Analysis
- max time kernel: 4s
- max time network: 300s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 09/05/2024, 22:30
- Static task: static1
- Behavioral task: behavioral1
- Sample: 006bc8714d9e8c8d040dcb4fa8e299175f1d59b2cddfe84efff157e71dcfda6b.exe
- Resource: win7-20231129-en
General
- Target: 006bc8714d9e8c8d040dcb4fa8e299175f1d59b2cddfe84efff157e71dcfda6b.exe
- Size: 4.2MB
- MD5: a68826a56e765556cee5ad7b264894e5
- SHA1: 0dc2755a07e6bbb753804496b718caf38e105fc8
- SHA256: 006bc8714d9e8c8d040dcb4fa8e299175f1d59b2cddfe84efff157e71dcfda6b
- SHA512: d3fe20dd70724704658a45fcfcc436e8f47d791045b010247fd19cf8c0b67bb6c57898f43480881d7a3e42031de167fcb25c6676d9411eebe97885ed230b92ec
- SSDEEP: 98304:Ltf1tz5NXbfgGqQJWdT2WKDCS49PNkp9ciCph:L5z5pY8UY5X4HuQh
Malware Config
Signatures
- Glupteba payload (32 IoCs, yara rule family_glupteba matched in behavioral2 memory dumps)
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid 168, Process netsh.exe
- resource yara_rule upx:
  behavioral2/files/0x000800000001ac52-1746.dat
  behavioral2/memory/5076-1748-0x0000000000400000-0x00000000008DF000-memory.dmp
  behavioral2/memory/5076-1752-0x0000000000400000-0x00000000008DF000-memory.dmp
  behavioral2/memory/4280-1750-0x0000000000400000-0x00000000008DF000-memory.dmp
  behavioral2/memory/4280-1754-0x0000000000400000-0x00000000008DF000-memory.dmp
  behavioral2/memory/4280-1758-0x0000000000400000-0x00000000008DF000-memory.dmp
- Launches sc.exe (1 IoC)
  Sc.exe is a Windows utility to control services on the system.
  pid 3016, Process sc.exe
- pid / Process: 1300 powershell.exe, 4732 powershell.exe, 1804 powershell.exe, 1132 powershell.exe, 2516 powershell.exe, 2212 powershell.exe, 2344 powershell.exe
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 4992, Process schtasks.exe; pid 3808, Process schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\006bc8714d9e8c8d040dcb4fa8e299175f1d59b2cddfe84efff157e71dcfda6b.exe (PID 748)
  Command: "C:\Users\Admin\AppData\Local\Temp\006bc8714d9e8c8d040dcb4fa8e299175f1d59b2cddfe84efff157e71dcfda6b.exe"
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1300)
    Command: powershell -nologo -noprofile
    Signature: Command and Scripting Interpreter: PowerShell
  - C:\Users\Admin\AppData\Local\Temp\006bc8714d9e8c8d040dcb4fa8e299175f1d59b2cddfe84efff157e71dcfda6b.exe (PID 4116)
    Command: "C:\Users\Admin\AppData\Local\Temp\006bc8714d9e8c8d040dcb4fa8e299175f1d59b2cddfe84efff157e71dcfda6b.exe"
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4732)
      Command: powershell -nologo -noprofile
      Signature: Command and Scripting Interpreter: PowerShell
    - C:\Windows\System32\cmd.exe (PID 2888)
      Command: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      - C:\Windows\system32\netsh.exe (PID 168)
        Command: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        Signature: Modifies Windows Firewall
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1804)
      Command: powershell -nologo -noprofile
      Signature: Command and Scripting Interpreter: PowerShell
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1132)
      Command: powershell -nologo -noprofile
      Signature: Command and Scripting Interpreter: PowerShell
    - C:\Windows\rss\csrss.exe (PID 5028)
      Command: C:\Windows\rss\csrss.exe
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2516)
        Command: powershell -nologo -noprofile
        Signature: Command and Scripting Interpreter: PowerShell
      - C:\Windows\SYSTEM32\schtasks.exe (PID 4992)
        Command: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        Signature: Creates scheduled task(s)
      - C:\Windows\SYSTEM32\schtasks.exe (PID 3080)
        Command: schtasks /delete /tn ScheduledUpdate /f
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2212)
        Command: powershell -nologo -noprofile
        Signature: Command and Scripting Interpreter: PowerShell
