Analysis
-
max time kernel
10s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system -
submitted
09/05/2024, 19:35
Static task
static1
Behavioral task
behavioral1
Sample
f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe
Resource
win10v2004-20240508-en
General
-
Target
f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe
-
Size
4.1MB
-
MD5
f6156b63d313f7247432a693de39daef
-
SHA1
bff890bf23551db49d04af57779630bea35356a9
-
SHA256
f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620
-
SHA512
54c61e755d5661da14ebfef93b9fa61d02f59fb43edc1310cf21c0780479bc54be973836286f0d5104a946e9d511e94162d38e2a5471f0f386b7b7e396e7f759
-
SSDEEP
98304:dwBco1salv4p8AdbboIKOJLJ1nO5Zld79mTpR:dwqoWyv4yANjKQa7or
Malware Config
Signatures
-
Glupteba payload 17 IoCs
resource  yara_rule
behavioral2/memory/3868-2-0x0000000005030000-0x000000000591B000-memory.dmp  family_glupteba
behavioral2/memory/3868-3-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
behavioral2/memory/3868-4-0x0000000000400000-0x0000000002ED5000-memory.dmp  family_glupteba
behavioral2/memory/3868-51-0x0000000000400000-0x0000000002ED5000-memory.dmp  family_glupteba
behavioral2/memory/3868-75-0x0000000005030000-0x000000000591B000-memory.dmp  family_glupteba
behavioral2/memory/2716-73-0x0000000000400000-0x0000000002ED5000-memory.dmp  family_glupteba
behavioral2/memory/2716-124-0x0000000000400000-0x0000000002ED5000-memory.dmp  family_glupteba
behavioral2/memory/3868-128-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
behavioral2/memory/4852-201-0x0000000000400000-0x0000000002ED5000-memory.dmp  family_glupteba
behavioral2/memory/4852-212-0x0000000000400000-0x0000000002ED5000-memory.dmp  family_glupteba
behavioral2/memory/4852-215-0x0000000000400000-0x0000000002ED5000-memory.dmp  family_glupteba
behavioral2/memory/4852-218-0x0000000000400000-0x0000000002ED5000-memory.dmp  family_glupteba
behavioral2/memory/4852-221-0x0000000000400000-0x0000000002ED5000-memory.dmp  family_glupteba
behavioral2/memory/4852-224-0x0000000000400000-0x0000000002ED5000-memory.dmp  family_glupteba
behavioral2/memory/4852-227-0x0000000000400000-0x0000000002ED5000-memory.dmp  family_glupteba
behavioral2/memory/4852-230-0x0000000000400000-0x0000000002ED5000-memory.dmp  family_glupteba
behavioral2/memory/4852-233-0x0000000000400000-0x0000000002ED5000-memory.dmp  family_glupteba
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid  Process
1432  netsh.exe
-
UPX packed file 6 IoCs
resource  yara_rule
behavioral2/memory/2576-206-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
behavioral2/files/0x000200000002aa2d-207.dat  upx
behavioral2/memory/2264-209-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
behavioral2/memory/2576-210-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
behavioral2/memory/2264-213-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
behavioral2/memory/2264-219-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid  Process
1984  sc.exe
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
pid  Process
1796  powershell.exe
4976  powershell.exe
2784  powershell.exe
2076  powershell.exe
5016  powershell.exe
452  powershell.exe
4084  powershell.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
3228  schtasks.exe
2960  schtasks.exe
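Each signature above corresponds to a command line recorded in the process tree of this report: the netsh firewall exception, the elevated logon task, the sc sdset call and a binary named csrss.exe running from C:\Windows\rss. The Python below is an added example, not part of the sandbox report, that turns those behaviours into hunting logic over process-creation records. The EVENTS list is constructed from the report's command lines plus three benign controls; the field names (pid, image, cmd), the TRUSTED_DIRS allow-list, the CORE_SYSTEM_BINARIES set and the rule functions are assumptions of this example and need tuning before use on a real estate.

```python
"""Hunt process-creation telemetry (Sysmon event 1 / Security 4688 style) for the
behaviours this report attributes to the sample. Added example, not part of the
sandbox report; EVENTS is constructed from the report's process tree."""
import re
from pathlib import PureWindowsPath

# Directories from which a new firewall exception, an elevated logon task or a
# core system binary name are routine rather than suspicious (assumed allow-list).
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)
# Names that only ever run from System32/SysWOW64 on a healthy host (assumed set).
CORE_SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "wininit.exe",
                        "services.exe", "lsass.exe", "winlogon.exe"}

EVENTS = [  # constructed from the report's process tree, plus benign controls
    {"pid": 1432, "image": r"C:\Windows\system32\netsh.exe",
     "cmd": r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'},
    {"pid": 3228, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmd": r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'},
    {"pid": 1984, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmd": "sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
            "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"},
    {"pid": 4852, "image": r"C:\Windows\rss\csrss.exe", "cmd": r"C:\Windows\rss\csrss.exe"},
    # benign controls: a vendor installer, a daily updater task, the real csrss.exe
    {"pid": 100, "image": r"C:\Windows\system32\netsh.exe",
     "cmd": r'netsh advfirewall firewall add rule name="Vendor Agent" dir=in action=allow program="C:\Program Files\Vendor\agent.exe" enable=yes'},
    {"pid": 101, "image": r"C:\Windows\system32\schtasks.exe",
     "cmd": r'schtasks /CREATE /SC DAILY /TR "C:\Program Files\Vendor\update.exe" /TN VendorUpdate /F'},
    {"pid": 102, "image": r"C:\Windows\system32\csrss.exe", "cmd": r"%SystemRoot%\system32\csrss.exe"},
]


def norm(path):
    """Lower-case, unquote and normalise separators so prefix checks are reliable."""
    return str(PureWindowsPath(path.strip().strip('"').lower()))


def in_trusted_dir(path):
    p = norm(path)
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


def arg_value(cmd, key_pattern):
    """Value of a `key value` or `key "quoted value"` argument, or None."""
    m = re.search(key_pattern + r'\s*(?:"([^"]*)"|(\S+))', cmd, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def rule_firewall_exception(ev):
    """netsh advfirewall rule whose program= lives outside the trusted directories."""
    if not re.search(r"advfirewall\s+firewall\s+add\s+rule\b", ev["cmd"], re.I):
        return None
    prog = arg_value(ev["cmd"], r"\bprogram=")
    if prog and not in_trusted_dir(prog):
        return f"inbound firewall exception for {prog}"
    return None


def rule_elevated_logon_task(ev):
    """schtasks /create with /RL HIGHEST whose /TR target is outside the trusted directories."""
    cmd = ev["cmd"]
    if not (re.search(r"schtasks(?:\.exe)?\s+/create\b", cmd, re.I)
            and re.search(r"/RL\s+HIGHEST\b", cmd, re.I)):
        return None
    target = arg_value(cmd, r"/TR\s")
    if target and not in_trusted_dir(target):
        return f"highest-privilege task running {target}"
    return None


def rule_service_dacl_denies_admins(ev):
    """sc sdset whose DACL carries a deny ACE for Builtin Administrators (BA)."""
    m = re.search(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)", ev["cmd"], re.I)
    if not m:
        return None
    deny = re.search(r"\(D;[^)]*;BA\)", m.group(2))
    if deny:
        return f"service {m.group(1)} DACL denies Administrators {deny.group(0)}"
    return None


def rule_masquerading_system_binary(ev):
    """A core system binary name started from any directory other than System32/SysWOW64."""
    p = PureWindowsPath(norm(ev["image"]))
    if p.name in CORE_SYSTEM_BINARIES and str(p.parent) not in TRUSTED_DIRS[:2]:
        return f"{p.name} running from {p.parent} instead of System32"
    return None


RULES = (rule_firewall_exception, rule_elevated_logon_task,
         rule_service_dacl_denies_admins, rule_masquerading_system_binary)


def run_rules(events):
    """Return (pid, rule name, reason) for every rule that fires on an event."""
    hits = []
    for ev in events:
        for rule in RULES:
            reason = rule(ev)
            if reason:
                hits.append((ev["pid"], rule.__name__, reason))
    return hits


if __name__ == "__main__":
    for pid, rule, reason in run_rules(EVENTS):
        print(f"pid {pid}: {rule}: {reason}")
```

Run as a script it reports exactly the four malicious events (PIDs 1432, 3228, 1984, 4852) and stays silent on the controls. The path allow-list is the knob that decides the false-positive rate: software that installs under user profile directories will trip the firewall and task rules, so in production those two rules are better scored than alerted on, while a deny ACE for BA in an sc sdset command line has no legitimate reason to appear and can alert on its own.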
Processes
-
1  C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe
   cmd: "C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe"
   PID: 3868
  2  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
     cmd: powershell -nologo -noprofile
     Command and Scripting Interpreter: PowerShell
     PID: 4976
  2  C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe
     cmd: "C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe"
     PID: 2716
    3  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
       cmd: powershell -nologo -noprofile
       Command and Scripting Interpreter: PowerShell
       PID: 2784
    3  C:\Windows\system32\cmd.exe
       cmd: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
       PID: 1772
      4  C:\Windows\system32\netsh.exe
         cmd: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
         Modifies Windows Firewall
         PID: 1432
    3  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
       cmd: powershell -nologo -noprofile
       Command and Scripting Interpreter: PowerShell
       PID: 2076
    3  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
       cmd: powershell -nologo -noprofile
       Command and Scripting Interpreter: PowerShell
       PID: 5016
    3  C:\Windows\rss\csrss.exe
       cmd: C:\Windows\rss\csrss.exe
       PID: 4852
      4  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         cmd: powershell -nologo -noprofile
         Command and Scripting Interpreter: PowerShell
         PID: 452
      4  C:\Windows\SYSTEM32\schtasks.exe
         cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
         Creates scheduled task(s)
         PID: 3228
      4  C:\Windows\SYSTEM32\schtasks.exe
         cmd: schtasks /delete /tn ScheduledUpdate /f
         PID: 1064
      4  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         cmd: powershell -nologo -noprofile
         Command and Scripting Interpreter: PowerShell
         PID: 4084
      4  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         cmd: powershell -nologo -noprofile
         Command and Scripting Interpreter: PowerShell
         PID: 1796
      4  C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
         cmd: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
         PID: 1752
      4  C:\Windows\SYSTEM32\schtasks.exe
         cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
         Creates scheduled task(s)
         PID: 2960
      4  C:\Windows\windefender.exe
         cmd: "C:\Windows\windefender.exe"
         PID: 2576
        5  C:\Windows\SysWOW64\cmd.exe
           cmd: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
           PID: 2872
          6  C:\Windows\SysWOW64\sc.exe
             cmd: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
             Launches sc.exe
             PID: 1984
1  C:\Windows\windefender.exe
   cmd: C:\Windows\windefender.exe
   PID: 2264
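The sc sdset command at the bottom of the tree rewrites the security descriptor of the WinDefender service so that members of Administrators (BA) can no longer stop or pause it. The Python below is an added example, not part of the sandbox report, that parses that SDDL string with the right-letter mapping sc.exe uses for services, walks the DACL the way an access check does, and diffs it against a baseline. SAMPLE_SDDL is copied from the command line above; DEFAULT_SDDL is an assumption (the descriptor sc sdshow typically reports for a newly created service on a clean host) and should be checked against your own build; all function and constant names are this example's own.

```python
"""Decode and evaluate the service security descriptor that the sample applies
with "sc sdset WinDefender ...". Added example, not part of the sandbox report."""
import re
from dataclasses import dataclass

# Two-letter SDDL rights as sc.exe maps them onto service access rights.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "Local System", "BA": "Administrators", "IU": "Interactive users",
            "SU": "Service logon users", "WD": "Everyone"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}

# The descriptor from the report's sc sdset command line.
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
               "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Assumed baseline: what "sc sdshow" typically reports for a newly created
# service on a clean host. Verify against your own build before relying on it.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


@dataclass(frozen=True)
class Ace:
    acl: str            # "D" for the DACL, "S" for the SACL
    kind: str           # A (allow), D (deny) or AU (audit)
    flags: str
    rights: frozenset   # two-letter right codes
    trustee: str        # SID abbreviation


def _chunks(rights):
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def parse_sddl(sddl):
    """ACEs of the DACL and SACL in textual order. Owner/group parts are ignored;
    hex access masks (not used by service descriptors of this shape) are rejected."""
    aces = []
    for acl, body in re.findall(r"([DS]):(?:P|AI|AR)*((?:\([^)]*\))*)", sddl):
        for ace in re.findall(r"\(([^)]*)\)", body):
            fields = ace.split(";")
            if len(fields) != 6:
                raise ValueError(f"malformed ACE ({ace})")
            kind, flags, rights, _object, _inherit, trustee = fields
            if len(rights) % 2 or any(r not in SERVICE_RIGHTS for r in _chunks(rights)):
                raise ValueError(f"unsupported access mask in ({ace})")
            aces.append(Ace(acl, kind, flags, frozenset(_chunks(rights)), trustee))
    return aces


def access_check(aces, token_groups, desired):
    """Simplified DACL walk as the access check performs it: ACEs in order, an
    allow ACE satisfies the rights it grants, a deny ACE fails the request if any
    still-unsatisfied right is in its mask. The sample's deny ACE sits after the
    BA allow ACE (non-canonical order) but still bites, because that allow ACE no
    longer grants WP/DT. Inheritance and object ACEs are ignored."""
    remaining = set(desired)
    for ace in aces:
        if ace.acl != "D" or ace.trustee not in token_groups:
            continue
        if ace.kind == "D" and remaining & ace.rights:
            return False
        if ace.kind == "A":
            remaining -= ace.rights
        if not remaining:
            return True
    return not remaining


def describe(aces):
    """One readable line per ACE."""
    return [f"{ace.acl}ACL {ACE_TYPES.get(ace.kind, ace.kind):5} "
            f"{TRUSTEES.get(ace.trustee, ace.trustee):20} "
            + ", ".join(SERVICE_RIGHTS[r] for r in sorted(ace.rights))
            for ace in aces]


def _mask(aces, kind, trustee):
    return set().union(*(a.rights for a in aces
                         if a.acl == "D" and a.kind == kind and a.trustee == trustee))


def diff_against_default(sddl, default=DEFAULT_SDDL):
    """Rights each trustee lost from its allow ACE, and rights newly denied to it."""
    new, old = parse_sddl(sddl), parse_sddl(default)
    changes = {}
    for who in sorted({a.trustee for a in new + old if a.acl == "D"}):
        removed = _mask(old, "A", who) - _mask(new, "A", who)
        denied = _mask(new, "D", who) - _mask(old, "D", who)
        if removed or denied:
            changes[who] = {"removed": sorted(removed), "denied": sorted(denied)}
    return changes


if __name__ == "__main__":
    for line in describe(parse_sddl(SAMPLE_SDDL)):
        print(line)
    print(diff_against_default(SAMPLE_SDDL))
    print("Administrators may stop:", access_check(parse_sddl(SAMPLE_SDDL), {"BA"}, ["WP"]))
```

Against the assumed baseline the only change is to Administrators: SERVICE_STOP and SERVICE_PAUSE_CONTINUE are both dropped from their allow ACE and explicitly denied, so `sc stop WinDefender` from an elevated prompt fails with access denied. Administrators keep WRITE_DAC and SERVICE_CHANGE_CONFIG, so the descriptor can be reset with another sc sdset (or the service deleted) once the process has been dealt with; that is also why a deny ACE for BA in an sc sdset command line is worth alerting on by itself.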
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize 281KB
MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize 2KB
MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 0d67f63eb26a3839154567e62f35df91
SHA1 ce5d8178483c1c461c2beaea6e3316e78ecca5fe
SHA256 677b0135ba5eee59be5bc001e5889c4ed31a91c43a8821be2c2e239d0fc43924
SHA512 1369914cf96ac809c9d517ec4536bd616808802ceab445455b8ddd9cac2809be9f9f6f12024787b2bd5347ca0c5f7abbc429019519d46405d4c92d685d66c040
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 948e9498a439f54f2df331073fbd0b3c
SHA1 b6b9936be1ab2e1021fa4995f2ab025c2f909bf6
SHA256 530ed7e4cbb93a1b465fde50376c7223c387839a97e83a523c1013fdbb1f0d68
SHA512 908d090e9364b89cadf4cdb913d9ff8b7cf7bf626254e95dcf47ef92ba949e69adb515d1cf3df80737fe58fc6f11041ed4b87683bf0ca7e513456e296374bb7f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 482678c58e537de220a3de8864f7b59a
SHA1 6ec6e9f59b6b4ef89981991caad712b613220e53
SHA256 5cef02036e555b54d023483bab43e3fa49aa0d4d2640aa12a6ed4a9ae1d7950f
SHA512 32b38732fe732020565a144a016c488429ebe0c98a82ff1758fb6c545585fe9bb05e7b56a992eb95cca8e130ba23a7230407b2e88864ec0d7e0840da64cb574e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 a94cb31f73f7766455a82898bf2fcf50
SHA1 fdd384ea3dacb040073e10769837f931882c8ffd
SHA256 3fea4b93919281e21c2cc50de01440fe00c15d4ab1ceaafe1e7debdd98a264ce
SHA512 d47fb82260f93f4899572a13d193aa0df7ca16b07d462a59f10e38f64c2461b09021427b2723d015b8d7e6905a0000ba89f97cc1576f6fc1a7240b1f4093d7fb
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 b74f6da5c12db03c51dfa34d08c2a64f
SHA1 87410f6470fb59195a671199844e4860db849a8d
SHA256 99c93ad09ea3e02dee462d6d983bc606cb2e24767e598b9155ada96ffe5056a0
SHA512 5ad2b8dcef0d25f7095e693b4862fb8cf353cc170a61256823f2a41f39474a04f5f13af30a5aa775f3c180f74dc5b91b6f64999ac54b7b595bc37d4fa95dc703
-
Filesize 4.1MB
MD5 f6156b63d313f7247432a693de39daef
SHA1 bff890bf23551db49d04af57779630bea35356a9
SHA256 f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620
SHA512 54c61e755d5661da14ebfef93b9fa61d02f59fb43edc1310cf21c0780479bc54be973836286f0d5104a946e9d511e94162d38e2a5471f0f386b7b7e396e7f759
-
Filesize 2.0MB
MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec