-memory.dmp	family_glupteba
behavioral1/memory/3676-163-0x0000000000400000-0x000000000300B000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

432 netsh.exe

pid	process
432	netsh.exe

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
552	4108	WerFault.exe	da8e7aca7e9ffc825848b96f8b2c6e0869078ac0a044e98aed72c504a0641194.exe
1384	4108	WerFault.exe	da8e7aca7e9ffc825848b96f8b2c6e0869078ac0a044e98aed72c504a0641194.exe
2996	4108	WerFault.exe	da8e7aca7e9ffc825848b96f8b2c6e0869078ac0a044e98aed72c504a0641194.exe
3116	3676	WerFault.exe	da8e7aca7e9ffc825848b96f8b2c6e0869078ac0a044e98aed72c504a0641194.exe
1240	3676	WerFault.exe	da8e7aca7e9ffc825848b96f8b2c6e0869078ac0a044e98aed72c504a0641194.exe
3576	3676	WerFault.exe	da8e7aca7e9ffc825848b96f8b2c6e0869078ac0a044e98aed72c504a0641194.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

552 schtasks.exe

pid	process
552	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\da8e7aca7e9ffc825848b96f8b2c6e0869078ac0a044e98aed72c504a0641194.exe
"C:\Users\Admin\AppData\Local\Temp\da8e7aca7e9ffc825848b96f8b2c6e0869078ac0a044e98aed72c504a0641194.exe"
1⤵
PID:4108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\da8e7aca7e9ffc825848b96f8b2c6e0869078ac0a044e98aed72c504a0641194.exe
"C:\Users\Admin\AppData\Local\Temp\da8e7aca7e9ffc825848b96f8b2c6e0869078ac0a044e98aed72c504a0641194.exe"
2⤵
PID:3676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:2408

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:2252

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:1596

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
PID:448

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:1692

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:552

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:4244

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:2468

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 716
3⤵
- Program crash
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 604
3⤵
- Program crash
PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 600
3⤵
- Program crash
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 808
2⤵
- Program crash
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 884
2⤵
- Program crash
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 852
2⤵
- Program crash
PID:2996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4108 -ip 4108
1⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4108 -ip 4108
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4108 -ip 4108
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3676 -ip 3676
1⤵
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3676 -ip 3676
1⤵
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3676 -ip 3676
1⤵
PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ycs5p2n1.xuc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
f79a7945e26c272ae91d186f58c12224

SHA1
6ae4c25f9138efa18bed966097ffb786b5588945

SHA256
a1dae67dabfbb2dc22cf16f7d9fff1652a8882a38d14dba600241abbab3d026a

SHA512
beb2af63fee6a955ee25cdd8e548b64b0ce40ef663b17297fbfe27eb8e95e7d3386e7d38592c702565bdad1619ff676c4edcff8f6f37145fbb630db4d03e2935

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
e88669c446b9eda9d305d6b3396888f0

SHA1
0da5b1f74b6df3c19d41436f1491805ab1e1490e

SHA256
299d7ead1b34fdbf6fc90171737e6a131929d3dbf2950287de78716479a2ee08

SHA512
7e9b8378c801d6a74078c348d75924019a33f9e7ef4060d3385d8ea6c2831910dccb57afe7c3e7832b769c13338959df28e94d2408ddd2c4794ac05af77c1eba

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
396c4952436c08bd414d39b15dc4a660

SHA1
1ae6430426e048825fdfcf551102ee9ed5473b64

SHA256
e1b776ade132aeb69af8bfccd4499a50dc0ecdaaf37161859861b25afb62645a

SHA512
afc983269bc6e2a7fc9dd5bdda0f46cf27fd4758a153457e39267684b840b670eb23dc4ac9ba097acf21c17d9e09d1218a219dfbb892375408252e69a8d11aaa

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
5bd094df96aa0cbbf45d5089c8b6ca84