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2344)
        Command: powershell -nologo -noprofile
        Signature: Command and Scripting Interpreter: PowerShell
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (PID 5060)
        Command: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      - C:\Windows\SYSTEM32\schtasks.exe (PID 3808)
        Command: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        Signature: Creates scheduled task(s)
      - C:\Windows\windefender.exe (PID 5076)
        Command: "C:\Windows\windefender.exe"
        - C:\Windows\SysWOW64\cmd.exe (PID 2568)
          Command: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
          - C:\Windows\SysWOW64\sc.exe (PID 3016)
            Command: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            Signature: Launches sc.exe
- C:\Windows\windefender.exe (PID 4280)
  Command: C:\Windows\windefender.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- (no path recorded)
  Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
- (no path recorded)
  Filesize: 281KB
  MD5: d98e33b66343e7c96158444127a117f6
  SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
  SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
  SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 1c19c16e21c97ed42d5beabc93391fc5
  SHA1: 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
  SHA256: 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
  SHA512: 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 18KB
  MD5: 8b922dd46e1e7a5992f0f2de878d0802
  SHA1: 4e648d78c6ad916bbaa07af68a23a0674014b677
  SHA256: ea458f63a29dc067307a7aeb33c824c842677471e59b05ee1bbc274c69905e8a
  SHA512: 7c1cec6400c130e44dd32a3aecf084d15107212a4cc9ba2eb9f4ba8eaf27450ea927f4e4374763d365ca0f8a1e383652ad15d4dd14266a85b7937be739ddacde
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 18KB
  MD5: e2e6f366cff4910e2096dda1976ad8bb
  SHA1: 0cbb0153d3ebf72edc0601fea594536667d79e32
  SHA256: 12321b66a0960abd1fdec3d73955face5349576d44257bff4843fbdc910ffca4
  SHA512: 752ba1ab80edad4ed4b2137fd32184b4724ba33eb43fefd37d6bb81bfd3f88ca96dc7a50a30614de7ba2c2a1cd297875af48db7fc65fbbf0436882dee7f30cca
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 18KB
  MD5: db9d830b8be64841baf2cbcb154ae3ca
  SHA1: 70a089ff7f9c763f5393929d96548ce92ef38c48
  SHA256: 9131f598236a6f38308ae34117089ae29d7a891323671092a8e98b994f3a258f
  SHA512: 9a8bd8f40b7b51a6374c90057a707fd779bb5e488b344267b2baa05557c47a847197a7fe31597b55f50ae96e9e61781d2d3ad9bec19d51ec49f8f77d7ac063fd
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 18KB
  MD5: 7c70b28a9aac970d0d25b55ea58a8e6f
  SHA1: f4544e4fbf13cc1cccf4122d0996df62b1748e06
  SHA256: 111607d42b8841a7f259f57e749631f1f091cfe4c8ac3f21bb00985b1c237323
  SHA512: 276ea616b43e42a40f6a169168995b3cfc36aab7bc965d8c440c0fb7874165dbb4056f7754aff4239d7852f295a301f44771cb731d69b63fe77f3e3bb4620d0f
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 18KB
  MD5: 09aad597deeef54cf5500aeb6e8f1932
  SHA1: ea3f21b5d565d4cd47498abf1c26d7788eae4bc9
  SHA256: 1015d9d36ba5bbed784d5cb789162cb94c875e50f5bde6974cdeec0fafaf9b52
  SHA512: 75a8f1f13394f459000be9a5f600acd57302dc279a6639b99dd132bfa70d55804e7603424a10cc4294a7d1cf249e2400edd01d19768403c63e11385f9a87550c
- (no path recorded)
  Filesize: 4.2MB
  MD5: a68826a56e765556cee5ad7b264894e5
  SHA1: 0dc2755a07e6bbb753804496b718caf38e105fc8
  SHA256: 006bc8714d9e8c8d040dcb4fa8e299175f1d59b2cddfe84efff157e71dcfda6b
  SHA512: d3fe20dd70724704658a45fcfcc436e8f47d791045b010247fd19cf8c0b67bb6c57898f43480881d7a3e42031de167fcb25c6676d9411eebe97885ed230b92ec
- (no path recorded)
  Filesize: 2.0MB
  MD5: 8e67f58837092385dcf01e8a2b4f5783
  SHA1: 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
  SHA256: 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
  SHA512: 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec