Analysis

  • max time kernel
    7s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/05/2024, 19:23

General

  • Target

    3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe

  • Size

    4.1MB

  • MD5

    ca47016e7d5480bc3619c70abb333de2

  • SHA1

    c98ff7b99d19bf951b93e243f4f92a8136b99e31

  • SHA256

    3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97

  • SHA512

    c18986c42396bfb1b7ea64f7eb5f04d6f50cb737a9f4e6dba435d5023bce17d55402dd82517cff3d7abc5a64ef859d8734fd8765fdd580084a240aba72c4baf8

  • SSDEEP

    98304:npLl5dh/cY//0ytMliSDJIrO0tWgVy355J08nZmlsCE:pLlNLHtGNcOLFp5JFwlsCE

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 16 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
    "C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe"
    1⤵
      PID:3360
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        2⤵
        • Command and Scripting Interpreter: PowerShell
        PID:736
      • C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
        "C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe"
        2⤵
          PID:4708
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            3⤵
            • Command and Scripting Interpreter: PowerShell
            PID:2672
          • C:\Windows\system32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            3⤵
              PID:4728
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                4⤵
                • Modifies Windows Firewall
                PID:4580
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:808
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:2204
            • C:\Windows\rss\csrss.exe
              C:\Windows\rss\csrss.exe
              3⤵
                PID:4884
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -nologo -noprofile
                  4⤵
                  • Command and Scripting Interpreter: PowerShell
                  PID:3904
                • C:\Windows\SYSTEM32\schtasks.exe
                  schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                  4⤵
                  • Creates scheduled task(s)
                  PID:1204
                • C:\Windows\SYSTEM32\schtasks.exe
                  schtasks /delete /tn ScheduledUpdate /f
                  4⤵
                    PID:4960
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -nologo -noprofile
                    4⤵
                    • Command and Scripting Interpreter: PowerShell
                    PID:992
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -nologo -noprofile
                    4⤵
                    • Command and Scripting Interpreter: PowerShell
                    PID:5000
                  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                    4⤵
                      PID:3076
                    • C:\Windows\SYSTEM32\schtasks.exe
                      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                      4⤵
                      • Creates scheduled task(s)
                      PID:4192
                    • C:\Windows\windefender.exe
                      "C:\Windows\windefender.exe"
                      4⤵
                        PID:1356
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                          5⤵
                            PID:2356
                            • C:\Windows\SysWOW64\sc.exe
                              sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                              6⤵
                              • Launches sc.exe
                              PID:4340
                  • C:\Windows\windefender.exe
                    C:\Windows\windefender.exe
                    1⤵
                      PID:4076

                    Network

                          MITRE ATT&CK Enterprise v15

                          Downloads

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2n3bvcdo.ksp.ps1

                            Filesize

                            60B

                            MD5

                            d17fe0a3f47be24a6453e9ef58c94641

                            SHA1

                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                            SHA256

                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                            SHA512

                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

                            Filesize

                            281KB

                            MD5

                            d98e33b66343e7c96158444127a117f6

                            SHA1

                            bb716c5509a2bf345c6c1152f6e3e1452d39d50d

                            SHA256

                            5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

                            SHA512

                            705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

                          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

                            Filesize

                            2KB

                            MD5

                            968cb9309758126772781b83adb8a28f

                            SHA1

                            8da30e71accf186b2ba11da1797cf67f8f78b47c

                            SHA256

                            92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

                            SHA512

                            4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

                          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                            Filesize

                            19KB

                            MD5

                            b959f6e05f73f7d76242faf62f028be8

                            SHA1

                            028261e7be1c09bbfe4fb0bdc1fdfb6dbaf6573e

                            SHA256

                            84a219dbfca939fa2a2aa92dadbb85da378297e47e9646427ffc94adb0269133

                            SHA512

                            bfcf23d5cf376e8aaa32ff3f6c7d845b9b23dbae32b046fd5c6d0f69cee85eaa10676a670904a6f6c021dc23ba991692f698681e30f64d6ea506915f1564880f

                          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                            Filesize

