Analysis

  • max time kernel
    4s
  • max time network
    300s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    09/05/2024, 22:30

General

  • Target

    006bc8714d9e8c8d040dcb4fa8e299175f1d59b2cddfe84efff157e71dcfda6b.exe

  • Size

    4.2MB

  • MD5

    a68826a56e765556cee5ad7b264894e5

  • SHA1

    0dc2755a07e6bbb753804496b718caf38e105fc8

  • SHA256

    006bc8714d9e8c8d040dcb4fa8e299175f1d59b2cddfe84efff157e71dcfda6b

  • SHA512

    d3fe20dd70724704658a45fcfcc436e8f47d791045b010247fd19cf8c0b67bb6c57898f43480881d7a3e42031de167fcb25c6676d9411eebe97885ed230b92ec

  • SSDEEP

    98304:Ltf1tz5NXbfgGqQJWdT2WKDCS49PNkp9ciCph:L5z5pY8UY5X4HuQh

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 32 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

Processes

  • C:\Users\Admin\AppData\Local\Temp\006bc8714d9e8c8d040dcb4fa8e299175f1d59b2cddfe84efff157e71dcfda6b.exe
    "C:\Users\Admin\AppData\Local\Temp\006bc8714d9e8c8d040dcb4fa8e299175f1d59b2cddfe84efff157e71dcfda6b.exe"
    1⤵
      PID:748
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        2⤵
        • Command and Scripting Interpreter: PowerShell
        PID:1300
      • C:\Users\Admin\AppData\Local\Temp\006bc8714d9e8c8d040dcb4fa8e299175f1d59b2cddfe84efff157e71dcfda6b.exe
        "C:\Users\Admin\AppData\Local\Temp\006bc8714d9e8c8d040dcb4fa8e299175f1d59b2cddfe84efff157e71dcfda6b.exe"
        2⤵
          PID:4116
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            3⤵
            • Command and Scripting Interpreter: PowerShell
            PID:4732
          • C:\Windows\System32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            3⤵
              PID:2888
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                4⤵
                • Modifies Windows Firewall
                PID:168
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:1804
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:1132
            • C:\Windows\rss\csrss.exe
              C:\Windows\rss\csrss.exe
              3⤵
                PID:5028
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -nologo -noprofile
                  4⤵
                  • Command and Scripting Interpreter: PowerShell
                  PID:2516
                • C:\Windows\SYSTEM32\schtasks.exe
                  schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                  4⤵
                  • Creates scheduled task(s)
                  PID:4992
                • C:\Windows\SYSTEM32\schtasks.exe
                  schtasks /delete /tn ScheduledUpdate /f
                  4⤵
                    PID:3080
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -nologo -noprofile
                    4⤵
                    • Command and Scripting Interpreter: PowerShell
                    PID:2212
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -nologo -noprofile
                    4⤵
                    • Command and Scripting Interpreter: PowerShell
                    PID:2344
                  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                    4⤵
                      PID:5060
                    • C:\Windows\SYSTEM32\schtasks.exe
                      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                      4⤵
                      • Creates scheduled task(s)
                      PID:3808
                    • C:\Windows\windefender.exe
                      "C:\Windows\windefender.exe"
                      4⤵
                        PID:5076
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                          5⤵
                            PID:2568
                            • C:\Windows\SysWOW64\sc.exe
                              sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                              6⤵
                              • Launches sc.exe
                              PID:3016
                  • C:\Windows\windefender.exe
                    C:\Windows\windefender.exe
                    1⤵
                      PID:4280

                    Network

                          MITRE ATT&CK Enterprise v15

                          Downloads

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hjd1yxjo.bcg.ps1

                            Filesize

                            1B

                            MD5

                            c4ca4238a0b923820dcc509a6f75849b

                            SHA1

                            356a192b7913b04c54574d18c28d46e6395428ab

                            SHA256

                            6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

                            SHA512

                            4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

                          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

                            Filesize

                            281KB

                            MD5

                            d98e33b66343e7c96158444127a117f6

                            SHA1

                            bb716c5509a2bf345c6c1152f6e3e1452d39d50d

                            SHA256

                            5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

                            SHA512

                            705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

                          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

                            Filesize

                            2KB

                            MD5

                            1c19c16e21c97ed42d5beabc93391fc5

                            SHA1

                            8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

                            SHA256

                            1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

                            SHA512

                            7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

                          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                            Filesize

