Analysis

  • max time kernel
    15s
  • max time network
    307s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    09/05/2024, 23:22

General

  • Target

    acf724e1d60b08a3fcb84fd31ed8827e0e7ffed95acdd67e389d2adc23aaa7d9.exe

  • Size

    4.1MB

  • MD5

    8b0e4b4e65b5528dca8a21749e99ae9a

  • SHA1

    469d535d798f72f04c9050bef1d07cc1140c3e42

  • SHA256

    acf724e1d60b08a3fcb84fd31ed8827e0e7ffed95acdd67e389d2adc23aaa7d9

  • SHA512

    9f3fdc6822ab125f2dd1ff66a5a737a75e3358914bb4e8f9641c3e4ba2c659d638a8db78a444c4ccccc231f5246f785327e6c9285c698544b4cf6106cebdb2f4

  • SSDEEP

    98304:gtOQVOzVP2okCrzGcqr3Il4xEgG4B6nRnzx0Ffjivm9:eOQEwokgzc3IlsEmoRifjf9

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 29 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Uses the powershell.exe command.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

Processes

  • C:\Users\Admin\AppData\Local\Temp\acf724e1d60b08a3fcb84fd31ed8827e0e7ffed95acdd67e389d2adc23aaa7d9.exe
    "C:\Users\Admin\AppData\Local\Temp\acf724e1d60b08a3fcb84fd31ed8827e0e7ffed95acdd67e389d2adc23aaa7d9.exe"
    1⤵
    PID:1108
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Command and Scripting Interpreter: PowerShell
      PID:3180
    • C:\Users\Admin\AppData\Local\Temp\acf724e1d60b08a3fcb84fd31ed8827e0e7ffed95acdd67e389d2adc23aaa7d9.exe
      "C:\Users\Admin\AppData\Local\Temp\acf724e1d60b08a3fcb84fd31ed8827e0e7ffed95acdd67e389d2adc23aaa7d9.exe"
      2⤵
      PID:4704
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        PID:1528
      • C:\Windows\System32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        PID:2492
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:2628
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        PID:3004
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        PID:5052
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        PID:2688
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Command and Scripting Interpreter: PowerShell
          PID:4460
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:1848
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
          PID:1504
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Command and Scripting Interpreter: PowerShell
          PID:2788
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Command and Scripting Interpreter: PowerShell
          PID:316
        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
          4⤵
          PID:4348
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:3708
        • C:\Windows\windefender.exe
          "C:\Windows\windefender.exe"
          4⤵
          PID:1900
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            5⤵
            PID:2020
            • C:\Windows\SysWOW64\sc.exe
              sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              6⤵
              • Launches sc.exe
              PID:2720
  • C:\Windows\windefender.exe
    C:\Windows\windefender.exe
    1⤵
    PID:4636

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_usvzvatr.5ii.ps1

    Filesize: 1B
    MD5: c4ca4238a0b923820dcc509a6f75849b
    SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
    SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
    SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

    Filesize: 281KB
    MD5: d98e33b66343e7c96158444127a117f6
    SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
    SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
    SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

    Filesize: 2KB
    MD5: 1c19c16e21c97ed42d5beabc93391fc5
    SHA1: 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
    SHA256: 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
    SHA512: 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

    Filesize: 18KB
    MD5: 437c2431df8b3abe0cee5bd3603109cb
    SHA1: b5d65b118fb3675b1474b33537c56b8bf7dcfa4e
    SHA256: 5b461d6429dc41811b381bbe67a973f137a3dd590fcf4c4b1b0aea4973d6cd79
    SHA512: 3ff07380e0b2a1a56ae49f5c76834d6d7f23dfe6cf2b1cd92f9eeb6f3d3dd91f63104e23f53a40f160f2bf59f45dea267c94dba77af08a5bd4957a85adf0395a

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

    Filesize: 18KB
    MD5: 7220761f971ef2ac2de0549e7209c423
    SHA1: cb74646c37cdc4ca801158fe461a8d5b8460cbb8
    SHA256: 5f497dc15ab35352b221eb208a3961a053df6595872827bf912fecb62c7d39a2
    SHA512: 318e3d573f29afc72a50036808d8499ed4ccb2a14a67fcf8d3feab2c77174f1826f6988bde953b9bd694c35d228db71b2aa8192554f1d1513101f2bbc740aa79

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

    Filesize: 18KB
    MD5: 780bff0d4ebab81a42b133391066a893
    SHA1: 49d06936d20a12ce46d3b766489d9fd8ee14f4a3
    SHA256: ab63d7f8f3980edeff86bb37a95d87ce4ff16ec3ddb01962d13a55034bcda286
    SHA512: bd4ba54a11c84c25d194acd8edf00a5ab5e9044351f6d4b4618a9eab4991d8e0a7b55bcfb5ac69a5af823cd437ba3bf9d6c243e70be2429241eb9dec8d39399e

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

    Filesize: 18KB
    MD5: cd81972dffa3948cf4d5a872fcd70f35
    SHA1: b4820477967f426e0c84c1da50918fd6e7423aa4
    SHA256: 1036afb7371169f5c396b457871f9920262653a1c7f62a4bbd83b5095375ce6b
    SHA512: df980b7a9697252435933ac21c017eb78233437b7a645c0bde05af219f0d5d761a7237b1bc2106ea2e67c9d057c4be4b83b5520875cdfe62b434e1a267e0d515

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

    Filesize: 18KB
    MD5: 47db3cea982daa08a25727f7d20a7a54
    SHA1: 8ceae9d3f437c1bfa1285716b9f4b739f9bb5f72
    SHA256: 1fc08407cdbb6b182b75a0d7d4efedf638af2fa7254344f2823c81387ca2d775
    SHA512: b5d7ede26c3008a701269dc3286e1895b3045ed48bd21871568b3d5a2349dda6090ea99bb82517c870dba9dbb124866d74177e583d421e5c474ce1ef75581fa4

  • C:\Windows\windefender.exe

    Filesize: 2.0MB
    MD5: 8e67f58837092385dcf01e8a2b4f5783
    SHA1: 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
    SHA256: 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
    SHA512: 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