                            19KB

                            MD5

                            56f3b4e6f393975793ed5913550d31af

                            SHA1

                            d84aa547d78d84ea2cc149294af1bb5599456b12

                            SHA256

                            1393150e44cb07ce2b8250b6181fe7e96ac241ff10d5b0289472b912ceb65ec5

                            SHA512

                            2b9ea8c7ecb85cb7f54bd4cd6e7d9301ed2d00ffddd07c1aeb542b8ec27b4011b8db9ca14bd3b9481e2dbd209e4b792c4f7573219818acc7ddbeeb8e6555211e

                          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                            Filesize

                            19KB

                            MD5

                            e2b7a2b19af13e9bf1c072b4d050b797

                            SHA1

                            d64c540bab60399fdb3103044acc1cf40651c056

                            SHA256

                            32198ff10f466498d65d4d7b0187fb241bf1dec8cf06341b277d25aa92902cb4

                            SHA512

                            62c9e2c71df74ab22fa94e8d88f015de79a9676cb80587c4531bf187a33eaca0de001f0d93a8f3b674aac0543db9b0d94f8fb6760c38c693ad51672ffe757087

                          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                            Filesize

                            19KB

                            MD5

                            2da91a285956a6d07dafa21799e836b1

                            SHA1

                            1bafb27aaa095b964d65028b83eab0b8d3c43d11

                            SHA256

                            7ffbb7ef1404470390548787e01f3304883432f297ee827a40c3c6ae06b1cab7

                            SHA512

                            30982b04cdc6bb603cbf506cdb2fab4b38131b8ed8e2a3644ec2ac2144d43d14dda64bd7ad06fe9867caaa4aa0d0aa3428e3f7f0da351419f30fc6fc511635e8

                          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                            Filesize

                            19KB

                            MD5

                            f2e049d8b24256882c91ecf9ba88f506

                            SHA1

                            9aee5be207934dfad4f9ea4426016474d4aa9c25

                            SHA256

                            8b09dd4268a1769bb450b1d4624e534cdaf1bdca5215eedadd5fefc0db179fef

                            SHA512

                            ac84b9c24e8a2a87bee87fca6dd49d4e89a69ca420212db4d4a16c7a4950f6246a39ba6d973c237e67e791ac28cb34e5b7e4df8b5e8a39fcf3fc983ec0de95a0

                          • C:\Windows\rss\csrss.exe

                            Filesize

                            4.1MB

                            MD5

                            ca47016e7d5480bc3619c70abb333de2

                            SHA1

                            c98ff7b99d19bf951b93e243f4f92a8136b99e31

                            SHA256

                            3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97

                            SHA512

                            c18986c42396bfb1b7ea64f7eb5f04d6f50cb737a9f4e6dba435d5023bce17d55402dd82517cff3d7abc5a64ef859d8734fd8765fdd580084a240aba72c4baf8

                          • C:\Windows\windefender.exe

                            Filesize

                            448KB

                            MD5

                            eac3c94e166a4ac3e7d3dbf26d505ebb

                            SHA1

                            c231e723ad6077f9b6bd12c5e7bd3fd208f7fa45

                            SHA256

                            662eb9030b85d481e53772eb13a1b747a62bc68a862e0e4ba90f4e6acb3fe124

                            SHA512

                            b5b0f2d3205ebf43593ae73318cc078b5eafed92be6c8d113cf0e7dbef9f84da759301393b9528ac7f11b2f82dd8a190ad5c2b9066c84afbc1c9fb775fcff1a0

                          • C:\Windows\windefender.exe

                            Filesize

                            2.0MB

                            MD5

                            8e67f58837092385dcf01e8a2b4f5783

                            SHA1

                            012c49cfd8c5d06795a6f67ea2baf2a082cf8625

                            SHA256

                            166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

                            SHA512

                            40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

                          • memory/736-42-0x0000000007470000-0x0000000007513000-memory.dmp

                            Filesize

                            652KB

                          • memory/736-28-0x0000000007410000-0x0000000007442000-memory.dmp

                            Filesize

                            200KB

                          • memory/736-22-0x0000000005EB0000-0x0000000005ECE000-memory.dmp

                            Filesize

                            120KB

                          • memory/736-23-0x0000000005ED0000-0x0000000005F1C000-memory.dmp

                            Filesize

                            304KB

                          • memory/736-24-0x0000000006E70000-0x0000000006EB4000-memory.dmp

                            Filesize

                            272KB

                          • memory/736-25-0x00000000071D0000-0x0000000007246000-memory.dmp

                            Filesize

                            472KB

                          • memory/736-27-0x0000000007250000-0x000000000726A000-memory.dmp

                            Filesize

                            104KB

                          • memory/736-26-0x00000000078D0000-0x0000000007F4A000-memory.dmp

                            Filesize

                            6.5MB

                          • memory/736-41-0x0000000007450000-0x000000000746E000-memory.dmp

                            Filesize

                            120KB

                          • memory/736-44-0x0000000074840000-0x0000000074FF0000-memory.dmp

                            Filesize

                            7.7MB

                          • memory/736-43-0x0000000007560000-0x000000000756A000-memory.dmp

                            Filesize

                            40KB

                          • memory/736-8-0x0000000074840000-0x0000000074FF0000-memory.dmp

                            Filesize

                            7.7MB

                          • memory/736-31-0x0000000070E60000-0x00000000711B4000-memory.dmp

                            Filesize

                            3.3MB

                          • memory/736-45-0x0000000007620000-0x00000000076B6000-memory.dmp

                            Filesize

                            600KB

                          • memory/736-30-0x0000000074840000-0x0000000074FF0000-memory.dmp

                            Filesize

                            7.7MB

                          • memory/736-46-0x0000000007580000-0x0000000007591000-memory.dmp

                            Filesize

                            68KB

                          • memory/736-29-0x00000000706E0000-0x000000007072C000-memory.dmp

                            Filesize

                            304KB

                          • memory/736-10-0x0000000005690000-0x00000000056F6000-memory.dmp

                            Filesize

                            408KB

                          • memory/736-47-0x00000000075C0000-0x00000000075CE000-memory.dmp

                            Filesize

                            56KB

                          • memory/736-50-0x0000000007600000-0x0000000007608000-memory.dmp

                            Filesize

                            32KB

                          • memory/736-49-0x00000000076C0000-0x00000000076DA000-memory.dmp

                            Filesize

                            104KB

                          • memory/736-48-0x00000000075D0000-0x00000000075E4000-memory.dmp

                            Filesize

                            80KB

                          • memory/736-53-0x0000000074840000-0x0000000074FF0000-memory.dmp

                            Filesize

                            7.7MB

                          • memory/736-21-0x00000000058E0000-0x0000000005C34000-memory.dmp

                            Filesize

                            3.3MB

                          • memory/736-4-0x000000007484E000-0x000000007484F000-memory.dmp

                            Filesize

                            4KB

                          • memory/736-5-0x00000000048B0000-0x00000000048E6000-memory.dmp

                            Filesize

                            216KB

                          • memory/736-7-0x0000000074840000-0x0000000074FF0000-memory.dmp

                            Filesize

                            7.7MB

                          • memory/736-9-0x0000000004EF0000-0x0000000004F12000-memory.dmp

                            Filesize

                            136KB

                          • memory/736-11-0x0000000005870000-0x00000000058D6000-memory.dmp

                            Filesize

                            408KB

                          • memory/736-6-0x0000000005060000-0x0000000005688000-memory.dmp

                            Filesize

                            6.2MB

                          • memory/808-94-0x0000000005FB0000-0x0000000006304000-memory.dmp

                            Filesize

                            3.3MB

                          • memory/808-97-0x0000000070860000-0x0000000070BB4000-memory.dmp

                            Filesize

                            3.3MB

                          • memory/808-96-0x00000000706E0000-0x000000007072C000-memory.dmp

                            Filesize

                            304KB

                          • memory/992-172-0x0000000006980000-0x00000000069CC000-memory.dmp

                            Filesize

                            304KB

                          • memory/992-184-0x0000000007860000-0x0000000007903000-memory.dmp

                            Filesize

                            652KB

                          • memory/992-174-0x0000000070D90000-0x00000000710E4000-memory.dmp