                            18KB

                            MD5

                            8b922dd46e1e7a5992f0f2de878d0802

                            SHA1

                            4e648d78c6ad916bbaa07af68a23a0674014b677

                            SHA256

                            ea458f63a29dc067307a7aeb33c824c842677471e59b05ee1bbc274c69905e8a

                            SHA512

                            7c1cec6400c130e44dd32a3aecf084d15107212a4cc9ba2eb9f4ba8eaf27450ea927f4e4374763d365ca0f8a1e383652ad15d4dd14266a85b7937be739ddacde

                          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                            Filesize

                            18KB

                            MD5

                            e2e6f366cff4910e2096dda1976ad8bb

                            SHA1

                            0cbb0153d3ebf72edc0601fea594536667d79e32

                            SHA256

                            12321b66a0960abd1fdec3d73955face5349576d44257bff4843fbdc910ffca4

                            SHA512

                            752ba1ab80edad4ed4b2137fd32184b4724ba33eb43fefd37d6bb81bfd3f88ca96dc7a50a30614de7ba2c2a1cd297875af48db7fc65fbbf0436882dee7f30cca

                          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                            Filesize

                            18KB

                            MD5

                            db9d830b8be64841baf2cbcb154ae3ca

                            SHA1

                            70a089ff7f9c763f5393929d96548ce92ef38c48

                            SHA256

                            9131f598236a6f38308ae34117089ae29d7a891323671092a8e98b994f3a258f

                            SHA512

                            9a8bd8f40b7b51a6374c90057a707fd779bb5e488b344267b2baa05557c47a847197a7fe31597b55f50ae96e9e61781d2d3ad9bec19d51ec49f8f77d7ac063fd

                          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                            Filesize

                            18KB

                            MD5

                            7c70b28a9aac970d0d25b55ea58a8e6f

                            SHA1

                            f4544e4fbf13cc1cccf4122d0996df62b1748e06

                            SHA256

                            111607d42b8841a7f259f57e749631f1f091cfe4c8ac3f21bb00985b1c237323

                            SHA512

                            276ea616b43e42a40f6a169168995b3cfc36aab7bc965d8c440c0fb7874165dbb4056f7754aff4239d7852f295a301f44771cb731d69b63fe77f3e3bb4620d0f

                          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                            Filesize

                            18KB

                            MD5

                            09aad597deeef54cf5500aeb6e8f1932

                            SHA1

                            ea3f21b5d565d4cd47498abf1c26d7788eae4bc9

                            SHA256

                            1015d9d36ba5bbed784d5cb789162cb94c875e50f5bde6974cdeec0fafaf9b52

                            SHA512

                            75a8f1f13394f459000be9a5f600acd57302dc279a6639b99dd132bfa70d55804e7603424a10cc4294a7d1cf249e2400edd01d19768403c63e11385f9a87550c

                          • C:\Windows\rss\csrss.exe

                            Filesize

                            4.2MB

                            MD5

                            a68826a56e765556cee5ad7b264894e5

                            SHA1

                            0dc2755a07e6bbb753804496b718caf38e105fc8

                            SHA256

                            006bc8714d9e8c8d040dcb4fa8e299175f1d59b2cddfe84efff157e71dcfda6b

                            SHA512

                            d3fe20dd70724704658a45fcfcc436e8f47d791045b010247fd19cf8c0b67bb6c57898f43480881d7a3e42031de167fcb25c6676d9411eebe97885ed230b92ec

                          • C:\Windows\windefender.exe

                            Filesize

                            2.0MB

                            MD5

                            8e67f58837092385dcf01e8a2b4f5783

                            SHA1

                            012c49cfd8c5d06795a6f67ea2baf2a082cf8625

                            SHA256

                            166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

                            SHA512

                            40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

                          • memory/748-1-0x0000000003170000-0x0000000003574000-memory.dmp

                            Filesize

                            4.0MB

                          • memory/748-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

                            Filesize

                            9.1MB

                          • memory/748-2-0x0000000004F20000-0x000000000580B000-memory.dmp

                            Filesize

                            8.9MB

                          • memory/748-299-0x0000000000400000-0x0000000002EE3000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/748-302-0x0000000004F20000-0x000000000580B000-memory.dmp