SHA1
f6c9d426f11d02d4b52736c7e42a240227f37427

SHA256
2f9d8f7847bf6846c59a49e3ddd6b6a9ed40dd2289b31469078072eb59345fdf

SHA512
f7d1066ab8a1ed0408ff9de6557e7121b054ca7b50399b3dd5e8a37766929645f58693e7e58150e088ec2ae860aaa0a49884474f8acaa16938cf76ea5f4d7202

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
6e85bae9eb5f7526fdecd016402e1219

SHA1
3fb3ee10abd8edd097e5e68c246876c9ff26372f

SHA256
05b6990df7d107b0c842be0a4660866a27ad84fb2ed230aeb8656067ba232d0a

SHA512
15e74d85ef9dbed063859dae91b16ac8f6416f02e663589820ec2a8880403339a7cc8f1dc3218f073ba662991bb39f3dc9c73bb64e0417fc4145a3a0bbe68578

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
eec0e6b96442a67c4258b06290620827

SHA1
c8505a39d02fd21fc1f7d13c14e1d2f98b42be3c

SHA256
da8e7aca7e9ffc825848b96f8b2c6e0869078ac0a044e98aed72c504a0641194

SHA512
0da3675a00b5278a35281073eed654bc6638499dd0228d35f70f01e51e08d1a74d08105d8596e9784aee6a6d4b619f576d95da4f0e9f040b63a3d2228158edd1

Download Submit
memory/448-232-0x0000000000400000-0x000000000300B000-memory.dmp

Filesize
44.0MB

Download
memory/1596-132-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/1596-133-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/1596-131-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/1716-60-0x0000000008030000-0x0000000008038000-memory.dmp

Filesize
32KB

Download
memory/1716-18-0x0000000006260000-0x00000000065B4000-memory.dmp

Filesize
3.3MB

Download
memory/1716-5-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/1716-26-0x0000000006850000-0x000000000686E000-memory.dmp

Filesize
120KB

Download
memory/1716-27-0x0000000006920000-0x000000000696C000-memory.dmp

Filesize
304KB

Download
memory/1716-29-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/1716-30-0x0000000006DF0000-0x0000000006E34000-memory.dmp

Filesize
272KB

Download
memory/1716-31-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/1716-33-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/1716-32-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/1716-34-0x0000000007B90000-0x0000000007C06000-memory.dmp

Filesize
472KB

Download
memory/1716-35-0x00000000082F0000-0x000000000896A000-memory.dmp

Filesize
6.5MB

Download
memory/1716-36-0x0000000007B10000-0x0000000007B2A000-memory.dmp

Filesize
104KB

Download
memory/1716-6-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/1716-38-0x000000007F860000-0x000000007F870000-memory.dmp

Filesize
64KB

Download
memory/1716-39-0x0000000007E70000-0x0000000007EA2000-memory.dmp

Filesize
200KB

Download
memory/1716-41-0x0000000071030000-0x0000000071384000-memory.dmp

Filesize
3.3MB

Download
memory/1716-40-0x0000000070AB0000-0x0000000070AFC000-memory.dmp

Filesize
304KB

Download
memory/1716-51-0x0000000007E50000-0x0000000007E6E000-memory.dmp

Filesize
120KB

Download
memory/1716-52-0x0000000007EB0000-0x0000000007F53000-memory.dmp

Filesize
652KB

Download
memory/1716-53-0x0000000007F90000-0x0000000007F9A000-memory.dmp

Filesize
40KB

Download
memory/1716-7-0x0000000005200000-0x0000000005236000-memory.dmp

Filesize
216KB

Download
memory/1716-55-0x00000000080A0000-0x0000000008136000-memory.dmp

Filesize
600KB

Download
memory/1716-56-0x0000000007FA0000-0x0000000007FB1000-memory.dmp

Filesize
68KB

Download
memory/1716-57-0x0000000007FE0000-0x0000000007FEE000-memory.dmp

Filesize
56KB

Download
memory/1716-58-0x0000000008000000-0x0000000008014000-memory.dmp

Filesize
80KB

Download
memory/1716-59-0x0000000008040000-0x000000000805A000-memory.dmp

Filesize
104KB

Download
memory/1716-8-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/1716-63-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/1716-9-0x00000000058A0000-0x0000000005EC8000-memory.dmp

