Analysis

- Max time kernel: 7s
- Max time network: 131s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240426-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 09/05/2024, 19:23

Static task: static1
Behavioral task: behavioral1
Sample: 3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
Resource: win10v2004-20240426-en
General

- Target: 3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe
- Size: 4.1MB
- MD5: ca47016e7d5480bc3619c70abb333de2
- SHA1: c98ff7b99d19bf951b93e243f4f92a8136b99e31
- SHA256: 3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97
- SHA512: c18986c42396bfb1b7ea64f7eb5f04d6f50cb737a9f4e6dba435d5023bce17d55402dd82517cff3d7abc5a64ef859d8734fd8765fdd580084a240aba72c4baf8
- SSDEEP: 98304:npLl5dh/cY//0ytMliSDJIrO0tWgVy355J08nZmlsCE:pLlNLHtGNcOLFp5JFwlsCE
Malware Config
Signatures

Glupteba payload (16 IoCs)
  yara_rule family_glupteba matched in:
  - behavioral1/memory/3360-2-0x0000000004F90000-0x000000000587B000-memory.dmp
  - behavioral1/memory/3360-3-0x0000000000400000-0x0000000000D1C000-memory.dmp
  - behavioral1/memory/3360-67-0x0000000004F90000-0x000000000587B000-memory.dmp
  - behavioral1/memory/3360-138-0x0000000000400000-0x0000000000D1C000-memory.dmp
  - behavioral1/memory/4708-137-0x0000000000400000-0x0000000002EDD000-memory.dmp
  - behavioral1/memory/4884-218-0x0000000000400000-0x0000000002EDD000-memory.dmp
  - behavioral1/memory/4884-233-0x0000000000400000-0x0000000002EDD000-memory.dmp
  - behavioral1/memory/4884-237-0x0000000000400000-0x0000000002EDD000-memory.dmp
  - behavioral1/memory/4884-241-0x0000000000400000-0x0000000002EDD000-memory.dmp
  - behavioral1/memory/4884-245-0x0000000000400000-0x0000000002EDD000-memory.dmp
  - behavioral1/memory/4884-249-0x0000000000400000-0x0000000002EDD000-memory.dmp
  - behavioral1/memory/4884-253-0x0000000000400000-0x0000000002EDD000-memory.dmp
  - behavioral1/memory/4884-257-0x0000000000400000-0x0000000002EDD000-memory.dmp
  - behavioral1/memory/4884-261-0x0000000000400000-0x0000000002EDD000-memory.dmp
  - behavioral1/memory/4884-265-0x0000000000400000-0x0000000002EDD000-memory.dmp
  - behavioral1/memory/4884-269-0x0000000000400000-0x0000000002EDD000-memory.dmp

Modifies Windows Firewall (2 TTPs, 1 IoCs)
  - PID 4580: netsh.exe

yara_rule upx matched in:
  - behavioral1/memory/1356-226-0x0000000000400000-0x00000000008DF000-memory.dmp
  - behavioral1/files/0x000a000000022977-224.dat
  - behavioral1/memory/1356-230-0x0000000000400000-0x00000000008DF000-memory.dmp
  - behavioral1/memory/4076-229-0x0000000000400000-0x00000000008DF000-memory.dmp
  - behavioral1/files/0x000a000000022977-227.dat
  - behavioral1/memory/4076-234-0x0000000000400000-0x00000000008DF000-memory.dmp
  - behavioral1/memory/4076-242-0x0000000000400000-0x00000000008DF000-memory.dmp

Launches sc.exe (1 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  - PID 4340: sc.exe

Command and Scripting Interpreter: PowerShell
  - PID 992: powershell.exe
  - PID 5000: powershell.exe
  - PID 736: powershell.exe
  - PID 2672: powershell.exe
  - PID 808: powershell.exe
  - PID 2204: powershell.exe
  - PID 3904: powershell.exe

Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 1204: schtasks.exe
  - PID 4192: schtasks.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe (PID 3360)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe"
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 736)
    Command line: powershell -nologo -noprofile
    Signature: Command and Scripting Interpreter: PowerShell
  - C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe (PID 4708)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3cf97320a742f637fbc606acb68ebb6f9ea6470c78fbc0c73e1a111c9c8d4d97.exe"
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2672)
      Command line: powershell -nologo -noprofile
      Signature: Command and Scripting Interpreter: PowerShell
    - C:\Windows\system32\cmd.exe (PID 4728)
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      - C:\Windows\system32\netsh.exe (PID 4580)
        Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        Signature: Modifies Windows Firewall
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 808)
      Command line: powershell -nologo -noprofile
      Signature: Command and Scripting Interpreter: PowerShell
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2204)
      Command line: powershell -nologo -noprofile
      Signature: Command and Scripting Interpreter: PowerShell
    - C:\Windows\rss\csrss.exe (PID 4884)
      Command line: C:\Windows\rss\csrss.exe
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3904)
        Command line: powershell -nologo -noprofile
        Signature: Command and Scripting Interpreter: PowerShell
      - C:\Windows\SYSTEM32\schtasks.exe (PID 1204)
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        Signature: Creates scheduled task(s)
      - C:\Windows\SYSTEM32\schtasks.exe (PID 4960)
        Command line: schtasks /delete /tn ScheduledUpdate /f
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 992)
        Command line: powershell -nologo -noprofile
        Signature: Command and Scripting Interpreter: PowerShell
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5000)
        Command line: powershell -nologo -noprofile
        Signature: Command and Scripting Interpreter: PowerShell
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (PID 3076)
        Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      - C:\Windows\SYSTEM32\schtasks.exe (PID 4192)
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        Signature: Creates scheduled task(s)
      - C:\Windows\windefender.exe (PID 1356)
        Command line: "C:\Windows\windefender.exe"
        - C:\Windows\SysWOW64\cmd.exe (PID 2356)
          Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
          - C:\Windows\SysWOW64\sc.exe (PID 4340)
            Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            Signature: Launches sc.exe
- C:\Windows\windefender.exe (PID 4076)
  Command line: C:\Windows\windefender.exe
Network
MITRE ATT&CK Enterprise v15
Downloads