Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
-
submitted
27-04-2024 22:26
General
-
Target
58ab56689aa0ca6484c63ecaec185f9e6f4be9d5cce3a06decc5155188342004.exe
-
Size
4.2MB
-
MD5
83e6df52b92e9cce71c064c0b56e5a1d
-
SHA1
052d350583149e7155034d03098b9820be4a5b58
-
SHA256
58ab56689aa0ca6484c63ecaec185f9e6f4be9d5cce3a06decc5155188342004
-
SHA512
0d8a1e19cad260cf616eea89bb25c80d3595ab4bbcb1df7b2e0567339e853a09022efeb4ff0b1a76b4f8e60489490676c56ee0474b7e54ee455a76e4e3d2bcad
-
SSDEEP
98304:PamOmyh13YwSD+iffg9rOMOczucEEdNxQlfwo87Elwi0PG1E:PTy8Jy4o9ecZxQhwo8IinPG1E
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 18 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\58ab56689aa0ca6484c63ecaec185f9e6f4be9d5cce3a06decc5155188342004.exe"C:\Users\Admin\AppData\Local\Temp\58ab56689aa0ca6484c63ecaec185f9e6f4be9d5cce3a06decc5155188342004.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\58ab56689aa0ca6484c63ecaec185f9e6f4be9d5cce3a06decc5155188342004.exe"C:\Users\Admin\AppData\Local\Temp\58ab56689aa0ca6484c63ecaec185f9e6f4be9d5cce3a06decc5155188342004.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b004uqf1.dyy.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5d0c46cad6c0778401e21910bd6b56b70
SHA17be418951ea96326aca445b8dfe449b2bfa0dca6
SHA2569600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD54597e49b4d2669994f45b4cbd04212ed
SHA1f6da1f997f478d9eb5c4dfd11638aa09c4fa1e95
SHA25647bec72e47819819c98c4dfaed665a7ff85de862424a4d47a99e0c3f009c6c5c
SHA512fce8f55623529ce9acc6902e021d6df810fed85e8f9b8c3e2c4ad70ae597d92e6df11ceea4e38ed9f685494cde61dfaaf88286699938bfa69abe611f15ab3efe
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD51b1c6163e60ea30b2f9f498b5fe43038
SHA18c6468dc258f9448c26d833850f890ce7819fd2c
SHA256620a27d813a3f22b9a4e19d3b00b9a35f285e431f94651bd69cc1c9840125c2a
SHA51263fcb1011d01be48554ad85d8d82fcacf6d7544337c4c5fed5ceb1a40799d3c7aecb9b6cf39260b749e1d1c14f5bdb308d4a257ba8bb6ddc35de950efc97e61b
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5859ae3fa56aa62c52fd357862c706d72
SHA179b53157980540234508c751c075140b7a4a57e9
SHA2569b49434712870ac0a1eb9d9680d6b2b94a3865c5fc0c65d7aab0334fc18f4683
SHA51223802dd82a44f9742f7a83e7d7c7afafeeec2b3cfca29b9da494114c89d65187b32a3e62a13413e8bb7a94cb09f0b2175e6ef70d6b1573e0e98efae15adb6b86
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5940feb12b1151ba1f23c7fa534cb897f
SHA1c989eeb8a943e50456ae0c1afdfbf11ff24a0107
SHA256b8bd799bd425427b3bcd56d96660f3c1023b030b9b12e2dd11150e5698cdf341
SHA512cf1c74cde7e6ef1c5097dff70dfd71f64353622a3f297ebb5739802e0dfbc519c6a6ab79092812c5ca2d7aac5147b8651853e4bde3bef29f1cb616737667447c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5630c50c9be0c7be06c4063819620828a
SHA1f57629b737336b753af2900f07a09ed4076b724d
SHA2562c7b7308a88a74b51acb4870b1c186a8c7224e4421a2a9cee40be38136074756
SHA5120f2bf208a7c510c7aed5ebb36b7b024053e5aee0f91b3f72b487b2c37c5a8a8779575830411980a53a0f591d962ca2b9e5fb16431d20334156b7dbf1f9e8286a
-
C:\Windows\rss\csrss.exeFilesize
4.2MB
MD583e6df52b92e9cce71c064c0b56e5a1d
SHA1052d350583149e7155034d03098b9820be4a5b58
SHA25658ab56689aa0ca6484c63ecaec185f9e6f4be9d5cce3a06decc5155188342004
SHA5120d8a1e19cad260cf616eea89bb25c80d3595ab4bbcb1df7b2e0567339e853a09022efeb4ff0b1a76b4f8e60489490676c56ee0474b7e54ee455a76e4e3d2bcad
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/1096-73-0x0000000006F00000-0x0000000006FA4000-memory.dmpFilesize
656KB
-
memory/1096-63-0x0000000070ED0000-0x0000000070F1C000-memory.dmpFilesize
304KB
-
memory/1096-62-0x00000000058D0000-0x0000000005C27000-memory.dmpFilesize
3.3MB
-
memory/1096-64-0x0000000071070000-0x00000000713C7000-memory.dmpFilesize
3.3MB
-
memory/1096-74-0x0000000007230000-0x0000000007241000-memory.dmpFilesize
68KB
-
memory/1096-75-0x0000000007280000-0x0000000007295000-memory.dmpFilesize
84KB
-
memory/1564-171-0x00000000076B0000-0x00000000076C1000-memory.dmpFilesize
68KB
-
memory/1564-170-0x00000000074F0000-0x0000000007594000-memory.dmpFilesize
656KB
-
memory/1564-158-0x00000000063F0000-0x000000000643C000-memory.dmpFilesize
304KB
-
memory/1564-160-0x0000000070DF0000-0x0000000070E3C000-memory.dmpFilesize
304KB
-
memory/1564-161-0x0000000070F70000-0x00000000712C7000-memory.dmpFilesize
3.3MB
-
memory/1564-172-0x0000000005CB0000-0x0000000005CC5000-memory.dmpFilesize
84KB
-
memory/1564-156-0x0000000005E80000-0x00000000061D7000-memory.dmpFilesize
3.3MB
-
memory/1880-194-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/3340-212-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/3340-207-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/3996-90-0x0000000071120000-0x0000000071477000-memory.dmpFilesize
3.3MB
-
memory/3996-89-0x0000000070ED0000-0x0000000070F1C000-memory.dmpFilesize
304KB
-
memory/3996-79-0x0000000005F80000-0x00000000062D7000-memory.dmpFilesize
3.3MB
-
memory/4068-226-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/4068-202-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/4068-222-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/4068-258-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/4068-218-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/4068-254-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/4068-214-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/4068-230-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/4068-234-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/4068-238-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/4068-242-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/4068-246-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/4068-250-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/4464-3-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/4464-1-0x00000000022D0000-0x00000000026CE000-memory.dmpFilesize
4.0MB
-
memory/4464-159-0x0000000004770000-0x000000000505B000-memory.dmpFilesize
8.9MB
-
memory/4464-2-0x0000000004770000-0x000000000505B000-memory.dmpFilesize
8.9MB
-
memory/4464-120-0x00000000022D0000-0x00000000026CE000-memory.dmpFilesize
4.0MB
-
memory/4464-119-0x0000000000400000-0x0000000001DFB000-memory.dmpFilesize
26.0MB
-
memory/4488-138-0x0000000071050000-0x00000000713A7000-memory.dmpFilesize
3.3MB
-
memory/4488-137-0x0000000070ED0000-0x0000000070F1C000-memory.dmpFilesize
304KB
-
