Overview

overview

10

Static

static

1

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240419-en
  • resource tags

    arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    26/04/2024, 15:27

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    54ef254045e794e9ce4ccfc800e48c9a8fb9119a3b46d14c1a7a2edda34fdb13.exe

  • Size

    4.2MB

  • MD5

    5c513b5fb3f10e36287988f3524ae49c

  • SHA1

    469f26bfd60768891c8249376daba9d8d19e044c

  • SHA256

    54ef254045e794e9ce4ccfc800e48c9a8fb9119a3b46d14c1a7a2edda34fdb13

  • SHA512

    4394f93174db203077d60ead157a530afff7c3eebcfd571fad934b8f1876e30878c83cc07439a4ad78aba1c3405b8ea3315b5b8b0874f73c37ff62fa30987e3d

  • SSDEEP

    98304:nGzsnCxKltbFvS+Z1vjUEQC5FD5MQIQIIS4sbbL48:nG4nxAoLumFD5/IIFsP

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkit

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 18 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Program crash 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\54ef254045e794e9ce4ccfc800e48c9a8fb9119a3b46d14c1a7a2edda34fdb13.exe
    "C:\Users\Admin\AppData\Local\Temp\54ef254045e794e9ce4ccfc800e48c9a8fb9119a3b46d14c1a7a2edda34fdb13.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4040
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:724
    • C:\Users\Admin\AppData\Local\Temp\54ef254045e794e9ce4ccfc800e48c9a8fb9119a3b46d14c1a7a2edda34fdb13.exe
      "C:\Users\Admin\AppData\Local\Temp\54ef254045e794e9ce4ccfc800e48c9a8fb9119a3b46d14c1a7a2edda34fdb13.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5056
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1816
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1948
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:4836
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1288
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4864
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:240
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3488
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:1404
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:3196
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2752
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:220
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:1464
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:1948
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 724
          3⤵
          • Program crash
          PID:1284
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 660
        2⤵
        • Program crash
        PID:2208
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4040 -ip 4040
      1⤵
        PID:2912
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5056 -ip 5056
        1⤵
          PID:2064

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0bab11xs.25q.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                Filesize

                281KB

                MD5

                d98e33b66343e7c96158444127a117f6

                SHA1

                bb716c5509a2bf345c6c1152f6e3e1452d39d50d

                SHA256

                5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

                SHA512

                705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

                Download Submit

              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                Filesize

                2KB

                MD5

                ac4917a885cf6050b1a483e4bc4d2ea5

                SHA1

                b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

                SHA256

                e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

                SHA512

                092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

                Download Submit

              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                Filesize

                19KB

                MD5

                9bd5c608a459a5c3103dfd114a2955c7

                SHA1

                796c9d610db7e2d5a86cac4200b6f0435a8abcb7

                SHA256

                df8fee88daac1d8830c21b159ba14d1562d8a66d9ce8c5879bbd65475c7489a7

                SHA512

                7164b737ce627aff062466b4587befee56132d89aed2bca01ed7b23c805c23468d968b8d3d660e7c0ebec0175b8e0d6ff62d6a2295123978a3b9edf576642f45

                Download Submit

              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                Filesize

                19KB

                MD5

                425386e793b4202b0a7744a58fe8a4e8

                SHA1

                b12be1c468bc1955932845bcaa056d1791453bec

                SHA256

                a758162f8943ad58ddb36e103fdf51938c5a66cc034b213e4663044782b140c8

                SHA512

                e746319e9a2da798af6fc0cfc73d1dd694a27e04e16717f5da624f6c50b989ce68eb45b8e20e5f9e796a865f64062d962ab415c547565cff9680e726319ebaca

                Download Submit

              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                Filesize

                19KB

                MD5

                78fc3d06f0b0d40aaf708916c1be3220

                SHA1

                53274d8dfd47f419e0341c92e342387840c581ff

                SHA256

                f399bd83a4cda3d0e4824c0e19ece8df88889a34d42be5127c402077d3f3495d

                SHA512

                0afa1d0368b5ee240f0409831847435a1ff8d2c6ca902bffc6f298ad12886c28db05d88907860edc01e960da356f1e8278ce5ede3e31d26b706db44da215368c

                Download Submit

              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                Filesize

                19KB

                MD5

                ceb50f886bb1867155de93e6c8f4bca5

                SHA1

                a4a7df35e376db8a271393fc3288ef5eb54012c7

                SHA256

                0f396377772848cf4dc5dea3f786d6fa077bcef914d3a8be4123d361148d9896

                SHA512

                86aa86e42cdce29a1bc20d1664afcf6a51a0b817b25084b558af5d427ca0d96a9caac1c026a4261a5656994441cc7100920110287f3757f78bd6ec715cbbea3f

