Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
62s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
25/04/2024, 15:30
General
-
Target
1974708e1f31870067fad19e4edaffc9ba518557de0a7abce780a948660689f7.exe
-
Size
4.2MB
-
MD5
941ef1463d66f6f76ab88767249145be
-
SHA1
7308765c8769a3f6486028af9466d5327581a169
-
SHA256
1974708e1f31870067fad19e4edaffc9ba518557de0a7abce780a948660689f7
-
SHA512
30065f20996298802602d3ff0a0c48e7a69e4c136abf1fe26dba5f8b5b6705b61f83638bf870bc3be65fad83ac9799982f7a6f4e0f47c9e6031f5f64b2f7fb49
-
SSDEEP
98304:K+8Pj1ZT6Vr0wZqa219A2D71J0S/rwUCjvn1rKajWGkWvy/KS6wUa/y:KpTT62wIa89A2D71N/UUOgaSZKqUAy
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 18 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1974708e1f31870067fad19e4edaffc9ba518557de0a7abce780a948660689f7.exe"C:\Users\Admin\AppData\Local\Temp\1974708e1f31870067fad19e4edaffc9ba518557de0a7abce780a948660689f7.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1974708e1f31870067fad19e4edaffc9ba518557de0a7abce780a948660689f7.exe"C:\Users\Admin\AppData\Local\Temp\1974708e1f31870067fad19e4edaffc9ba518557de0a7abce780a948660689f7.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
-
-
-
-
-
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
19KB
MD50dde3871bf3a4ead273aa5e17398effc
SHA1106873cb78e75e6f1ccbf007cc1bdee780a42864
SHA25614c3188dae4ee8a7f133cf27ab4b9bfd1155d9abecef92331f037528596f64c5
SHA5129ca11718452ddf12805e8f54f13507abf80101a41b9786de4f3263f0f175d3398187d27bc0f4557b47f29418d85ca2e18462a9e751edd6e179ffeb119c030114
-
Filesize
19KB
MD50f985c62bcba9c6ac31f0630e3377051
SHA1a4bf322aa60fdfe9130ed9a929740bc75d1d6e8d
SHA25612e542b13d65b280e904a2a4911f727fceca8de1622d6cf96dcd11da3d6464d5
SHA5127ed4f440e0d378c04d2c8a9b6193bb3fa639c4d23327df56af91a2c847f2345a255da1f85029861f9ef8b31accdb0289fcfe17abbc40daa7f7311d4073670347
-
Filesize
19KB
MD53a5208d1a2b677d2dfdbfd02d3b70f31
SHA17ba8892121d5945c1dc9bb976ec24ef3c7055b98
SHA256d5f7078f60fc9592beff2bb2edb5419247264e4a61b7c720dee6c84533915d65
SHA512c5120cb77af0b9cbf063760233112461667371451e2203dd170baf598deb8268472a2166fe72448003d387857ebf72d1a3511bc9b42265189ec82ccc3212aa7d
-
Filesize
19KB
MD57b6a45f72036cc488c58ac69403902a1
SHA191b5992bed637d61b6d925e642ca685325247a2c
SHA256f89ddc0a82bf7f33c6224f6bcd1c8ca47637295b120fd5be08ad3373d5c25ca8
SHA5121eea20acb75530e697fe06af9b89d7d3b5cf35a9bf8c83df3df009a6d88a6dba9863b1f0b21925849acf1c8736e23f6e8cdbdd7f3185e607b21b4f6d0cc0aa99
-
Filesize
19KB
MD580ffa212356a6a4192cf5c522404efbe
SHA1403ca6d9bd17d8c9fe96fd04a30f5a4438ac1425
SHA256d72be1ccf4eaea849ee77fffc43c75d14dae1623415737bcca991c6c96764568
SHA5122961229b49e0f43653b08613380a77267098ac27e85c98b4702a903dd5a0546814c998bf56f3da8a6c2db08c6a24266499b43e2a9cf3aaabb80638dd32af1181
-
Filesize
4.2MB
MD5941ef1463d66f6f76ab88767249145be
SHA17308765c8769a3f6486028af9466d5327581a169
SHA2561974708e1f31870067fad19e4edaffc9ba518557de0a7abce780a948660689f7
SHA51230065f20996298802602d3ff0a0c48e7a69e4c136abf1fe26dba5f8b5b6705b61f83638bf870bc3be65fad83ac9799982f7a6f4e0f47c9e6031f5f64b2f7fb49
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
4.0MB
-
Filesize
44.0MB
-
Filesize
44.0MB
-
Filesize
4.0MB
-
Filesize
44.0MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
44.0MB
-
Filesize
44.0MB
-
Filesize
44.0MB
-
Filesize
44.0MB
-
Filesize
44.0MB
-
Filesize
44.0MB
-
Filesize
44.0MB
-
Filesize
44.0MB
-
Filesize
44.0MB
-
Filesize
44.0MB
-
Filesize
8.9MB
-
Filesize
8.9MB
-
Filesize
44.0MB
-
Filesize
4.0MB
-
Filesize
44.0MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
200KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
472KB
-
Filesize
272KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
136KB
-
Filesize
652KB
-
Filesize
40KB
-
Filesize
6.2MB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
104KB
-
Filesize
80KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
80KB
-
Filesize
68KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
652KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB