Analysis

  • max time kernel
    10s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    09/05/2024, 19:35

General

  • Target

    f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe

  • Size

    4.1MB

  • MD5

    f6156b63d313f7247432a693de39daef

  • SHA1

    bff890bf23551db49d04af57779630bea35356a9

  • SHA256

    f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620

  • SHA512

    54c61e755d5661da14ebfef93b9fa61d02f59fb43edc1310cf21c0780479bc54be973836286f0d5104a946e9d511e94162d38e2a5471f0f386b7b7e396e7f759

  • SSDEEP

    98304:dwBco1salv4p8AdbboIKOJLJ1nO5Zld79mTpR:dwqoWyv4yANjKQa7or

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 17 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

Processes

  • C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe
    "C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe"
    1⤵
      PID:3868
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        2⤵
        • Command and Scripting Interpreter: PowerShell
        PID:4976
      • C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe
        "C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe"
        2⤵
          PID:2716
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            3⤵
            • Command and Scripting Interpreter: PowerShell
            PID:2784
          • C:\Windows\system32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            3⤵
              PID:1772
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                4⤵
                • Modifies Windows Firewall
                PID:1432
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:2076
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              3⤵
              • Command and Scripting Interpreter: PowerShell
              PID:5016
            • C:\Windows\rss\csrss.exe
              C:\Windows\rss\csrss.exe
              3⤵
                PID:4852
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -nologo -noprofile
                  4⤵
                  • Command and Scripting Interpreter: PowerShell
                  PID:452
                • C:\Windows\SYSTEM32\schtasks.exe
                  schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                  4⤵
                  • Creates scheduled task(s)
                  PID:3228
                • C:\Windows\SYSTEM32\schtasks.exe
                  schtasks /delete /tn ScheduledUpdate /f
                  4⤵
                    PID:1064
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -nologo -noprofile
                    4⤵
                    • Command and Scripting Interpreter: PowerShell
                    PID:4084
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -nologo -noprofile
                    4⤵
                    • Command and Scripting Interpreter: PowerShell
                    PID:1796
                  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                    4⤵
                      PID:1752
                    • C:\Windows\SYSTEM32\schtasks.exe
                      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                      4⤵
                      • Creates scheduled task(s)
                      PID:2960
                    • C:\Windows\windefender.exe
                      "C:\Windows\windefender.exe"
                      4⤵
                        PID:2576
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                          5⤵
                            PID:2872
                            • C:\Windows\SysWOW64\sc.exe
                              sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                              6⤵
                              • Launches sc.exe
                              PID:1984
  • C:\Windows\windefender.exe
    C:\Windows\windefender.exe
    1⤵
      PID:2264

                    Network


                          Downloads

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n1ij2an2.f5g.ps1

                            Filesize

                            60B

                            MD5

                            d17fe0a3f47be24a6453e9ef58c94641

                            SHA1

                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                            SHA256

                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                            SHA512

                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

                            Filesize

                            281KB

                            MD5

                            d98e33b66343e7c96158444127a117f6

                            SHA1

                            bb716c5509a2bf345c6c1152f6e3e1452d39d50d

                            SHA256

                            5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

                            SHA512

                            705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

                          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

                            Filesize

                            2KB

                            MD5

                            ac4917a885cf6050b1a483e4bc4d2ea5

                            SHA1

                            b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

                            SHA256

                            e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

                            SHA512

                            092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

                          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                            Filesize

                            19KB

                            MD5

                            0d67f63eb26a3839154567e62f35df91

                            SHA1

                            ce5d8178483c1c461c2beaea6e3316e78ecca5fe

                            SHA256

                            677b0135ba5eee59be5bc001e5889c4ed31a91c43a8821be2c2e239d0fc43924

                            SHA512

                            1369914cf96ac809c9d517ec4536bd616808802ceab445455b8ddd9cac2809be9f9f6f12024787b2bd5347ca0c5f7abbc429019519d46405d4c92d685d66c040

                          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                            Filesize

                            19KB

                            MD5

                            948e9498a439f54f2df331073fbd0b3c

                            SHA1

                            b6b9936be1ab2e1021fa4995f2ab025c2f909bf6

                            SHA256

                            530ed7e4cbb93a1b465fde50376c7223c387839a97e83a523c1013fdbb1f0d68

                            SHA512

                            908d090e9364b89cadf4cdb913d9ff8b7cf7bf626254e95dcf47ef92ba949e69adb515d1cf3df80737fe58fc6f11041ed4b87683bf0ca7e513456e296374bb7f

                          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                            Filesize

                            19KB

                            MD5

                            482678c58e537de220a3de8864f7b59a

                            SHA1

                            6ec6e9f59b6b4ef89981991caad712b613220e53

                            SHA256

                            5cef02036e555b54d023483bab43e3fa49aa0d4d2640aa12a6ed4a9ae1d7950f

                            SHA512

                            32b38732fe732020565a144a016c488429ebe0c98a82ff1758fb6c545585fe9bb05e7b56a992eb95cca8e130ba23a7230407b2e88864ec0d7e0840da64cb574e

                          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                            Filesize

                            19KB

                            MD5

                            a94cb31f73f7766455a82898bf2fcf50

                            SHA1

                            fdd384ea3dacb040073e10769837f931882c8ffd

                            SHA256

                            3fea4b93919281e21c2cc50de01440fe00c15d4ab1ceaafe1e7debdd98a264ce

                            SHA512

                            d47fb82260f93f4899572a13d193aa0df7ca16b07d462a59f10e38f64c2461b09021427b2723d015b8d7e6905a0000ba89f97cc1576f6fc1a7240b1f4093d7fb

                          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                            Filesize

                            19KB

                            MD5

                            b74f6da5c12db03c51dfa34d08c2a64f

                            SHA1

                            87410f6470fb59195a671199844e4860db849a8d

                            SHA256

                            99c93ad09ea3e02dee462d6d983bc606cb2e24767e598b9155ada96ffe5056a0

                            SHA512

                            5ad2b8dcef0d25f7095e693b4862fb8cf353cc170a61256823f2a41f39474a04f5f13af30a5aa775f3c180f74dc5b91b6f64999ac54b7b595bc37d4fa95dc703

                          • C:\Windows\rss\csrss.exe

                            Filesize

                            4.1MB

                            MD5

                            f6156b63d313f7247432a693de39daef

                            SHA1

                            bff890bf23551db49d04af57779630bea35356a9

                            SHA256

                            f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620

                            SHA512

                            54c61e755d5661da14ebfef93b9fa61d02f59fb43edc1310cf21c0780479bc54be973836286f0d5104a946e9d511e94162d38e2a5471f0f386b7b7e396e7f759

                          • C:\Windows\windefender.exe

                            Filesize

                            2.0MB

                            MD5

                            8e67f58837092385dcf01e8a2b4f5783

                            SHA1

                            012c49cfd8c5d06795a6f67ea2baf2a082cf8625

                            SHA256

                            166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

                            SHA512

                            40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