                            Filesize

                            8.9MB

                          • memory/748-301-0x0000000000400000-0x0000000000D1C000-memory.dmp

                            Filesize

                            9.1MB

                          • memory/1132-783-0x0000000007B80000-0x0000000007ED0000-memory.dmp

                            Filesize

                            3.3MB

                          • memory/1132-804-0x000000006FD00000-0x0000000070050000-memory.dmp

                            Filesize

                            3.3MB

                          • memory/1132-803-0x000000006FC90000-0x000000006FCDB000-memory.dmp

                            Filesize

                            300KB

                          • memory/1300-275-0x000000000A1C0000-0x000000000A1DA000-memory.dmp

                            Filesize

                            104KB

                          • memory/1300-14-0x0000000007C90000-0x0000000007FE0000-memory.dmp

                            Filesize

                            3.3MB

                          • memory/1300-75-0x000000006FBC0000-0x000000006FF10000-memory.dmp

                            Filesize

                            3.3MB

                          • memory/1300-73-0x000000000A000000-0x000000000A033000-memory.dmp

                            Filesize

                            204KB

                          • memory/1300-280-0x000000000A1B0000-0x000000000A1B8000-memory.dmp

                            Filesize

                            32KB

                          • memory/1300-76-0x0000000009FE0000-0x0000000009FFE000-memory.dmp

                            Filesize

                            120KB

                          • memory/1300-298-0x0000000072E60000-0x000000007354E000-memory.dmp

                            Filesize

                            6.9MB

                          • memory/1300-81-0x000000000A040000-0x000000000A0E5000-memory.dmp

                            Filesize

                            660KB

                          • memory/1300-74-0x000000006FB70000-0x000000006FBBB000-memory.dmp

                            Filesize

                            300KB

                          • memory/1300-66-0x0000000009200000-0x0000000009276000-memory.dmp

                            Filesize

                            472KB

                          • memory/1300-35-0x0000000009140000-0x000000000917C000-memory.dmp

                            Filesize

                            240KB

                          • memory/1300-16-0x00000000080A0000-0x00000000080EB000-memory.dmp

                            Filesize

                            300KB

                          • memory/1300-6-0x0000000072E6E000-0x0000000072E6F000-memory.dmp

                            Filesize

                            4KB

                          • memory/1300-7-0x0000000006BD0000-0x0000000006C06000-memory.dmp

                            Filesize

                            216KB

                          • memory/1300-15-0x0000000008060000-0x000000000807C000-memory.dmp

                            Filesize

                            112KB

                          • memory/1300-82-0x000000000A220000-0x000000000A2B4000-memory.dmp

                            Filesize

                            592KB

                          • memory/1300-13-0x0000000007B20000-0x0000000007B86000-memory.dmp

                            Filesize

                            408KB

                          • memory/1300-10-0x0000000072E60000-0x000000007354E000-memory.dmp

                            Filesize

                            6.9MB

                          • memory/1300-8-0x0000000072E60000-0x000000007354E000-memory.dmp

                            Filesize

                            6.9MB

                          • memory/1300-12-0x00000000079D0000-0x0000000007A36000-memory.dmp

                            Filesize

                            408KB

                          • memory/1300-11-0x00000000072D0000-0x00000000072F2000-memory.dmp

                            Filesize

                            136KB

                          • memory/1300-9-0x0000000007330000-0x0000000007958000-memory.dmp

                            Filesize

                            6.2MB

                          • memory/1804-568-0x000000006FCE0000-0x0000000070030000-memory.dmp

                            Filesize

                            3.3MB

                          • memory/1804-567-0x000000006FC90000-0x000000006FCDB000-memory.dmp

                            Filesize

                            300KB

                          • memory/2212-1284-0x000000006FB40000-0x000000006FB8B000-memory.dmp

                            Filesize

                            300KB

                          • memory/2212-1285-0x000000006FB90000-0x000000006FEE0000-memory.dmp

                            Filesize

                            3.3MB

                          • memory/2212-1290-0x0000000009930000-0x00000000099D5000-memory.dmp

                            Filesize

                            660KB

                          • memory/2212-1265-0x0000000008960000-0x00000000089AB000-memory.dmp

                            Filesize

                            300KB

                          • memory/2212-1263-0x0000000007F10000-0x0000000008260000-memory.dmp

                            Filesize

                            3.3MB

                          • memory/2344-1525-0x000000006FB90000-0x000000006FEE0000-memory.dmp

                            Filesize

                            3.3MB

                          • memory/2344-1524-0x000000006FB40000-0x000000006FB8B000-memory.dmp

                            Filesize

                            300KB

                          • memory/2516-1027-0x0000000008DA0000-0x0000000008DEB000-memory.dmp

                            Filesize

                            300KB

                          • memory/2516-1046-0x000000006FBF0000-0x000000006FC3B000-memory.dmp

                            Filesize

                            300KB

                          • memory/2516-1047-0x000000006FC40000-0x000000006FF90000-memory.dmp

                            Filesize

                            3.3MB

                          • memory/2516-1052-0x0000000009DD0000-0x0000000009E75000-memory.dmp

                            Filesize

                            660KB

                          • memory/2516-1025-0x0000000008310000-0x0000000008660000-memory.dmp

                            Filesize

                            3.3MB

                          • memory/4116-1020-0x0000000000400000-0x0000000002EE3000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/4280-1750-0x0000000000400000-0x00000000008DF000-memory.dmp

                            Filesize

                            4.9MB

                          • memory/4280-1758-0x0000000000400000-0x00000000008DF000-memory.dmp

                            Filesize

                            4.9MB

                          • memory/4280-1754-0x0000000000400000-0x00000000008DF000-memory.dmp

                            Filesize

                            4.9MB

                          • memory/4732-331-0x0000000009860000-0x0000000009905000-memory.dmp

                            Filesize

                            660KB

                          • memory/4732-325-0x000000006FC90000-0x000000006FCDB000-memory.dmp

                            Filesize

                            300KB

                          • memory/4732-326-0x000000006FCE0000-0x0000000070030000-memory.dmp

                            Filesize

                            3.3MB

                          • memory/4732-306-0x0000000008850000-0x000000000889B000-memory.dmp

                            Filesize

                            300KB

                          • memory/4732-305-0x0000000007F00000-0x0000000008250000-memory.dmp

                            Filesize

                            3.3MB

                          • memory/5028-1760-0x0000000000400000-0x0000000002EE3000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/5028-1777-0x0000000000400000-0x0000000002EE3000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/5028-1803-0x0000000000400000-0x0000000002EE3000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/5028-1755-0x0000000000400000-0x0000000002EE3000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/5028-1757-0x0000000000400000-0x0000000002EE3000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/5028-1801-0x0000000000400000-0x0000000002EE3000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/5028-1759-0x0000000000400000-0x0000000002EE3000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/5028-1743-0x0000000000400000-0x0000000002EE3000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/5028-1763-0x0000000000400000-0x0000000002EE3000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/5028-1765-0x0000000000400000-0x0000000002EE3000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/5028-1767-0x0000000000400000-0x0000000002EE3000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/5028-1768-0x0000000000400000-0x0000000002EE3000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/5028-1771-0x0000000000400000-0x0000000002EE3000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/5028-1773-0x0000000000400000-0x0000000002EE3000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/5028-1775-0x0000000000400000-0x0000000002EE3000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/5028-1753-0x0000000000400000-0x0000000002EE3000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/5028-1778-0x0000000000400000-0x0000000002EE3000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/5028-1781-0x0000000000400000-0x0000000002EE3000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/5028-1783-0x0000000000400000-0x0000000002EE3000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/5028-1785-0x0000000000400000-0x0000000002EE3000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/5028-1786-0x0000000000400000-0x0000000002EE3000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/5028-1789-0x0000000000400000-0x0000000002EE3000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/5028-1791-0x0000000000400000-0x0000000002EE3000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/5028-1793-0x0000000000400000-0x0000000002EE3000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/5028-1794-0x0000000000400000-0x0000000002EE3000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/5028-1797-0x0000000000400000-0x0000000002EE3000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/5028-1799-0x0000000000400000-0x0000000002EE3000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/5076-1748-0x0000000000400000-0x00000000008DF000-memory.dmp

                            Filesize

                            4.9MB

                          • memory/5076-1752-0x0000000000400000-0x00000000008DF000-memory.dmp

                            Filesize

                            4.9MB