Analysis
-
max time kernel
62s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
25-04-2024 15:30
General
-
Target
1974708e1f31870067fad19e4edaffc9ba518557de0a7abce780a948660689f7.exe
-
Size
4.2MB
-
MD5
941ef1463d66f6f76ab88767249145be
-
SHA1
7308765c8769a3f6486028af9466d5327581a169
-
SHA256
1974708e1f31870067fad19e4edaffc9ba518557de0a7abce780a948660689f7
-
SHA512
30065f20996298802602d3ff0a0c48e7a69e4c136abf1fe26dba5f8b5b6705b61f83638bf870bc3be65fad83ac9799982f7a6f4e0f47c9e6031f5f64b2f7fb49
-
SSDEEP
98304:K+8Pj1ZT6Vr0wZqa219A2D71J0S/rwUCjvn1rKajWGkWvy/KS6wUa/y:KpTT62wIa89A2D71N/UUOgaSZKqUAy
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 18 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1974708e1f31870067fad19e4edaffc9ba518557de0a7abce780a948660689f7.exe"C:\Users\Admin\AppData\Local\Temp\1974708e1f31870067fad19e4edaffc9ba518557de0a7abce780a948660689f7.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1974708e1f31870067fad19e4edaffc9ba518557de0a7abce780a948660689f7.exe"C:\Users\Admin\AppData\Local\Temp\1974708e1f31870067fad19e4edaffc9ba518557de0a7abce780a948660689f7.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2vrd2y2f.niy.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD50dde3871bf3a4ead273aa5e17398effc
SHA1106873cb78e75e6f1ccbf007cc1bdee780a42864
SHA25614c3188dae4ee8a7f133cf27ab4b9bfd1155d9abecef92331f037528596f64c5
SHA5129ca11718452ddf12805e8f54f13507abf80101a41b9786de4f3263f0f175d3398187d27bc0f4557b47f29418d85ca2e18462a9e751edd6e179ffeb119c030114
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD50f985c62bcba9c6ac31f0630e3377051
SHA1a4bf322aa60fdfe9130ed9a929740bc75d1d6e8d
SHA25612e542b13d65b280e904a2a4911f727fceca8de1622d6cf96dcd11da3d6464d5
SHA5127ed4f440e0d378c04d2c8a9b6193bb3fa639c4d23327df56af91a2c847f2345a255da1f85029861f9ef8b31accdb0289fcfe17abbc40daa7f7311d4073670347
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD53a5208d1a2b677d2dfdbfd02d3b70f31
SHA17ba8892121d5945c1dc9bb976ec24ef3c7055b98
SHA256d5f7078f60fc9592beff2bb2edb5419247264e4a61b7c720dee6c84533915d65
SHA512c5120cb77af0b9cbf063760233112461667371451e2203dd170baf598deb8268472a2166fe72448003d387857ebf72d1a3511bc9b42265189ec82ccc3212aa7d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD57b6a45f72036cc488c58ac69403902a1
SHA191b5992bed637d61b6d925e642ca685325247a2c
SHA256f89ddc0a82bf7f33c6224f6bcd1c8ca47637295b120fd5be08ad3373d5c25ca8
SHA5121eea20acb75530e697fe06af9b89d7d3b5cf35a9bf8c83df3df009a6d88a6dba9863b1f0b21925849acf1c8736e23f6e8cdbdd7f3185e607b21b4f6d0cc0aa99
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD580ffa212356a6a4192cf5c522404efbe
SHA1403ca6d9bd17d8c9fe96fd04a30f5a4438ac1425
SHA256d72be1ccf4eaea849ee77fffc43c75d14dae1623415737bcca991c6c96764568
SHA5122961229b49e0f43653b08613380a77267098ac27e85c98b4702a903dd5a0546814c998bf56f3da8a6c2db08c6a24266499b43e2a9cf3aaabb80638dd32af1181
-
C:\Windows\rss\csrss.exeFilesize
4.2MB
MD5941ef1463d66f6f76ab88767249145be
SHA17308765c8769a3f6486028af9466d5327581a169
SHA2561974708e1f31870067fad19e4edaffc9ba518557de0a7abce780a948660689f7
SHA51230065f20996298802602d3ff0a0c48e7a69e4c136abf1fe26dba5f8b5b6705b61f83638bf870bc3be65fad83ac9799982f7a6f4e0f47c9e6031f5f64b2f7fb49
