Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240419-en -
resource tags
-
submitted
27-04-2024 22:26
General
-
Target
6c1c97db6756e5e09864b960c85186cde473d5d77f2c948ba7c981e346fa26f5.exe
-
Size
4.2MB
-
MD5
bab9479f86eda380226174f7e0f4e869
-
SHA1
8cf919575f65f11362cd7ba83446136bca963442
-
SHA256
6c1c97db6756e5e09864b960c85186cde473d5d77f2c948ba7c981e346fa26f5
-
SHA512
b090c97d185808cc64126aa9a0b6ec6c20134ef7883bf638e0f0ff92022587084a9769fbb6fc4a6feba6702690044412a291af3c20e437e18c7dd34c6eff64ad
-
SSDEEP
98304:PamOmyh13YwSD+iffg9rOMOczucEEdNxQlfwo87Elwi0PG1K:PTy8Jy4o9ecZxQhwo8IinPG1K
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 18 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 2 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6c1c97db6756e5e09864b960c85186cde473d5d77f2c948ba7c981e346fa26f5.exe"C:\Users\Admin\AppData\Local\Temp\6c1c97db6756e5e09864b960c85186cde473d5d77f2c948ba7c981e346fa26f5.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\6c1c97db6756e5e09864b960c85186cde473d5d77f2c948ba7c981e346fa26f5.exe"C:\Users\Admin\AppData\Local\Temp\6c1c97db6756e5e09864b960c85186cde473d5d77f2c948ba7c981e346fa26f5.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qnnsottq.u12.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5d0c46cad6c0778401e21910bd6b56b70
SHA17be418951ea96326aca445b8dfe449b2bfa0dca6
SHA2569600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD54c65e58f0334cf22673dc90723ce2f01
SHA15e729ab05026062c4460e4cac91426e69e5a5936
SHA2566a424dd5dcbad5fd52dd27fba3cb610da7c0e309d7f06cf5d78702b4673f8239
SHA51204e3d59ec70bc7ad1d646d0e764ab2a0b0960744171b150b02e3225bfecceffc3d9c20ac1ecaafb69c33ca58f5609bdbd13095905e005bba9f4b361a6cd18a9b
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD550ab64c0054d73374ffa91d8eaf81da0
SHA135bdad5202f647c563fe4230ffd17fbd97e91104
SHA25611589eb6bb165583f131eb65c02d267feda4749a082324d945c9489613b52fde
SHA51272012c5983a4f5e047fab63f1200c165f5228de15dc91e290686d62f525033ef31d6f6ee73616c48a3af0342aa6c8eebdec543f9745f3addafdb1d7e27d2cc86
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD533bd1a2c0b28660cf8ba4fb771788a7d
SHA160b8c54da50a0b7f04a7eb3a3ec6a2980fb07e88
SHA256b2c8dbef82bef4afbf85a8256c1310f7d734500888ac7afe85e7e24432ff390b
SHA5129ee9f6582a09b3e37c7f5c3bb4e1a25fba4a94ebbf16b4cce2f56ecdfa3c517224ecefb9145702dbec444a5a75aa19ec345c02865748009442cf522b59500926
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD54cd2a87cb196b154512fcd1ec97b2dec
SHA1c15af41c39c0acfe41b8b47d8ea8bf2381371aa2
SHA2569c9c6c54ea5bcd2daf899c11b80bc1f63a629aea80bc00ed1c0e38500bc4d247
SHA5123e4c86b5cbb11707257de73ed2f1245968abf7ed82af99b199cc3f3b8f04378a8bed36f1c4183c18e66ba90181ccd2845a2e609828a0e8de6f6ea5a6ee9454f5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD52c5edd2b4669f24904153336c2b46786
SHA1ffb120a3e57f70a8688c25ac0dc122207a684cae
SHA256c2c757717762404bc55953f6467dcbd39350483d9ae5d56c550aca14058a8757
SHA512d4609f550cffa8f6bc93204aac2892b0e2bbfd847e35ed54280a7cf6e53bd6794b1846a7dea2bbe69b3354a35ebe02a05a1e298f2f05ea569cab9e103897f09b
-
C:\Windows\rss\csrss.exeFilesize
4.2MB
MD5bab9479f86eda380226174f7e0f4e869
SHA18cf919575f65f11362cd7ba83446136bca963442
SHA2566c1c97db6756e5e09864b960c85186cde473d5d77f2c948ba7c981e346fa26f5
SHA512b090c97d185808cc64126aa9a0b6ec6c20134ef7883bf638e0f0ff92022587084a9769fbb6fc4a6feba6702690044412a291af3c20e437e18c7dd34c6eff64ad
-
memory/1004-138-0x0000000070F80000-0x00000000712D7000-memory.dmpFilesize
3.3MB
-
memory/1004-137-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/1004-135-0x0000000005610000-0x0000000005967000-memory.dmpFilesize
3.3MB
-
memory/1160-3-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/1160-120-0x0000000003F10000-0x00000000047FB000-memory.dmpFilesize
8.9MB
-
memory/1160-118-0x00000000020F0000-0x00000000024ED000-memory.dmpFilesize
4.0MB
-
memory/1160-2-0x0000000003F10000-0x00000000047FB000-memory.dmpFilesize
8.9MB
-
memory/1160-88-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/1160-1-0x00000000020F0000-0x00000000024ED000-memory.dmpFilesize
4.0MB
-
memory/1544-123-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/2072-61-0x0000000071050000-0x00000000713A7000-memory.dmpFilesize
3.3MB
-
memory/2072-60-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/2072-72-0x0000000007240000-0x0000000007255000-memory.dmpFilesize
84KB
-
memory/2072-71-0x00000000071F0000-0x0000000007201000-memory.dmpFilesize
68KB
-
