Analysis

max time kernel: 12s
max time network: 146s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64 arch:x86 image:win11-20240426-en locale:en-us os:windows11-21h2-x64 system
submitted: 09/05/2024, 19:28

Static task: static1
Behavioral task: behavioral1
Sample: eeb8433e8ea2b93bff79946650ba4c20d18a8b1f5fa357680f6f690d59e9484e.exe
Resource: win10v2004-20240508-en
General

Target: eeb8433e8ea2b93bff79946650ba4c20d18a8b1f5fa357680f6f690d59e9484e.exe
Size: 4.1MB
MD5: 46037805a06c7829deb38acc16a8a71e
SHA1: 826d302a240e6cfb4d865150eb833e2fb195e09d
SHA256: eeb8433e8ea2b93bff79946650ba4c20d18a8b1f5fa357680f6f690d59e9484e
SHA512: 942e362d82f1a6f53f09e3800c64c557bc54778d29bf6f8166d63c8440b1aaa8604bf9e73f8270c4f754079fa8cb7a02d5f1e9dcc20fa0b21bd17429f383bc8f
SSDEEP: 98304:VwBco1salv4p8AdbboIKOJLJ1nO5Zld79mTpy:VwqoWyv4yANjKQa7oU
Malware Config
Signatures
Glupteba payload (18 IoCs)
Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid 2864  netsh.exe
resource / yara_rule (tag: upx)
  behavioral2/memory/1440-209-0x0000000000400000-0x00000000008DF000-memory.dmp
  behavioral2/files/0x000200000002aa1b-208.dat
  behavioral2/memory/1440-211-0x0000000000400000-0x00000000008DF000-memory.dmp
  behavioral2/memory/4328-214-0x0000000000400000-0x00000000008DF000-memory.dmp
  behavioral2/memory/4328-220-0x0000000000400000-0x00000000008DF000-memory.dmp
Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
  pid 5044  sc.exe
Command and Scripting Interpreter: PowerShell (7 IoCs)
  pid 1100  powershell.exe
  pid 2084  powershell.exe
  pid 904   powershell.exe
  pid 4188  powershell.exe
  pid 3664  powershell.exe
  pid 1660  powershell.exe
  pid 2140  powershell.exe
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 3164  schtasks.exe
  pid 2488  schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 904  powershell.exe
  pid 904  powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 904  powershell.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3024 wrote to memory of 904  pid 3024  eeb8433e8ea2b93bff79946650ba4c20d18a8b1f5fa357680f6f690d59e9484e.exe  procid_target 83
  PID 3024 wrote to memory of 904  pid 3024  eeb8433e8ea2b93bff79946650ba4c20d18a8b1f5fa357680f6f690d59e9484e.exe  procid_target 83
  PID 3024 wrote to memory of 904  pid 3024  eeb8433e8ea2b93bff79946650ba4c20d18a8b1f5fa357680f6f690d59e9484e.exe  procid_target 83
Processes

[1] C:\Users\Admin\AppData\Local\Temp\eeb8433e8ea2b93bff79946650ba4c20d18a8b1f5fa357680f6f690d59e9484e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\eeb8433e8ea2b93bff79946650ba4c20d18a8b1f5fa357680f6f690d59e9484e.exe"
    PID: 3024
    Signatures: Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        PID: 904
        Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Local\Temp\eeb8433e8ea2b93bff79946650ba4c20d18a8b1f5fa357680f6f690d59e9484e.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\eeb8433e8ea2b93bff79946650ba4c20d18a8b1f5fa357680f6f690d59e9484e.exe"
        PID: 2896

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -nologo -noprofile
            PID: 4188
            Signatures: Command and Scripting Interpreter: PowerShell

        [3] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            PID: 3852

            [4] C:\Windows\system32\netsh.exe
                Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                PID: 2864
                Signatures: Modifies Windows Firewall

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -nologo -noprofile
            PID: 3664
            Signatures: Command and Scripting Interpreter: PowerShell

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -nologo -noprofile
            PID: 1660
            Signatures: Command and Scripting Interpreter: PowerShell

        [3] C:\Windows\rss\csrss.exe
            Command line: C:\Windows\rss\csrss.exe
            PID: 2548

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -nologo -noprofile
                PID: 2140
                Signatures: Command and Scripting Interpreter: PowerShell

            [4] C:\Windows\SYSTEM32\schtasks.exe
                Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                PID: 3164
                Signatures: Creates scheduled task(s)

            [4] C:\Windows\SYSTEM32\schtasks.exe
                Command line: schtasks /delete /tn ScheduledUpdate /f
                PID: 3912

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -nologo -noprofile
                PID: 1100
                Signatures: Command and Scripting Interpreter: PowerShell

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -nologo -noprofile
                PID: 2084
                Signatures: Command and Scripting Interpreter: PowerShell

            [4] C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                PID: 936

            [4] C:\Windows\SYSTEM32\schtasks.exe
                Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                PID: 2488
                Signatures: Creates scheduled task(s)

            [4] C:\Windows\windefender.exe
                Command line: "C:\Windows\windefender.exe"
                PID: 1440

                [5] C:\Windows\SysWOW64\cmd.exe
                    Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                    PID: 4988

                    [6] C:\Windows\SysWOW64\sc.exe
                        Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                        PID: 5044
                        Signatures: Launches sc.exe

[1] C:\Windows\windefender.exe
    Command line: C:\Windows\windefender.exe
    PID: 4328
Network
MITRE ATT&CK Enterprise v15
Downloads