                Download Submit

              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                Filesize

                19KB

                MD5

                0b253509a22bc1dbf707258088d8234c

                SHA1

                ecd5e2a217af63f61a4105040a46f7aa22c5a875

                SHA256

                87085466ed50fc7197a06901a8822cee6560a42ca1b0717e5c6d7a92b5434b94

                SHA512

                9cd993c3f547d78d788ab8c9a39ea2c2cd5f66cf50cff2c6c95e3ca7f1994a69170137c3834403f4b8a36ae65164b3f765a79f75a43132e7f105fe2b25001f0c

                Download Submit

              • C:\Windows\rss\csrss.exe
                Filesize

                4.2MB

                MD5

                5c513b5fb3f10e36287988f3524ae49c

                SHA1

                469f26bfd60768891c8249376daba9d8d19e044c

                SHA256

                54ef254045e794e9ce4ccfc800e48c9a8fb9119a3b46d14c1a7a2edda34fdb13

                SHA512

                4394f93174db203077d60ead157a530afff7c3eebcfd571fad934b8f1876e30878c83cc07439a4ad78aba1c3405b8ea3315b5b8b0874f73c37ff62fa30987e3d

                Download Submit

              • memory/220-189-0x00000000711F0000-0x0000000071547000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/220-188-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

                Filesize

                304KB

                Download

              • memory/240-205-0x0000000000400000-0x0000000004420000-memory.dmp

                Filesize

                64.1MB

                Download

              • memory/240-213-0x0000000000400000-0x0000000004420000-memory.dmp

                Filesize

                64.1MB

                Download

              • memory/240-153-0x0000000000400000-0x0000000004420000-memory.dmp

                Filesize

                64.1MB

                Download

              • memory/240-204-0x0000000000400000-0x0000000004420000-memory.dmp

                Filesize

                64.1MB

                Download

              • memory/240-215-0x0000000000400000-0x0000000004420000-memory.dmp

                Filesize

                64.1MB

                Download

              • memory/240-214-0x0000000000400000-0x0000000004420000-memory.dmp

                Filesize

                64.1MB

                Download

              • memory/240-206-0x0000000000400000-0x0000000004420000-memory.dmp

                Filesize

                64.1MB

                Download

              • memory/240-207-0x0000000000400000-0x0000000004420000-memory.dmp

                Filesize

                64.1MB

                Download

              • memory/240-208-0x0000000000400000-0x0000000004420000-memory.dmp

                Filesize

                64.1MB

                Download

              • memory/240-209-0x0000000000400000-0x0000000004420000-memory.dmp

                Filesize

                64.1MB

                Download

              • memory/240-210-0x0000000000400000-0x0000000004420000-memory.dmp

                Filesize

                64.1MB

                Download

              • memory/240-211-0x0000000000400000-0x0000000004420000-memory.dmp

                Filesize

                64.1MB

                Download

              • memory/240-212-0x0000000000400000-0x0000000004420000-memory.dmp

                Filesize

                64.1MB

                Download

              • memory/724-20-0x0000000005FF0000-0x0000000006347000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/724-26-0x0000000071190000-0x00000000714E7000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/724-42-0x0000000007A60000-0x0000000007A6E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/724-43-0x0000000007A70000-0x0000000007A85000-memory.dmp

                Filesize

                84KB

                Download

              • memory/724-44-0x0000000007AC0000-0x0000000007ADA000-memory.dmp

                Filesize

                104KB

                Download

              • memory/724-45-0x0000000007AE0000-0x0000000007AE8000-memory.dmp

                Filesize

                32KB

                Download

              • memory/724-48-0x0000000074DA0000-0x0000000075551000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/724-40-0x0000000007B00000-0x0000000007B96000-memory.dmp

                Filesize

                600KB

                Download

              • memory/724-39-0x00000000079F0000-0x00000000079FA000-memory.dmp

                Filesize

                40KB

                Download

              • memory/724-38-0x00000000079B0000-0x00000000079CA000-memory.dmp

                Filesize

                104KB

                Download

              • memory/724-37-0x0000000008000000-0x000000000867A000-memory.dmp

                Filesize

                6.5MB

                Download

              • memory/724-36-0x0000000007890000-0x0000000007934000-memory.dmp

                Filesize

                656KB

                Download

              • memory/724-35-0x0000000007870000-0x000000000788E000-memory.dmp

                Filesize

                120KB

                Download

              • memory/724-41-0x0000000007A10000-0x0000000007A21000-memory.dmp

                Filesize

                68KB

                Download

              • memory/724-25-0x0000000071010000-0x000000007105C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/724-24-0x0000000007830000-0x0000000007864000-memory.dmp

