Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20240419-en -
resource tags
-
submitted
27/04/2024, 08:32
General
-
Target
74716c16f59741280b9b0b795b6bb1b5a14982b205988d9943ba41d3f528bc1a.exe
-
Size
4.1MB
-
MD5
47a2afd8a01fcefc793e5454ee48081d
-
SHA1
b197eecceec80ed8ab4405b84a51d6dc973f52c0
-
SHA256
74716c16f59741280b9b0b795b6bb1b5a14982b205988d9943ba41d3f528bc1a
-
SHA512
34397172680fbace67e0a7a68b684eb6380c683c9af619c64afb2c01008e2a7c3e32a67da01e3cd1338be290db476ca59607543c0e29cda3155ba1d107ec8898
-
SSDEEP
98304:pBrcvoQ3bpeAYFyI5s2iXAaDVcYvvxcUB482tlsgYA74K:pBQ8JjsJRJcupcUK8wlX7x
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 15 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 2 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\74716c16f59741280b9b0b795b6bb1b5a14982b205988d9943ba41d3f528bc1a.exe"C:\Users\Admin\AppData\Local\Temp\74716c16f59741280b9b0b795b6bb1b5a14982b205988d9943ba41d3f528bc1a.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\74716c16f59741280b9b0b795b6bb1b5a14982b205988d9943ba41d3f528bc1a.exe"C:\Users\Admin\AppData\Local\Temp\74716c16f59741280b9b0b795b6bb1b5a14982b205988d9943ba41d3f528bc1a.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
2KB
MD5ac4917a885cf6050b1a483e4bc4d2ea5
SHA1b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d
-
Filesize
19KB
MD5bb3243381fee82b9d0a3031ffa56d4bf
SHA1c4b9d9bce24e78847e419448ad051f15709aa12d
SHA256f899c11895763d217cc3d5fd5f715e97fae01b743f3be00d80df1b83e456aede
SHA512f485f375c057004db46d607eab7e13e7a7e111a7fbddc3ba384e2660e3c5edf928c7b92fdfb8b25c40491ac8a761a9fb45ecb89dbc75a648a0e6dd2e6bdee29b
-
Filesize
19KB
MD540bcd8bba813c91abe724089da23459e
SHA1b9fd6979c8b9a37439ce0f42fc973c3bb612f187
SHA256fda7449bb9e80fc00b0703644243da775cc4b7470bb6bdfa261c0eefcd090eaf
SHA512efcff840fc89bd41c46f733edea77ebb56f8f1b8ef79952dc899feccded4e6cc726d1dc76c13e58bbdda5a6619dbeba618bb072c5f5ce77850f1dd31ed1c16bd
-
Filesize
19KB
MD518249bc6924be31669e8e83a692fd001
SHA173eec172b5e6ae31bb5b1a7b317d3a86de25421c
SHA256b4b8f74747350ad9edde6426c7ef975aebcd0f4f04ae23cd5bc6bdb0e9e356a9
SHA512ef0c37782154485517354a461b96717a599ddd0014c77d3638bc31df8f0774caa84f1a9544f91dfc4e98ff62171629e36b80bc7760080e63a7f8bedc5bfde372
-
Filesize
19KB
MD57e9ef8206b0eedff3d1a0359f6106495
SHA1655803346866cffbc93711373e988a0897464642
SHA256d1b173bbc674805a24858f20c69439f415d7258e474478f8c8a9459132c51fe0
SHA5124cab13d0d331636a954e95905ddae1c276f6bc8e5e0c9954a726c7372c0aa823917385a5f20fee8b378a63f07e58bfa7f295b0e0b9424610a28fe1243b58a4f9
-
Filesize
19KB
MD5f720ec365c7caa299cb94d87417ed231
SHA1656db7300255f06efeae759015f9eacb2ae469fb
SHA256e64fea4c20dcda6f38bf2b06c49831441c18a8fb04a61125c63d47b8b1a07402
SHA51213e6f527947f887df1dd17e67caaa310e9abe7b391d58e56d52000a18187397abb80c0f076dac5084970acda69026d42ce4f94b53aba21ae52e02cc3c8d03156
-
Filesize
4.1MB
MD547a2afd8a01fcefc793e5454ee48081d
SHA1b197eecceec80ed8ab4405b84a51d6dc973f52c0
SHA25674716c16f59741280b9b0b795b6bb1b5a14982b205988d9943ba41d3f528bc1a
SHA51234397172680fbace67e0a7a68b684eb6380c683c9af619c64afb2c01008e2a7c3e32a67da01e3cd1338be290db476ca59607543c0e29cda3155ba1d107ec8898
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
68KB
-
Filesize
84KB
-
Filesize
656KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
656KB
-
Filesize
3.3MB
-
Filesize
84KB
-
Filesize
68KB
-
Filesize
42.9MB
-
Filesize
42.9MB
-
Filesize
4.0MB
-
Filesize
42.9MB
-
Filesize
8.9MB
-
Filesize
8.9MB
-
Filesize
42.9MB
-
Filesize
84KB
-
Filesize
3.3MB
-
Filesize
68KB
-
Filesize
656KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
216KB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
656KB
-
Filesize
208KB
-
Filesize
600KB
-
Filesize
280KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
84KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
42.9MB
-
Filesize
42.9MB
-
Filesize
42.9MB
-
Filesize
42.9MB
-
Filesize
42.9MB
-
Filesize
42.9MB
-
Filesize
42.9MB
-
Filesize
42.9MB
-
Filesize
42.9MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
3.3MB