Analysis

  • max time kernel
    148s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/05/2024, 19:28

General

  • Target
    44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe
  • Size
    4.1MB
  • MD5
    efe81e338f7ac4d981457b0ee8e23851
  • SHA1
    d485c50537711e84d05c5a9523a414a4f6860873
  • SHA256
    44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a
  • SHA512
    4a55eb64f5cb8ddc0ec002236011403e6df865a6fa1b4db2f6a809b11c8bb2aa9d6a37ee767009683e217253a47f7b0ef3226e91961804c63cd54a24c7c44259
  • SSDEEP
    98304:VwBco1salv4p8AdbboIKOJLJ1nO5Zld79mTpi:VwqoWyv4yANjKQa7oE

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 12 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Uses the powershell.exe command interpreter.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe
    "C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4068
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4076
    • C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe
      "C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:716
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4976
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3672
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:4772
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4868
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1128
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4844
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2368
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:2864
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
          PID:3856
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Command and Scripting Interpreter: PowerShell
          PID:3140
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
      1⤵
      PID:1924

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rzir1j2x.t0m.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: 3d086a433708053f9bf9523e1d87a4e8
    SHA1: b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
    SHA256: 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
    SHA512: 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize: 19KB
    MD5: a940a8b94856dc02e5b1b799a0bff7ab
    SHA1: cb9b2a3c0603d128a11e5208ea024e71912c2bec
    SHA256: 381482a854430a21cb7792979a125f209f10110946b2a5dc857a15163517fc45
    SHA512: 97bd315d18c2d0d2140d8de0952c02d25479e2fe847ad38df97f35788a76588f49fd7b36a42888bdb56cab02c6423ca931918b5063cb3f78d9557608c64dc827

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize: 19KB
    MD5: f5b1c71050a4e21f95dbb13fc318f147
    SHA1: 93fa7e24890bbfd14110d5bc719dddbe723904c1
    SHA256: 9ecbfe0dc379a548617de341cd75152ed9f58ed6006ab438f33a3c681d0ebaae
    SHA512: 11e9481f5392fcfb60cedc4c956c8ea9e64263c48933fc0b52cbd1d488e3fa9f348b164562c13a96fae38f112554aa55cca405fa93ec21f95b77449b3285e7a3

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize: 19KB
    MD5: 514a5123f245939d0899bf042fec86f8
    SHA1: 2198b220fa20b44a8f0ab3686c590d255c741f0e
    SHA256: 32a3ee1a910d1c9302cbec21be0b4c2e9da97712c334295da56a6dfe24d719b0
    SHA512: 7708d904465271edbb136c223540b5fee28c07bca24875d54822afa05a2b3f20b9dcdded323e219d9acc4ce01d47cb879920fc6430cebc4b10f5faf6580871b4

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize: 19KB
    MD5: 962ab2cf5b2a42fa9f9806c6738bcd53
    SHA1: 5a86bab41913f2bcac60d0d5b781eadf3df2e755
    SHA256: fafe29316923a6fc8d43b48bb0cd79310d4aa1d3274ae1dab7463bef2c7533e6
    SHA512: 844141c5257d4ef043d13d0c030209a72767f66f06490b1d328106fc793ee46fd8d41eaf4565a70ebabc45222ebe846986e0963a1f109c33cbcdf8a73db01b70

  • C:\Windows\rss\csrss.exe
    Filesize: 4.1MB
    MD5: efe81e338f7ac4d981457b0ee8e23851
    SHA1: d485c50537711e84d05c5a9523a414a4f6860873
    SHA256: 44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a
    SHA512: 4a55eb64f5cb8ddc0ec002236011403e6df865a6fa1b4db2f6a809b11c8bb2aa9d6a37ee767009683e217253a47f7b0ef3226e91961804c63cd54a24c7c44259
