glupteba | 9127b9a8ff6ddb58cecc278c07897a3d280f178a9f56df03daccccf2f7101801

Analysis

max time kernel
20s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9127b9a8ff6ddb58cecc278c07897a3d280f178a9f56df03daccccf2f7101801.exe
Size

4.2MB
MD5

c978c65c0f9a22e93997243720415127
SHA1

10b52c071e96711ce9bb7abbd0f8a899898f5f57
SHA256

9127b9a8ff6ddb58cecc278c07897a3d280f178a9f56df03daccccf2f7101801
SHA512

556f8cea4130e8c80b7117a27b64e18f000489471651c138e0786e66ca1334b61d2c830a6197bd6ffa8a3f090e8168010e155553b5be0fa7187a95b3f0c41895
SSDEEP

98304:5lPNnLMcliXgk6mZUGEiVLqbbhuqLV4AlEjP7H:5lP9LMc0wkDbEiV0LVIb

Score

10^/10

glupteba dropper evasion loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3256-2-0x0000000005290000-0x0000000005B7B000-memory.dmp	family_glupteba
behavioral1/memory/3256-3-0x0000000000400000-0x000000000300B000-memory.dmp	family_glupteba
behavioral1/memory/3256-4-0x0000000000400000-0x000000000300B000-memory.dmp	family_glupteba
behavioral1/memory/3256-11-0x0000000005290000-0x0000000005B7B000-memory.dmp	family_glupteba
behavioral1/memory/3256-60-0x0000000000400000-0x000000000300B000-memory.dmp	family_glupteba
behavioral1/memory/4452-63-0x0000000000400000-0x000000000300B000-memory.dmp	family_glupteba
behavioral1/memory/4452-111-0x0000000000400000-0x000000000300B000-memory.dmp	family_glupteba
behavioral1/memory/4452-157-0x0000000000400000-0x000000000300B000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3484 netsh.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4276 schtasks.exe
5000 schtasks.exe

pid	process
3484	netsh.exe

pid	process
4276	schtasks.exe
5000	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\9127b9a8ff6ddb58cecc278c07897a3d280f178a9f56df03daccccf2f7101801.exe
"C:\Users\Admin\AppData\Local\Temp\9127b9a8ff6ddb58cecc278c07897a3d280f178a9f56df03daccccf2f7101801.exe"
1⤵
PID:3256

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\9127b9a8ff6ddb58cecc278c07897a3d280f178a9f56df03daccccf2f7101801.exe
"C:\Users\Admin\AppData\Local\Temp\9127b9a8ff6ddb58cecc278c07897a3d280f178a9f56df03daccccf2f7101801.exe"
2⤵
PID:4452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:3128

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:3484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:4448

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:3892

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
PID:4356

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:1748

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:4276

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:4564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:232

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:3080

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
PID:2832

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:5000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3740 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4ruplzlr.wcu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
5a731d6536c0378c875aba1a17d6979b

SHA1
14deefd198f0aaf5c0c662f02a5949cafebe461d

SHA256
935c959405c35758a3d55e13be3890c8b77b916a1776f3ecc70f70f00f5bb623

SHA512
c45ec73c0801f63b03daa89dc87c095629ac4852c86ecd052bb06ffabf1d85304a0ade66d70bbfdc258f6bb43cc00c9f67be9af5ce3962ac1a15d142ab37575c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
6eca5c97385e779a2b75d540d3d02db3

SHA1
4276e0e6d95374ef5d03b3d3b24309c75131070b

SHA256
d8a540fc4886913a4d4f987f6de8104fc8ca78e46f8e7139fdbc2a85ad196826

SHA512
6696eb31164c7db08833e1337d7f6d20d7d4601e0fdd50c4c90640dadc52362d0750a8aa6cc4a48f239121631f4e2055af9331574594461454aff3181d29ac88

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
f8ba23554a555bd8a5e30d98bfdd3800

SHA1
64233c49aa7ca4109d9048260841cb3f96c929eb

SHA256
c41bcb05389a98ae48e1714a027c5048cde74b27bbb2d8c808b1b8a31e76251e

SHA512
d39fccfe26f2ab1fe291360e14a020c4961aadeccbbb75adf1b714f289cd4a6238ef78e8f91c1008ad58e05054802efc668b9d96f58d3d221782005f73c969b3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
107e26f1ee24d0b6019b679e39923a83