memory/4488-135-0x00000000060B0000-0x0000000006407000-memory.dmpFilesize
3.3MB
-
memory/4808-210-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4808-216-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4808-224-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4852-110-0x0000000071120000-0x0000000071477000-memory.dmpFilesize
3.3MB
-
memory/4852-109-0x0000000070ED0000-0x0000000070F1C000-memory.dmpFilesize
304KB
-
memory/4860-182-0x0000000005FA0000-0x00000000062F7000-memory.dmpFilesize
3.3MB
-
memory/4860-185-0x0000000070F90000-0x00000000712E7000-memory.dmpFilesize
3.3MB
-
memory/4860-184-0x0000000070DF0000-0x0000000070E3C000-memory.dmpFilesize
304KB
-
memory/4912-39-0x00000000022B0000-0x00000000022C0000-memory.dmpFilesize
64KB
-
memory/4912-4-0x0000000002730000-0x0000000002766000-memory.dmpFilesize
216KB
-
memory/4912-52-0x0000000074C60000-0x0000000075411000-memory.dmpFilesize
7.7MB
-
memory/4912-45-0x0000000007200000-0x0000000007211000-memory.dmpFilesize
68KB
-
memory/4912-44-0x00000000072F0000-0x0000000007386000-memory.dmpFilesize
600KB
-
memory/4912-43-0x00000000071E0000-0x00000000071EA000-memory.dmpFilesize
40KB
-
memory/4912-41-0x00000000077E0000-0x0000000007E5A000-memory.dmpFilesize
6.5MB
-
memory/4912-42-0x00000000071A0000-0x00000000071BA000-memory.dmpFilesize
104KB
-
memory/4912-48-0x00000000072B0000-0x00000000072CA000-memory.dmpFilesize
104KB
-
memory/4912-49-0x00000000072D0000-0x00000000072D8000-memory.dmpFilesize
32KB
-
memory/4912-26-0x0000000070ED0000-0x0000000070F1C000-memory.dmpFilesize
304KB
-
memory/4912-27-0x0000000071060000-0x00000000713B7000-memory.dmpFilesize
3.3MB
-
memory/4912-37-0x0000000007070000-0x0000000007114000-memory.dmpFilesize
656KB
-
memory/4912-38-0x00000000022B0000-0x00000000022C0000-memory.dmpFilesize
64KB
-
memory/4912-46-0x0000000007250000-0x000000000725E000-memory.dmpFilesize
56KB
-
memory/4912-36-0x0000000007050000-0x000000000706E000-memory.dmpFilesize
120KB
-
memory/4912-47-0x0000000007260000-0x0000000007275000-memory.dmpFilesize
84KB
-
memory/4912-24-0x000000007F010000-0x000000007F020000-memory.dmpFilesize
64KB
-
memory/4912-25-0x0000000006FF0000-0x0000000007024000-memory.dmpFilesize
208KB
-
memory/4912-23-0x0000000006000000-0x0000000006046000-memory.dmpFilesize
280KB
-
memory/4912-22-0x0000000005C20000-0x0000000005C6C000-memory.dmpFilesize
304KB
-
memory/4912-21-0x0000000005BE0000-0x0000000005BFE000-memory.dmpFilesize
120KB
-
memory/4912-20-0x0000000005700000-0x0000000005A57000-memory.dmpFilesize
3.3MB
-
memory/4912-10-0x0000000005620000-0x0000000005686000-memory.dmpFilesize
408KB
-
memory/4912-11-0x0000000005690000-0x00000000056F6000-memory.dmpFilesize
408KB
-
memory/4912-9-0x0000000004D50000-0x0000000004D72000-memory.dmpFilesize
136KB
-
memory/4912-8-0x0000000004E40000-0x000000000546A000-memory.dmpFilesize
6.2MB
-
memory/4912-7-0x00000000022B0000-0x00000000022C0000-memory.dmpFilesize
64KB
-
memory/4912-5-0x0000000074C60000-0x0000000075411000-memory.dmpFilesize
7.7MB
-
memory/4912-6-0x00000000022B0000-0x00000000022C0000-memory.dmpFilesize
64KB
-
memory/4912-40-0x00000000022B0000-0x00000000022C0000-memory.dmpFilesize
64KB