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/548-120-0x0000000003580000-0x0000000003988000-memory.dmpFilesize
4.0MB
-
memory/548-94-0x0000000000400000-0x000000000300B000-memory.dmpFilesize
44.0MB
-
memory/548-157-0x0000000000400000-0x000000000300B000-memory.dmpFilesize
44.0MB
-
memory/548-57-0x0000000003580000-0x0000000003988000-memory.dmpFilesize
4.0MB
-
memory/548-58-0x0000000000400000-0x000000000300B000-memory.dmpFilesize
44.0MB
-
memory/1084-271-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/1744-277-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/1744-273-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2776-276-0x0000000000400000-0x000000000300B000-memory.dmpFilesize
44.0MB
-
memory/2776-274-0x0000000000400000-0x000000000300B000-memory.dmpFilesize
44.0MB
-
memory/2776-272-0x0000000000400000-0x000000000300B000-memory.dmpFilesize
44.0MB
-
memory/2776-278-0x0000000000400000-0x000000000300B000-memory.dmpFilesize
44.0MB
-
memory/2776-280-0x0000000000400000-0x000000000300B000-memory.dmpFilesize
44.0MB
-
memory/2776-282-0x0000000000400000-0x000000000300B000-memory.dmpFilesize
44.0MB
-
memory/2776-284-0x0000000000400000-0x000000000300B000-memory.dmpFilesize
44.0MB
-
memory/2776-286-0x0000000000400000-0x000000000300B000-memory.dmpFilesize
44.0MB
-
memory/2776-208-0x0000000000400000-0x000000000300B000-memory.dmpFilesize
44.0MB
-
memory/2776-263-0x0000000000400000-0x000000000300B000-memory.dmpFilesize
44.0MB
-
memory/3020-56-0x0000000005110000-0x00000000059FB000-memory.dmpFilesize
8.9MB
-
memory/3020-2-0x0000000005110000-0x00000000059FB000-memory.dmpFilesize
8.9MB
-
memory/3020-3-0x0000000000400000-0x000000000300B000-memory.dmpFilesize
44.0MB
-
memory/3020-1-0x0000000003570000-0x000000000396E000-memory.dmpFilesize
4.0MB
-
memory/3020-54-0x0000000000400000-0x000000000300B000-memory.dmpFilesize
44.0MB
-
memory/3888-96-0x00000000049C0000-0x00000000049D0000-memory.dmpFilesize
64KB
-
memory/3888-123-0x0000000074E30000-0x00000000755E0000-memory.dmpFilesize
7.7MB
-
memory/3888-121-0x00000000049C0000-0x00000000049D0000-memory.dmpFilesize
64KB
-
memory/3888-109-0x0000000070D30000-0x0000000070D7C000-memory.dmpFilesize
304KB
-
memory/3888-110-0x00000000714D0000-0x0000000071824000-memory.dmpFilesize
3.3MB
-
memory/3888-108-0x000000007EFD0000-0x000000007EFE0000-memory.dmpFilesize
64KB
-
memory/3888-97-0x00000000049C0000-0x00000000049D0000-memory.dmpFilesize
64KB
-
memory/3888-95-0x0000000074E30000-0x00000000755E0000-memory.dmpFilesize
7.7MB
-
memory/3980-41-0x0000000007BE0000-0x0000000007BFE000-memory.dmpFilesize
120KB
-
memory/3980-47-0x0000000007D50000-0x0000000007D5E000-memory.dmpFilesize
56KB
-
memory/3980-28-0x000000007FBE0000-0x000000007FBF0000-memory.dmpFilesize
64KB
-
memory/3980-29-0x0000000007BA0000-0x0000000007BD2000-memory.dmpFilesize
200KB
-
memory/3980-27-0x00000000079E0000-0x00000000079FA000-memory.dmpFilesize
104KB
-
memory/3980-26-0x0000000008040000-0x00000000086BA000-memory.dmpFilesize
6.5MB
-
memory/3980-25-0x0000000007740000-0x00000000077B6000-memory.dmpFilesize
472KB
-
memory/3980-24-0x0000000006B80000-0x0000000006BC4000-memory.dmpFilesize
272KB
-
memory/3980-23-0x0000000006670000-0x00000000066BC000-memory.dmpFilesize