                Filesize

                208KB

                Download

              • memory/724-23-0x0000000006960000-0x00000000069A6000-memory.dmp

                Filesize

                280KB

                Download

              • memory/724-22-0x0000000006450000-0x000000000649C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/724-21-0x0000000006430000-0x000000000644E000-memory.dmp

                Filesize

                120KB

                Download

              • memory/724-11-0x0000000005C90000-0x0000000005CF6000-memory.dmp

                Filesize

                408KB

                Download

              • memory/724-10-0x0000000005C20000-0x0000000005C86000-memory.dmp

                Filesize

                408KB

                Download

              • memory/724-9-0x0000000005540000-0x0000000005562000-memory.dmp

                Filesize

                136KB

                Download

              • memory/724-8-0x0000000004F70000-0x0000000004F80000-memory.dmp

                Filesize

                64KB

                Download

              • memory/724-6-0x0000000004F70000-0x0000000004F80000-memory.dmp

                Filesize

                64KB

                Download

              • memory/724-7-0x00000000055F0000-0x0000000005C1A000-memory.dmp

                Filesize

                6.2MB

                Download

              • memory/724-5-0x0000000074DA0000-0x0000000075551000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/724-4-0x0000000004F80000-0x0000000004FB6000-memory.dmp

                Filesize

                216KB

                Download

              • memory/1288-87-0x0000000006040000-0x0000000006397000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/1288-91-0x00000000712C0000-0x0000000071617000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/1288-89-0x0000000006510000-0x000000000655C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/1288-90-0x0000000071120000-0x000000007116C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/1816-61-0x0000000006330000-0x0000000006687000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/1816-62-0x00000000066E0000-0x000000000672C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/1816-64-0x0000000071280000-0x00000000715D7000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/1816-63-0x0000000071100000-0x000000007114C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/1816-73-0x0000000007620000-0x00000000076C4000-memory.dmp

                Filesize

                656KB

                Download

              • memory/1816-74-0x0000000007B50000-0x0000000007B61000-memory.dmp

                Filesize

                68KB

                Download

              • memory/1816-75-0x0000000007CD0000-0x0000000007CE5000-memory.dmp

                Filesize

                84KB

                Download

              • memory/2752-177-0x0000000004E70000-0x0000000004E85000-memory.dmp

                Filesize

                84KB

                Download

              • memory/2752-154-0x00000000056A0000-0x00000000059F7000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/2752-165-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

                Filesize

                304KB

                Download

              • memory/2752-166-0x00000000711F0000-0x0000000071547000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/2752-175-0x0000000006E30000-0x0000000006ED4000-memory.dmp

                Filesize

                656KB

                Download

              • memory/2752-176-0x0000000007220000-0x0000000007231000-memory.dmp

                Filesize

                68KB

                Download

              • memory/2752-164-0x0000000006110000-0x000000000615C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/3488-139-0x0000000071080000-0x00000000710CC000-memory.dmp

                Filesize

                304KB

                Download

              • memory/3488-138-0x00000000061F0000-0x000000000623C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/3488-136-0x00000000058D0000-0x0000000005C27000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/3488-140-0x0000000071200000-0x0000000071557000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/3488-149-0x0000000006F60000-0x0000000007004000-memory.dmp

                Filesize

                656KB

                Download

              • memory/3488-151-0x0000000005660000-0x0000000005675000-memory.dmp

                Filesize

                84KB

                Download

              • memory/3488-150-0x00000000070F0000-0x0000000007101000-memory.dmp

                Filesize

                68KB

                Download

              • memory/4040-1-0x0000000004700000-0x0000000004B05000-memory.dmp

                Filesize

                4.0MB

                Download

              • memory/4040-52-0x0000000006530000-0x0000000006E1B000-memory.dmp

                Filesize

                8.9MB

                Download

              • memory/4040-51-0x0000000000400000-0x0000000004420000-memory.dmp

                Filesize

                64.1MB

                Download

              • memory/4040-3-0x0000000000400000-0x0000000004420000-memory.dmp

                Filesize

                64.1MB

                Download

              • memory/4040-2-0x0000000006530000-0x0000000006E1B000-memory.dmp

                Filesize

                8.9MB

                Download

              • memory/4864-112-0x0000000071360000-0x00000000716B7000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/4864-106-0x0000000005850000-0x0000000005BA7000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/4864-111-0x0000000071120000-0x000000007116C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/5056-127-0x0000000000400000-0x0000000004420000-memory.dmp

                Filesize

                64.1MB

                Download