Filesize
6.2MB

Download
memory/1716-10-0x00000000057D0000-0x00000000057F2000-memory.dmp

Filesize
136KB

Download
memory/1716-11-0x00000000060C0000-0x0000000006126000-memory.dmp

Filesize
408KB

Download
memory/1716-12-0x0000000006130000-0x0000000006196000-memory.dmp

Filesize
408KB

Download
memory/2252-113-0x0000000005C60000-0x0000000005FB4000-memory.dmp

Filesize
3.3MB

Download
memory/2252-101-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2252-130-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/2252-118-0x0000000070D30000-0x0000000071084000-memory.dmp

Filesize
3.3MB

Download
memory/2252-117-0x0000000070BB0000-0x0000000070BFC000-memory.dmp

Filesize
304KB

Download
memory/2252-115-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2252-100-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/2252-102-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2592-98-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/2592-83-0x0000000071330000-0x0000000071684000-memory.dmp

Filesize
3.3MB

Download
memory/2592-69-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/2592-95-0x0000000007B80000-0x0000000007B94000-memory.dmp

Filesize
80KB

Download
memory/2592-94-0x0000000007B30000-0x0000000007B41000-memory.dmp

Filesize
68KB

Download
memory/2592-93-0x0000000007840000-0x00000000078E3000-memory.dmp

Filesize
652KB

Download
memory/2592-80-0x0000000006690000-0x00000000066DC000-memory.dmp

Filesize
304KB

Download
memory/2592-79-0x0000000006000000-0x0000000006354000-memory.dmp

Filesize
3.3MB

Download
memory/2592-68-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/2592-81-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/2592-82-0x0000000070BB0000-0x0000000070BFC000-memory.dmp

Filesize
304KB

Download
memory/3676-163-0x0000000000400000-0x000000000300B000-memory.dmp

Filesize
44.0MB

Download
memory/3676-116-0x0000000000400000-0x000000000300B000-memory.dmp

Filesize
44.0MB

Download
memory/3676-128-0x0000000000400000-0x000000000300B000-memory.dmp

Filesize
44.0MB

Download
memory/3676-112-0x0000000003600000-0x0000000003A06000-memory.dmp

Filesize
4.0MB

Download
memory/3676-67-0x0000000000400000-0x000000000300B000-memory.dmp

Filesize
44.0MB

Download
memory/3676-66-0x0000000003600000-0x0000000003A06000-memory.dmp

Filesize
4.0MB

Download
memory/4108-23-0x00000000036B0000-0x0000000003AAC000-memory.dmp

Filesize
4.0MB

Download
memory/4108-1-0x00000000036B0000-0x0000000003AAC000-memory.dmp

Filesize
4.0MB

Download
memory/4108-54-0x0000000000400000-0x000000000300B000-memory.dmp

Filesize
44.0MB

Download
memory/4108-65-0x0000000000400000-0x000000000300B000-memory.dmp

Filesize
44.0MB

Download
memory/4108-37-0x0000000000400000-0x000000000300B000-memory.dmp

Filesize
44.0MB

Download
memory/4108-25-0x00000000050C0000-0x00000000059AB000-memory.dmp

Filesize
8.9MB

Download
memory/4108-4-0x0000000000400000-0x000000000300B000-memory.dmp

Filesize
44.0MB

Download
memory/4108-3-0x0000000000400000-0x000000000300B000-memory.dmp

Filesize
44.0MB

Download
memory/4108-2-0x00000000050C0000-0x00000000059AB000-memory.dmp

Filesize
8.9MB

Download