304KB
-
memory/3980-22-0x0000000006610000-0x000000000662E000-memory.dmpFilesize
120KB
-
memory/3980-21-0x0000000005FC0000-0x0000000006314000-memory.dmpFilesize
3.3MB
-
memory/3980-11-0x0000000005F10000-0x0000000005F76000-memory.dmpFilesize
408KB
-
memory/3980-10-0x00000000057E0000-0x0000000005846000-memory.dmpFilesize
408KB
-
memory/3980-31-0x0000000070DD0000-0x0000000071124000-memory.dmpFilesize
3.3MB
-
memory/3980-42-0x00000000052A0000-0x00000000052B0000-memory.dmpFilesize
64KB
-
memory/3980-30-0x0000000070C30000-0x0000000070C7C000-memory.dmpFilesize
304KB
-
memory/3980-9-0x0000000005740000-0x0000000005762000-memory.dmpFilesize
136KB
-
memory/3980-43-0x0000000007C00000-0x0000000007CA3000-memory.dmpFilesize
652KB
-
memory/3980-44-0x0000000007CF0000-0x0000000007CFA000-memory.dmpFilesize
40KB
-
memory/3980-8-0x00000000058E0000-0x0000000005F08000-memory.dmpFilesize
6.2MB
-
memory/3980-45-0x0000000007DB0000-0x0000000007E46000-memory.dmpFilesize
600KB
-
memory/3980-46-0x0000000007D10000-0x0000000007D21000-memory.dmpFilesize
68KB
-
memory/3980-53-0x0000000074D90000-0x0000000075540000-memory.dmpFilesize
7.7MB
-
memory/3980-6-0x00000000052A0000-0x00000000052B0000-memory.dmpFilesize
64KB
-
memory/3980-7-0x00000000052A0000-0x00000000052B0000-memory.dmpFilesize
64KB
-
memory/3980-50-0x0000000007DA0000-0x0000000007DA8000-memory.dmpFilesize
32KB
-
memory/3980-5-0x0000000074D90000-0x0000000075540000-memory.dmpFilesize
7.7MB
-
memory/3980-4-0x0000000003050000-0x0000000003086000-memory.dmpFilesize
216KB
-
memory/3980-49-0x0000000007E50000-0x0000000007E6A000-memory.dmpFilesize
104KB
-
memory/3980-48-0x0000000007D60000-0x0000000007D74000-memory.dmpFilesize
80KB
-
memory/4456-135-0x00000000059E0000-0x0000000005D34000-memory.dmpFilesize
3.3MB
-
memory/4456-138-0x0000000070D30000-0x0000000070D7C000-memory.dmpFilesize
304KB
-
memory/4456-136-0x0000000002710000-0x0000000002720000-memory.dmpFilesize
64KB
-
memory/4456-134-0x0000000002710000-0x0000000002720000-memory.dmpFilesize
64KB
-
memory/4456-124-0x0000000074E30000-0x00000000755E0000-memory.dmpFilesize
7.7MB
-
memory/4828-92-0x0000000074E30000-0x00000000755E0000-memory.dmpFilesize
7.7MB
-
memory/4828-89-0x0000000006FF0000-0x0000000007004000-memory.dmpFilesize
80KB
-
memory/4828-88-0x0000000006FA0000-0x0000000006FB1000-memory.dmpFilesize
68KB
-
memory/4828-87-0x0000000002490000-0x00000000024A0000-memory.dmpFilesize
64KB
-
memory/4828-73-0x000000007F8D0000-0x000000007F8E0000-memory.dmpFilesize
64KB
-
memory/4828-74-0x0000000070D30000-0x0000000070D7C000-memory.dmpFilesize
304KB
-
memory/4828-85-0x0000000006C70000-0x0000000006D13000-memory.dmpFilesize
652KB
-
memory/4828-86-0x0000000002490000-0x00000000024A0000-memory.dmpFilesize
64KB
-
memory/4828-75-0x00000000714D0000-0x0000000071824000-memory.dmpFilesize
3.3MB
-
memory/4828-72-0x0000000005E00000-0x0000000005E4C000-memory.dmpFilesize
304KB
-
memory/4828-63-0x00000000053D0000-0x0000000005724000-memory.dmpFilesize
3.3MB
-
memory/4828-61-0x0000000002490000-0x00000000024A0000-memory.dmpFilesize
64KB
-
memory/4828-60-0x0000000002490000-0x00000000024A0000-memory.dmpFilesize
64KB
-
memory/4828-59-0x0000000074E30000-0x00000000755E0000-memory.dmpFilesize
7.7MB