                            Filesize

                            3.3MB

                          • memory/992-173-0x0000000070600000-0x000000007064C000-memory.dmp

                            Filesize

                            304KB

                          • memory/992-185-0x0000000007B80000-0x0000000007B91000-memory.dmp

                            Filesize

                            68KB

                          • memory/992-186-0x00000000063F0000-0x0000000006404000-memory.dmp

                            Filesize

                            80KB

                          • memory/992-161-0x0000000005F00000-0x0000000006254000-memory.dmp

                            Filesize

                            3.3MB

                          • memory/1356-226-0x0000000000400000-0x00000000008DF000-memory.dmp

                            Filesize

                            4.9MB

                          • memory/1356-230-0x0000000000400000-0x00000000008DF000-memory.dmp

                            Filesize

                            4.9MB

                          • memory/2204-120-0x0000000071110000-0x0000000071464000-memory.dmp

                            Filesize

                            3.3MB

                          • memory/2204-119-0x00000000706E0000-0x000000007072C000-memory.dmp

                            Filesize

                            304KB

                          • memory/2204-117-0x0000000005E90000-0x00000000061E4000-memory.dmp

                            Filesize

                            3.3MB

                          • memory/2672-68-0x00000000706E0000-0x000000007072C000-memory.dmp

                            Filesize

                            304KB

                          • memory/2672-65-0x0000000005D10000-0x0000000006064000-memory.dmp

                            Filesize

                            3.3MB

                          • memory/2672-69-0x0000000070B00000-0x0000000070E54000-memory.dmp

                            Filesize

                            3.3MB

                          • memory/2672-79-0x00000000075B0000-0x0000000007653000-memory.dmp

                            Filesize

                            652KB

                          • memory/2672-81-0x0000000007910000-0x0000000007924000-memory.dmp

                            Filesize

                            80KB

                          • memory/2672-80-0x00000000078C0000-0x00000000078D1000-memory.dmp

                            Filesize

                            68KB

                          • memory/3360-55-0x0000000000400000-0x0000000002EDD000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/3360-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

                            Filesize

                            9.1MB

                          • memory/3360-66-0x00000000031F0000-0x00000000035F0000-memory.dmp

                            Filesize

                            4.0MB

                          • memory/3360-67-0x0000000004F90000-0x000000000587B000-memory.dmp

                            Filesize

                            8.9MB

                          • memory/3360-2-0x0000000004F90000-0x000000000587B000-memory.dmp

                            Filesize

                            8.9MB

                          • memory/3360-1-0x00000000031F0000-0x00000000035F0000-memory.dmp

                            Filesize

                            4.0MB

                          • memory/3360-138-0x0000000000400000-0x0000000000D1C000-memory.dmp

                            Filesize

                            9.1MB

                          • memory/3904-150-0x0000000070860000-0x0000000070BB4000-memory.dmp

                            Filesize

                            3.3MB

                          • memory/3904-149-0x00000000706E0000-0x000000007072C000-memory.dmp

                            Filesize

                            304KB

                          • memory/4076-242-0x0000000000400000-0x00000000008DF000-memory.dmp

                            Filesize

                            4.9MB

                          • memory/4076-229-0x0000000000400000-0x00000000008DF000-memory.dmp

                            Filesize

                            4.9MB

                          • memory/4076-234-0x0000000000400000-0x00000000008DF000-memory.dmp

                            Filesize

                            4.9MB

                          • memory/4708-137-0x0000000000400000-0x0000000002EDD000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/4884-237-0x0000000000400000-0x0000000002EDD000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/4884-241-0x0000000000400000-0x0000000002EDD000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/4884-269-0x0000000000400000-0x0000000002EDD000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/4884-225-0x0000000000400000-0x0000000002EDD000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/4884-233-0x0000000000400000-0x0000000002EDD000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/4884-218-0x0000000000400000-0x0000000002EDD000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/4884-265-0x0000000000400000-0x0000000002EDD000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/4884-261-0x0000000000400000-0x0000000002EDD000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/4884-245-0x0000000000400000-0x0000000002EDD000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/4884-249-0x0000000000400000-0x0000000002EDD000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/4884-253-0x0000000000400000-0x0000000002EDD000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/4884-257-0x0000000000400000-0x0000000002EDD000-memory.dmp

                            Filesize

                            42.9MB

                          • memory/5000-199-0x0000000070600000-0x000000007064C000-memory.dmp

                            Filesize

                            304KB

                          • memory/5000-197-0x00000000056F0000-0x0000000005A44000-memory.dmp

                            Filesize

                            3.3MB

                          • memory/5000-200-0x0000000070790000-0x0000000070AE4000-memory.dmp

                            Filesize

                            3.3MB