Analysis

  • max time kernel
    7s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/05/2024, 19:23

General

  • Target

    82ec490209e440b75b8729df3f23ec13e5bf639fed95ef52d125f4def5c1d645.exe

  • Size

    4.1MB

  • MD5

    a94bdea39ad931b2d20f3fb7b81fbb9d

  • SHA1

    3ae3bd6c1420a904f8101e903d5d65d410b716a0

  • SHA256

    82ec490209e440b75b8729df3f23ec13e5bf639fed95ef52d125f4def5c1d645

  • SHA512

    81390d7163bf56511042e6db3c60a5b6173fc78266ed4623739981d52b3999c2f827970984c6f6ca94062053f328d4d09df8dac8c7226c629839e254693cfb2b

  • SSDEEP

    98304:/pLl5dh/cY//0ytMliSDJIrO0tWgVy355J08nZmlsCb:hLlNLHtGNcOLFp5JFwlsCb

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 7 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

Processes

  • C:\Users\Admin\AppData\Local\Temp\82ec490209e440b75b8729df3f23ec13e5bf639fed95ef52d125f4def5c1d645.exe
    "C:\Users\Admin\AppData\Local\Temp\82ec490209e440b75b8729df3f23ec13e5bf639fed95ef52d125f4def5c1d645.exe"
    1⤵
      PID:2892
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        2⤵
        • Command and Scripting Interpreter: PowerShell
        PID:3176
      • C:\Users\Admin\AppData\Local\Temp\82ec490209e440b75b8729df3f23ec13e5bf639fed95ef52d125f4def5c1d645.exe
        "C:\Users\Admin\AppData\Local\Temp\82ec490209e440b75b8729df3f23ec13e5bf639fed95ef52d125f4def5c1d645.exe"
        2⤵
          PID:3536
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            3⤵
            • Command and Scripting Interpreter: PowerShell
            PID:1832
          • C:\Windows\system32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            3⤵
              PID:4004
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                4⤵
                • Modifies Windows Firewall
                PID:3500
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:2012
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:4192
            • C:\Windows\rss\csrss.exe
              C:\Windows\rss\csrss.exe
              3⤵
                PID:3968
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -nologo -noprofile
                  4⤵
                  • Command and Scripting Interpreter: PowerShell
                  PID:4412
                • C:\Windows\SYSTEM32\schtasks.exe
                  schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                  4⤵
                  • Creates scheduled task(s)
                  PID:3428
                • C:\Windows\SYSTEM32\schtasks.exe
                  schtasks /delete /tn ScheduledUpdate /f
                  4⤵
                    PID:1264
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -nologo -noprofile
                    4⤵
                    • Command and Scripting Interpreter: PowerShell
                    PID:4028
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -nologo -noprofile
                    4⤵
                    • Command and Scripting Interpreter: PowerShell
                    PID:1832
                  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                    4⤵
                      PID:1464
                    • C:\Windows\SYSTEM32\schtasks.exe
                      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                      4⤵
                      • Creates scheduled task(s)
                      PID:5028
                    • C:\Windows\windefender.exe
                      "C:\Windows\windefender.exe"
                      4⤵
                        PID:1104
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                          5⤵
                            PID:4756
                            • C:\Windows\SysWOW64\sc.exe
                              sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                              6⤵
                              • Launches sc.exe
                              PID:4720
                  • C:\Windows\windefender.exe
                    C:\Windows\windefender.exe
                    1⤵
                      PID:4460

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jsn0fey3.h4q.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
    Filesize: 281KB
    MD5: d98e33b66343e7c96158444127a117f6
    SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
    SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
    SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: 968cb9309758126772781b83adb8a28f
    SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
    SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
    SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize: 19KB
    MD5: 34a860a95d96323aca13fd05316d08ec
    SHA1: 2cebcfec58cca16b78fb9519b7c559d5f4283b21
    SHA256: a0459c2527146f6a2f1573f51d8950c7c297bdc933599d9235d5dc7360a4e986
    SHA512: ab9da432c185235e37a7c887ddb347e3c5cdba09e282418defcf4e1ed7a0f628b45fab39f3d3a966baf9317b907c0e4574a58981ee4b1e53a75ea88fee91d6bc

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize: 19KB
    MD5: 7b06b8a61b9ecd561c79dda1dfce1a4b
    SHA1: 98a8a94e3ef7014cfd7844c49b60d6a9a32032bd
    SHA256: 316f77cf61016316fdd7d08b6229f8bd2a73e3a3f32ea6e49b33da336f439b70
    SHA512: 2deafafb59c7c00217f6e91a93977010219a21a06540edab8b2b2675c537454e4a13c39760e5c3d54e6319385723dcce21bcef953d13fa005a3ec7c9e335af63

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize: 19KB
    MD5: e3f72977501452031cf542f7361bf33f
    SHA1: d1b9f678d59060695e325a3c5b47098c51da9167
    SHA256: b2ff907a44b0b760232b9faab204678520a958287f7a92e9efceca60bc660ebc
    SHA512: 9c805fdb3669fb650205e37309c2e8ed6fbb1012aecdc7fef5c9545701a4e52297c00cddd9d1524d45dee223724dab1c22f113097600d64a9b101650138fbf79

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize: 19KB
    MD5: 9c913beb79103436b66eb26b00b4d110
    SHA1: 6c398e6c77b6c42484566f91bbb7b7e43ddcd56e
    SHA256: d9a9bcc02aeec8ea668c9219b8988e56afda3151200d52aa32e52ffa6c1dcad2
    SHA512: 5050db46256649d5ea52723ed623bd1b2e722e9def4ebebbc52f79be56e869dac12ab47b3a7e9d2c515371f7348a31bb47ef113e3b1fb53e14448d6dbab1f50a

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize: 19KB
    MD5: 4a39b112795933210d1bfdd3b905015e
    SHA1: 85b01580cb966ddb93d6263aa38a8d9f8c6218a7
    SHA256: 70cfe33a780aa66c002a42484bf0f7ac8acd0d486e127835ba254e338797d6b6
    SHA512: 25a1197761d97d5f87e650aae1228dee5ef8d120603bc0be7a2832a10c554c1212a1f5db35b9ac34c12ab52eb4402fd21d36ddd8bade34557b502b3e1c19bf94

  • C:\Windows\rss\csrss.exe
    Filesize: 2.1MB
    MD5: a0814c8da0e8f80cc3c44dcb41ebcc4c
    SHA1: 3dec92c21d72ca8bb7788b2e83a904d71c7bb6dd
    SHA256: 5818a0eb8cf41d24c4384107fc5d7cf97ceb5bbb9a58187df59a7ebc76f97d74
    SHA512: 20dbb2b8c58645e4df32dc7af4127516c659d5b532ecc64b15f241d67006593b0d0fc9bd249133c1fe7d2472c5e78472cfd47e9cbe197914118c63d4ed4169ee

  • C:\Windows\rss\csrss.exe
    Filesize: 1.2MB
    MD5: 13601d284c696fcfefea0644c5f53a2f
    SHA1: 81fffae64c0628eee6e051dca34ae36b18348abe
    SHA256: e80de3abcc6f1547f7229991e111a1d78838fb87e78cc97b70889ce1f39a0a47
    SHA512: 1e44cfd59536c879761cb7b12880897a4a8cafc88bfb4db693534fc52d8c471df4612fe692587de7822160bf93cf50c0e98a24d46b43ba60c1edb0a477714b10

  • C:\Windows\windefender.exe
    Filesize: 2.0MB
    MD5: 8e67f58837092385dcf01e8a2b4f5783
    SHA1: 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
    SHA256: 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
    SHA512: 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

  • memory/1104-227-0x0000000000400000-0x00000000008DF000-memory.dmp (Filesize 4.9MB)
  • memory/1104-230-0x0000000000400000-0x00000000008DF000-memory.dmp (Filesize 4.9MB)
  • memory/1832-201-0x0000000070550000-0x00000000708A4000-memory.dmp (Filesize 3.3MB)
  • memory/1832-200-0x000000006FDC0000-0x000000006FE0C000-memory.dmp (Filesize 304KB)
  • memory/1832-198-0x0000000006410000-0x0000000006764000-memory.dmp (Filesize 3.3MB)
  • memory/1832-65-0x0000000005E90000-0x00000000061E4000-memory.dmp (Filesize 3.3MB)
  • memory/1832-81-0x0000000007A90000-0x0000000007AA4000-memory.dmp (Filesize 80KB)
  • memory/1832-80-0x0000000007A40000-0x0000000007A51000-memory.dmp (Filesize 68KB)
  • memory/1832-68-0x000000006FEA0000-0x000000006FEEC000-memory.dmp (Filesize 304KB)
  • memory/1832-69-0x0000000070290000-0x00000000705E4000-memory.dmp (Filesize 3.3MB)
  • memory/1832-79-0x0000000007730000-0x00000000077D3000-memory.dmp (Filesize 652KB)
  • memory/2012-96-0x000000006FEA0000-0x000000006FEEC000-memory.dmp (Filesize 304KB)
  • memory/2012-97-0x0000000070650000-0x00000000709A4000-memory.dmp (Filesize 3.3MB)
  • memory/2012-94-0x00000000056E0000-0x0000000005A34000-memory.dmp (Filesize 3.3MB)
  • memory/2892-55-0x0000000000400000-0x0000000002EDD000-memory.dmp (Filesize 42.9MB)
  • memory/2892-2-0x0000000005030000-0x000000000591B000-memory.dmp (Filesize 8.9MB)
  • memory/2892-3-0x0000000000400000-0x0000000000D1C000-memory.dmp (Filesize 9.1MB)
  • memory/2892-138-0x0000000000400000-0x0000000000D1C000-memory.dmp (Filesize 9.1MB)
  • memory/2892-1-0x0000000003290000-0x000000000368C000-memory.dmp (Filesize 4.0MB)
  • memory/2892-67-0x0000000005030000-0x000000000591B000-memory.dmp (Filesize 8.9MB)
  • memory/2892-66-0x0000000003290000-0x000000000368C000-memory.dmp (Filesize 4.0MB)
  • memory/3176-5-0x0000000003290000-0x00000000032C6000-memory.dmp (Filesize 216KB)
  • memory/3176-40-0x0000000007E40000-0x0000000007E5E000-memory.dmp (Filesize 120KB)
  • memory/3176-48-0x0000000007FC0000-0x0000000007FD4000-memory.dmp (Filesize 80KB)
  • memory/3176-45-0x0000000008010000-0x00000000080A6000-memory.dmp (Filesize 600KB)
  • memory/3176-50-0x0000000008000000-0x0000000008008000-memory.dmp (Filesize 32KB)
  • memory/3176-49-0x00000000080B0000-0x00000000080CA000-memory.dmp (Filesize 104KB)
  • memory/3176-44-0x0000000074000000-0x00000000747B0000-memory.dmp (Filesize 7.7MB)
  • memory/3176-43-0x0000000007F50000-0x0000000007F5A000-memory.dmp (Filesize 40KB)
  • memory/3176-42-0x0000000007E60000-0x0000000007F03000-memory.dmp (Filesize 652KB)
  • memory/3176-26-0x00000000082B0000-0x000000000892A000-memory.dmp (Filesize 6.5MB)
  • memory/3176-27-0x0000000007C50000-0x0000000007C6A000-memory.dmp (Filesize 104KB)
  • memory/3176-25-0x0000000007BB0000-0x0000000007C26000-memory.dmp (Filesize 472KB)
  • memory/3176-47-0x0000000007FB0000-0x0000000007FBE000-memory.dmp (Filesize 56KB)
  • memory/3176-24-0x0000000006DF0000-0x0000000006E34000-memory.dmp (Filesize 272KB)
  • memory/3176-28-0x0000000007E00000-0x0000000007E32000-memory.dmp (Filesize 200KB)
  • memory/3176-29-0x000000006FEA0000-0x000000006FEEC000-memory.dmp (Filesize 304KB)
  • memory/3176-46-0x0000000007F70000-0x0000000007F81000-memory.dmp (Filesize 68KB)
  • memory/3176-23-0x00000000068D0000-0x000000000691C000-memory.dmp (Filesize 304KB)
  • memory/3176-53-0x0000000074000000-0x00000000747B0000-memory.dmp (Filesize 7.7MB)
  • memory/3176-41-0x0000000074000000-0x00000000747B0000-memory.dmp (Filesize 7.7MB)
  • memory/3176-22-0x0000000006880000-0x000000000689E000-memory.dmp (Filesize 120KB)
  • memory/3176-10-0x0000000005A50000-0x0000000005AB6000-memory.dmp (Filesize 408KB)
  • memory/3176-30-0x0000000070450000-0x00000000707A4000-memory.dmp (Filesize 3.3MB)
  • memory/3176-4-0x000000007400E000-0x000000007400F000-memory.dmp (Filesize 4KB)
  • memory/3176-7-0x0000000074000000-0x00000000747B0000-memory.dmp (Filesize 7.7MB)
  • memory/3176-21-0x00000000062F0000-0x0000000006644000-memory.dmp (Filesize 3.3MB)
  • memory/3176-6-0x0000000005CC0000-0x00000000062E8000-memory.dmp (Filesize 6.2MB)
  • memory/3176-8-0x0000000074000000-0x00000000747B0000-memory.dmp (Filesize 7.7MB)
  • memory/3176-9-0x00000000059A0000-0x00000000059C2000-memory.dmp (Filesize 136KB)
  • memory/3176-11-0x0000000005BF0000-0x0000000005C56000-memory.dmp (Filesize 408KB)
  • memory/3536-137-0x0000000000400000-0x0000000002EDD000-memory.dmp (Filesize 42.9MB)
  • memory/3968-241-0x0000000000400000-0x0000000002EDD000-memory.dmp (Filesize 42.9MB)
  • memory/3968-245-0x0000000000400000-0x0000000002EDD000-memory.dmp (Filesize 42.9MB)
  • memory/3968-237-0x0000000000400000-0x0000000002EDD000-memory.dmp (Filesize 42.9MB)
  • memory/3968-233-0x0000000000400000-0x0000000002EDD000-memory.dmp (Filesize 42.9MB)
  • memory/3968-257-0x0000000000400000-0x0000000002EDD000-memory.dmp (Filesize 42.9MB)
  • memory/3968-253-0x0000000000400000-0x0000000002EDD000-memory.dmp (Filesize 42.9MB)
  • memory/3968-269-0x0000000000400000-0x0000000002EDD000-memory.dmp (Filesize 42.9MB)
  • memory/3968-265-0x0000000000400000-0x0000000002EDD000-memory.dmp (Filesize 42.9MB)
  • memory/3968-261-0x0000000000400000-0x0000000002EDD000-memory.dmp (Filesize 42.9MB)
  • memory/3968-226-0x0000000000400000-0x0000000002EDD000-memory.dmp (Filesize 42.9MB)
  • memory/3968-219-0x0000000000400000-0x0000000002EDD000-memory.dmp (Filesize 42.9MB)
  • memory/3968-249-0x0000000000400000-0x0000000002EDD000-memory.dmp (Filesize 42.9MB)
  • memory/4028-171-0x0000000005A40000-0x0000000005D94000-memory.dmp (Filesize 3.3MB)
  • memory/4028-175-0x000000006FF40000-0x0000000070294000-memory.dmp (Filesize 3.3MB)
  • memory/4028-185-0x0000000007190000-0x0000000007233000-memory.dmp (Filesize 652KB)
  • memory/4028-187-0x0000000005A00000-0x0000000005A14000-memory.dmp (Filesize 80KB)
  • memory/4028-173-0x00000000064B0000-0x00000000064FC000-memory.dmp (Filesize 304KB)
  • memory/4028-186-0x00000000074A0000-0x00000000074B1000-memory.dmp (Filesize 68KB)
  • memory/4028-174-0x000000006FDC0000-0x000000006FE0C000-memory.dmp (Filesize 304KB)
  • memory/4192-119-0x000000006FEA0000-0x000000006FEEC000-memory.dmp (Filesize 304KB)
  • memory/4192-113-0x0000000005E70000-0x00000000061C4000-memory.dmp (Filesize 3.3MB)
  • memory/4192-120-0x0000000070620000-0x0000000070974000-memory.dmp (Filesize 3.3MB)
  • memory/4412-148-0x0000000005480000-0x00000000057D4000-memory.dmp (Filesize 3.3MB)
  • memory/4412-151-0x0000000070470000-0x00000000707C4000-memory.dmp (Filesize 3.3MB)
  • memory/4412-150-0x000000006FEA0000-0x000000006FEEC000-memory.dmp (Filesize 304KB)
  • memory/4460-254-0x0000000000400000-0x00000000008DF000-memory.dmp (Filesize 4.9MB)
  • memory/4460-229-0x0000000000400000-0x00000000008DF000-memory.dmp (Filesize 4.9MB)
  • memory/4460-242-0x0000000000400000-0x00000000008DF000-memory.dmp (Filesize 4.9MB)
  • memory/4460-234-0x0000000000400000-0x00000000008DF000-memory.dmp (Filesize 4.9MB)