SHA1
c6dc66b2e63795de77f888ea91acccb02064087b

SHA256
18a129ee7bfce36c2e1f4f6c781a2f3f1b5af71623ee06b8124cb3c9e2a3234b

SHA512
3998807fc067f36e1fdcc7a11b09c6637e45e576ef27d1ab05a827a5c83c8ea7867f84d709990d87f8bc1d28e85fe1690b54e0784b4ee98b2d10da026b901c26

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
2b27ce0ec3b988dedbf7e8ac06e85395

SHA1
3aaaa5f29aefdf85961d6c543f0c9bfbfb19ae76

SHA256
7ea3cba7fb8bafa330a2e86463bba4345c12f8dd3bd44e7040b5b58de66125a6

SHA512
9226bdbd966ae818e16a37118b9957498b2b67e44877fa4f0fe37af592454302008af9b7367fc80cd564f7e13601527f49333068ccd7b3220860afb80d261f39

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
c978c65c0f9a22e93997243720415127

SHA1
10b52c071e96711ce9bb7abbd0f8a899898f5f57

SHA256
9127b9a8ff6ddb58cecc278c07897a3d280f178a9f56df03daccccf2f7101801

SHA512
556f8cea4130e8c80b7117a27b64e18f000489471651c138e0786e66ca1334b61d2c830a6197bd6ffa8a3f090e8168010e155553b5be0fa7187a95b3f0c41895

Download Submit
memory/1968-31-0x0000000008160000-0x00000000087DA000-memory.dmp

Filesize
6.5MB

Download
memory/1968-36-0x00000000708D0000-0x000000007091C000-memory.dmp

Filesize
304KB

Download
memory/1968-13-0x00000000058E0000-0x0000000005946000-memory.dmp

Filesize
408KB

Download
memory/1968-14-0x0000000005950000-0x00000000059B6000-memory.dmp

Filesize
408KB

Download
memory/1968-8-0x0000000005AB0000-0x00000000060D8000-memory.dmp

Filesize
6.2MB

Download
memory/1968-20-0x00000000060E0000-0x0000000006434000-memory.dmp

Filesize
3.3MB

Download
memory/1968-25-0x0000000006740000-0x000000000675E000-memory.dmp

Filesize
120KB

Download
memory/1968-26-0x0000000006810000-0x000000000685C000-memory.dmp

Filesize
304KB

Download
memory/1968-28-0x0000000006CB0000-0x0000000006CF4000-memory.dmp

Filesize
272KB

Download
memory/1968-29-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/1968-30-0x0000000007A60000-0x0000000007AD6000-memory.dmp

Filesize
472KB

Download
memory/1968-7-0x0000000002E10000-0x0000000002E46000-memory.dmp

Filesize
216KB

Download
memory/1968-32-0x0000000007B00000-0x0000000007B1A000-memory.dmp

Filesize
104KB

Download
memory/1968-33-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/1968-34-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/1968-12-0x00000000054C0000-0x00000000054E2000-memory.dmp

Filesize
136KB

Download
memory/1968-37-0x0000000071080000-0x00000000713D4000-memory.dmp

Filesize
3.3MB

Download
memory/1968-48-0x0000000007D00000-0x0000000007DA3000-memory.dmp

Filesize
652KB

Download
memory/1968-47-0x0000000007CA0000-0x0000000007CBE000-memory.dmp

Filesize
120KB

Download
memory/1968-35-0x0000000007CC0000-0x0000000007CF2000-memory.dmp

Filesize
200KB

Download
memory/1968-49-0x0000000007DE0000-0x0000000007DEA000-memory.dmp

Filesize
40KB

Download
memory/1968-50-0x0000000007EA0000-0x0000000007F36000-memory.dmp

Filesize
600KB

Download
memory/1968-51-0x0000000007E00000-0x0000000007E11000-memory.dmp

Filesize
68KB

Download
memory/1968-52-0x0000000007E40000-0x0000000007E4E000-memory.dmp

Filesize
56KB

Download
memory/1968-53-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/1968-54-0x0000000007FA0000-0x0000000007FB4000-memory.dmp

