Analysis
max time kernel: 7s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 09/05/2024, 19:23

Static task: static1
Behavioral task: behavioral1
  Sample: 82ec490209e440b75b8729df3f23ec13e5bf639fed95ef52d125f4def5c1d645.exe
  Resource: win10v2004-20240426-en
General
Target: 82ec490209e440b75b8729df3f23ec13e5bf639fed95ef52d125f4def5c1d645.exe
Size: 4.1MB
MD5: a94bdea39ad931b2d20f3fb7b81fbb9d
SHA1: 3ae3bd6c1420a904f8101e903d5d65d410b716a0
SHA256: 82ec490209e440b75b8729df3f23ec13e5bf639fed95ef52d125f4def5c1d645
SHA512: 81390d7163bf56511042e6db3c60a5b6173fc78266ed4623739981d52b3999c2f827970984c6f6ca94062053f328d4d09df8dac8c7226c629839e254693cfb2b
SSDEEP: 98304:/pLl5dh/cY//0ytMliSDJIrO0tWgVy355J08nZmlsCb:hLlNLHtGNcOLFp5JFwlsCb
Malware Config
Signatures

Glupteba payload 7 IoCs
  resource                                                                      yara_rule
  behavioral1/memory/2892-2-0x0000000005030000-0x000000000591B000-memory.dmp    family_glupteba
  behavioral1/memory/2892-55-0x0000000000400000-0x0000000002EDD000-memory.dmp   family_glupteba
  behavioral1/memory/3968-219-0x0000000000400000-0x0000000002EDD000-memory.dmp  family_glupteba
  behavioral1/memory/3968-257-0x0000000000400000-0x0000000002EDD000-memory.dmp  family_glupteba
  behavioral1/memory/3968-261-0x0000000000400000-0x0000000002EDD000-memory.dmp  family_glupteba
  behavioral1/memory/3968-265-0x0000000000400000-0x0000000002EDD000-memory.dmp  family_glupteba
  behavioral1/memory/3968-269-0x0000000000400000-0x0000000002EDD000-memory.dmp  family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs
  pid   Process
  3500  netsh.exe

UPX packed file 7 IoCs
  resource                                                                      yara_rule
  behavioral1/files/0x0009000000023478-224.dat                                  upx
  behavioral1/memory/1104-227-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
  behavioral1/memory/1104-230-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
  behavioral1/memory/4460-229-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
  behavioral1/memory/4460-234-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
  behavioral1/memory/4460-242-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
  behavioral1/memory/4460-254-0x0000000000400000-0x00000000008DF000-memory.dmp  upx

Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
  pid   Process
  4720  sc.exe

Command and Scripting Interpreter: PowerShell 7 IoCs
  pid   Process
  4412  powershell.exe
  4028  powershell.exe
  1832  powershell.exe
  3176  powershell.exe
  1832  powershell.exe
  2012  powershell.exe
  4192  powershell.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  3428  schtasks.exe
  5028  schtasks.exe
Processes
(process tree; nesting shows parent/child, the bracketed number is the depth reported by the sandbox)

[1] C:\Users\Admin\AppData\Local\Temp\82ec490209e440b75b8729df3f23ec13e5bf639fed95ef52d125f4def5c1d645.exe  PID:2892
    command: "C:\Users\Admin\AppData\Local\Temp\82ec490209e440b75b8729df3f23ec13e5bf639fed95ef52d125f4def5c1d645.exe"

    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID:3176
        command: powershell -nologo -noprofile
        signature: Command and Scripting Interpreter: PowerShell

    [2] C:\Users\Admin\AppData\Local\Temp\82ec490209e440b75b8729df3f23ec13e5bf639fed95ef52d125f4def5c1d645.exe  PID:3536
        command: "C:\Users\Admin\AppData\Local\Temp\82ec490209e440b75b8729df3f23ec13e5bf639fed95ef52d125f4def5c1d645.exe"

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID:1832
            command: powershell -nologo -noprofile
            signature: Command and Scripting Interpreter: PowerShell

        [3] C:\Windows\system32\cmd.exe  PID:4004
            command: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

            [4] C:\Windows\system32\netsh.exe  PID:3500
                command: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                signature: Modifies Windows Firewall

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID:2012
            command: powershell -nologo -noprofile
            signature: Command and Scripting Interpreter: PowerShell

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID:4192
            command: powershell -nologo -noprofile
            signature: Command and Scripting Interpreter: PowerShell

        [3] C:\Windows\rss\csrss.exe  PID:3968
            command: C:\Windows\rss\csrss.exe

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID:4412
                command: powershell -nologo -noprofile
                signature: Command and Scripting Interpreter: PowerShell

            [4] C:\Windows\SYSTEM32\schtasks.exe  PID:3428
                command: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                signature: Creates scheduled task(s)

            [4] C:\Windows\SYSTEM32\schtasks.exe  PID:1264
                command: schtasks /delete /tn ScheduledUpdate /f

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID:4028
                command: powershell -nologo -noprofile
                signature: Command and Scripting Interpreter: PowerShell

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID:1832
                command: powershell -nologo -noprofile
                signature: Command and Scripting Interpreter: PowerShell

            [4] C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe  PID:1464
                command: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

            [4] C:\Windows\SYSTEM32\schtasks.exe  PID:5028
                command: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                signature: Creates scheduled task(s)

            [4] C:\Windows\windefender.exe  PID:1104
                command: "C:\Windows\windefender.exe"

                [5] C:\Windows\SysWOW64\cmd.exe  PID:4756
                    command: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

                    [6] C:\Windows\SysWOW64\sc.exe  PID:4720
                        command: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                        signature: Launches sc.exe

[1] C:\Windows\windefender.exe  PID:4460
    command: C:\Windows\windefender.exe
Network
MITRE ATT&CK Enterprise v15
Downloads