memory/2072-70-0x0000000006EA0000-0x0000000006F44000-memory.dmpFilesize
656KB
-
memory/2504-149-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/2504-206-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/2504-220-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/2504-218-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/2504-216-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/2504-224-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/2504-204-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/2504-222-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/2504-208-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/2504-210-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/2504-197-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/2504-212-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/2504-214-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/2760-184-0x00000000055D0000-0x0000000005927000-memory.dmpFilesize
3.3MB
-
memory/2760-186-0x0000000070D20000-0x0000000070D6C000-memory.dmpFilesize
304KB
-
memory/2760-187-0x0000000070EA0000-0x00000000711F7000-memory.dmpFilesize
3.3MB
-
memory/2808-37-0x0000000007130000-0x00000000071D4000-memory.dmpFilesize
656KB
-
memory/2808-6-0x0000000074B90000-0x0000000075341000-memory.dmpFilesize
7.7MB
-
memory/2808-25-0x000000007F1C0000-0x000000007F1D0000-memory.dmpFilesize
64KB
-
memory/2808-24-0x00000000070B0000-0x00000000070E4000-memory.dmpFilesize
208KB
-
memory/2808-26-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/2808-23-0x0000000006210000-0x0000000006256000-memory.dmpFilesize
280KB
-
memory/2808-43-0x00000000072C0000-0x00000000072D1000-memory.dmpFilesize
68KB
-
memory/2808-27-0x0000000071050000-0x00000000713A7000-memory.dmpFilesize
3.3MB
-
memory/2808-38-0x00000000024B0000-0x00000000024C0000-memory.dmpFilesize
64KB
-
memory/2808-21-0x0000000005CA0000-0x0000000005CBE000-memory.dmpFilesize
120KB
-
memory/2808-20-0x00000000057C0000-0x0000000005B17000-memory.dmpFilesize
3.3MB
-
memory/2808-11-0x0000000005750000-0x00000000057B6000-memory.dmpFilesize
408KB
-
memory/2808-10-0x00000000056E0000-0x0000000005746000-memory.dmpFilesize
408KB
-
memory/2808-9-0x0000000005640000-0x0000000005662000-memory.dmpFilesize
136KB
-
memory/2808-5-0x0000000004F10000-0x000000000553A000-memory.dmpFilesize
6.2MB
-
memory/2808-22-0x0000000005CD0000-0x0000000005D1C000-memory.dmpFilesize
304KB
-
memory/2808-36-0x0000000007110000-0x000000000712E000-memory.dmpFilesize
120KB
-
memory/2808-41-0x00000000072A0000-0x00000000072AA000-memory.dmpFilesize
40KB
-
memory/2808-7-0x00000000024B0000-0x00000000024C0000-memory.dmpFilesize
64KB
-
memory/2808-39-0x00000000078A0000-0x0000000007F1A000-memory.dmpFilesize
6.5MB
-
memory/2808-40-0x0000000007260000-0x000000000727A000-memory.dmpFilesize
104KB
-
memory/2808-50-0x0000000074B90000-0x0000000075341000-memory.dmpFilesize
7.7MB
-
memory/2808-47-0x0000000007390000-0x0000000007398000-memory.dmpFilesize
32KB
-
memory/2808-46-0x0000000007370000-0x000000000738A000-memory.dmpFilesize
104KB
-
memory/2808-8-0x00000000024B0000-0x00000000024C0000-memory.dmpFilesize
64KB
-
memory/2808-45-0x0000000007320000-0x0000000007335000-memory.dmpFilesize
84KB
-
memory/2808-4-0x00000000024C0000-0x00000000024F6000-memory.dmpFilesize
216KB
-
memory/2808-44-0x0000000007310000-0x000000000731E000-memory.dmpFilesize
56KB
-
memory/2808-42-0x00000000073B0000-0x0000000007446000-memory.dmpFilesize
600KB
-
memory/4272-84-0x0000000006190000-0x00000000064E7000-memory.dmpFilesize
3.3MB
-
memory/4272-87-0x0000000070FA0000-0x00000000712F7000-memory.dmpFilesize
3.3MB
-
memory/4272-86-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/4592-109-0x0000000071010000-0x0000000071367000-memory.dmpFilesize
3.3MB
-
memory/4592-108-0x0000000070E00000-0x0000000070E4C000-memory.dmpFilesize
304KB
-
memory/4592-106-0x0000000005DD0000-0x0000000006127000-memory.dmpFilesize
3.3MB
-
memory/4916-174-0x0000000005C30000-0x0000000005C45000-memory.dmpFilesize
84KB
-
memory/4916-173-0x0000000007410000-0x0000000007421000-memory.dmpFilesize
68KB
-
memory/4916-172-0x0000000007090000-0x0000000007134000-memory.dmpFilesize
656KB
-
memory/4916-163-0x0000000070F30000-0x0000000071287000-memory.dmpFilesize
3.3MB
-
memory/4916-162-0x0000000070D20000-0x0000000070D6C000-memory.dmpFilesize
304KB
-
memory/4916-161-0x00000000063A0000-0x00000000063EC000-memory.dmpFilesize
304KB
-
memory/4916-159-0x00000000058B0000-0x0000000005C07000-memory.dmpFilesize
3.3MB