Filesize
80KB

Download
memory/1968-55-0x0000000007FE0000-0x0000000007FFA000-memory.dmp

Filesize
104KB

Download
memory/1968-56-0x0000000007FC0000-0x0000000007FC8000-memory.dmp

Filesize
32KB

Download
memory/1968-59-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/1968-6-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/1968-5-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/3256-60-0x0000000000400000-0x000000000300B000-memory.dmp

Filesize
44.0MB

Download
memory/3256-1-0x00000000036F0000-0x0000000003AE9000-memory.dmp

Filesize
4.0MB

Download
memory/3256-11-0x0000000005290000-0x0000000005B7B000-memory.dmp

Filesize
8.9MB

Download
memory/3256-2-0x0000000005290000-0x0000000005B7B000-memory.dmp

Filesize
8.9MB

Download
memory/3256-3-0x0000000000400000-0x000000000300B000-memory.dmp

Filesize
44.0MB

Download
memory/3256-9-0x00000000036F0000-0x0000000003AE9000-memory.dmp

Filesize
4.0MB

Download
memory/3256-4-0x0000000000400000-0x000000000300B000-memory.dmp

Filesize
44.0MB

Download
memory/3892-128-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/3892-141-0x00000000709D0000-0x0000000070A1C000-memory.dmp

Filesize
304KB

Download
memory/3892-140-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/3892-126-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/3892-138-0x0000000005A10000-0x0000000005D64000-memory.dmp

Filesize
3.3MB

Download
memory/3892-127-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/4356-228-0x0000000000400000-0x000000000300B000-memory.dmp

Filesize
44.0MB

Download
memory/4356-262-0x0000000000400000-0x000000000300B000-memory.dmp

Filesize
44.0MB

Download
memory/4448-112-0x000000007F230000-0x000000007F240000-memory.dmp

Filesize
64KB

Download
memory/4448-100-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/4448-97-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/4448-98-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/4448-125-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/4448-113-0x00000000709D0000-0x0000000070A1C000-memory.dmp

Filesize
304KB

Download
memory/4448-114-0x0000000071170000-0x00000000714C4000-memory.dmp

Filesize
3.3MB

Download
memory/4452-111-0x0000000000400000-0x000000000300B000-memory.dmp

Filesize
44.0MB

Download
memory/4452-157-0x0000000000400000-0x000000000300B000-memory.dmp

Filesize
44.0MB

Download
memory/4452-62-0x00000000034B0000-0x00000000038AA000-memory.dmp

Filesize
4.0MB

Download
memory/4452-99-0x00000000034B0000-0x00000000038AA000-memory.dmp

Filesize
4.0MB

Download
memory/4452-63-0x0000000000400000-0x000000000300B000-memory.dmp

Filesize
44.0MB

Download
memory/4488-80-0x0000000071170000-0x00000000714C4000-memory.dmp

Filesize
3.3MB

Download
memory/4488-92-0x0000000007940000-0x0000000007954000-memory.dmp

Filesize
80KB

Download
memory/4488-91-0x00000000078F0000-0x0000000007901000-memory.dmp

Filesize
68KB

Download
memory/4488-90-0x0000000007600000-0x00000000076A3000-memory.dmp

Filesize
652KB

Download
memory/4488-64-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/4488-95-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/4488-78-0x000000007F500000-0x000000007F510000-memory.dmp

Filesize
64KB

Download
memory/4488-79-0x00000000709D0000-0x0000000070A1C000-memory.dmp

Filesize
304KB

Download
memory/4488-77-0x0000000006920000-0x000000000696C000-memory.dmp

Filesize
304KB

Download
memory/4488-68-0x0000000005D80000-0x00000000060D4000-memory.dmp

Filesize
3.3MB

Download
memory/4488-66-0x0000000002F00000-0x0000000002F10000-memory.dmp

Filesize
64KB

Download
memory/4488-65-0x0000000002F00000-0x0000000002F10000-memory.dmp

Filesize
64KB

Download