Analysis
-
max time kernel
149s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
11-05-2024 08:56
General
-
Target
fbd77d36c7d320b073f57d0d68ebcb0b8b364d16c15e6d000ad2af6a93d0e235.exe
-
Size
4.1MB
-
MD5
a26e41302d8ead6781666b8f579b8877
-
SHA1
4b8fe1eb5bdc0b5fa79ddde8883aff2047d24788
-
SHA256
fbd77d36c7d320b073f57d0d68ebcb0b8b364d16c15e6d000ad2af6a93d0e235
-
SHA512
303d504e7297e15dc71814bf95e1b20dbde9b985d6f4c93a9b444030db6a054d437b9c53c7718fdac4ab22c0c719d8acbf93a56fdcd5637fa7b8158508d50cc6
-
SSDEEP
98304:4ErTbmYqgZ1XudKeC70JrifsEkbyxLCxltfr4Ppsv6xaCIZ:bD1Z1UwAUfrk2xOxPr4PpsvyaCIZ
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 19 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Using powershell.exe command.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fbd77d36c7d320b073f57d0d68ebcb0b8b364d16c15e6d000ad2af6a93d0e235.exe"C:\Users\Admin\AppData\Local\Temp\fbd77d36c7d320b073f57d0d68ebcb0b8b364d16c15e6d000ad2af6a93d0e235.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\fbd77d36c7d320b073f57d0d68ebcb0b8b364d16c15e6d000ad2af6a93d0e235.exe"C:\Users\Admin\AppData\Local\Temp\fbd77d36c7d320b073f57d0d68ebcb0b8b364d16c15e6d000ad2af6a93d0e235.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_idfbnv1x.1kj.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5dc9e77a3446695d5df28a0fb85d379a0
SHA1bc16b4acb80da081e2bf78648354203f1138bafb
SHA25675a2ff879b3b573234d7b5b47fa4e571092b5777c1e72b07ee73eb2202303820
SHA51200e5b823ac3f6ff6613b7124cd5f0607fc2f82ccae06fb16832d56d361fa923d1a4386af0caf6b093adde801a0611f6a16466948f38a253dafc9dfec2a125379
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5bc4ba70fd98282c839cf4e32c9443768
SHA12017723b9bac8969fe9764d18d340ab7bb13decb
SHA256de8f273bf47ce63a3f1677046c8f227d103d9c93e79f29bdd35805cde4d7c0d9
SHA51296a9c21dc2571d1f801d765b41025e5af56428a68e645a436830970b0232d8163a460dc4bb778a68f37d709253e4ee6136a2101281118fb96c64e51349b97757
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5d617b557f9d2f30e4ae67592f4910520
SHA1a8ccea100552807966feb25d8b63d473d55f516b
SHA256f526c67d2424620ffd1b3e48ab48fa764aa8cd46007075941061d3c10216c137
SHA51221962b236c8dd867ea26113b688eaf64e5fb02c61a06f7c5729d48b6facbd7ebe33a256021f3526b727077e21cea72a2a1ca80f30cca95af6d7008c4871249b9
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD50b147df6d65d9807c109f457d09dc3c9
SHA12259240dbb12fb53bbca176399bf2ca734e2b482
SHA256adcf853208381a7b2fda7b047580bd6df3040c68168ac791531ec90e244aec1a
SHA5124d52e85119f59d8e78fe8ef78ad1b8450c4bbcbda5ed904428abd963276c47860f049e9c61b504fe5e2de336e2f99b3cf39c3f4024dec3a341b1af450a44ab27
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD518a4d8d66cb86fef7ac63867c973416a
SHA1108970c2298f11d2b5fad4903a8bb960505a1903
SHA256a5101842fa7e159fe0bfe4057a85a222f8ac9337005a93c4fae5d9826a514efd
SHA512b1b4816efaa883cf3b40b698291bcfe1aca67596b6d17444a6bc87d6c6540fd4b90a4cb9944a854142c34efc79a3db3efc9369ae9f5f5179c8743a5cc29e1070
-
C:\Windows\rss\csrss.exeFilesize
4.1MB
MD5a26e41302d8ead6781666b8f579b8877
SHA14b8fe1eb5bdc0b5fa79ddde8883aff2047d24788
SHA256fbd77d36c7d320b073f57d0d68ebcb0b8b364d16c15e6d000ad2af6a93d0e235
SHA512303d504e7297e15dc71814bf95e1b20dbde9b985d6f4c93a9b444030db6a054d437b9c53c7718fdac4ab22c0c719d8acbf93a56fdcd5637fa7b8158508d50cc6
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/1056-109-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/1056-138-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/1468-123-0x0000000070D50000-0x00000000710A4000-memory.dmpFilesize
3.3MB
-
memory/1468-122-0x00000000705D0000-0x000000007061C000-memory.dmpFilesize
304KB
-
memory/1468-116-0x0000000005420000-0x0000000005774000-memory.dmpFilesize
3.3MB
-
memory/1716-201-0x0000000070C80000-0x0000000070FD4000-memory.dmpFilesize
3.3MB
-
memory/1716-200-0x00000000704F0000-0x000000007053C000-memory.dmpFilesize
304KB
-
memory/1812-98-0x00000000705D0000-0x000000007061C000-memory.dmpFilesize
304KB
-
memory/1812-99-0x0000000071340000-0x0000000071694000-memory.dmpFilesize
3.3MB
-
memory/1812-92-0x0000000005500000-0x0000000005854000-memory.dmpFilesize
3.3MB
-
memory/2024-70-0x00000000705D0000-0x000000007061C000-memory.dmpFilesize
304KB
-
memory/2024-83-0x0000000007640000-0x0000000007654000-memory.dmpFilesize
80KB
-
memory/2024-82-0x00000000075C0000-0x00000000075D1000-memory.dmpFilesize
68KB
-
memory/2024-81-0x00000000072A0000-0x0000000007343000-memory.dmpFilesize
652KB
-
memory/2024-71-0x0000000070750000-0x0000000070AA4000-memory.dmpFilesize
3.3MB
-
memory/2304-151-0x00000000705D0000-0x000000007061C000-memory.dmpFilesize
304KB
-
memory/2304-152-0x0000000070D50000-0x00000000710A4000-memory.dmpFilesize
3.3MB
-
memory/2388-42-0x00000000072F0000-0x000000000730E000-memory.dmpFilesize
120KB
-
memory/2388-9-0x0000000004E80000-0x0000000004EA2000-memory.dmpFilesize
136KB
-
memory/2388-47-0x00000000074C0000-0x0000000007556000-memory.dmpFilesize
600KB
-
memory/2388-48-0x0000000007420000-0x0000000007431000-memory.dmpFilesize
68KB
-
memory/2388-49-0x0000000074730000-0x0000000074EE0000-memory.dmpFilesize
7.7MB
-
memory/2388-50-0x0000000007480000-0x000000000748E000-memory.dmpFilesize
56KB
-
memory/2388-51-0x0000000007490000-0x00000000074A4000-memory.dmpFilesize
80KB
-
memory/2388-52-0x0000000007580000-0x000000000759A000-memory.dmpFilesize
104KB
-
memory/2388-53-0x0000000007570000-0x0000000007578000-memory.dmpFilesize
32KB
-
memory/2388-56-0x0000000074730000-0x0000000074EE0000-memory.dmpFilesize
7.7MB
-
memory/2388-4-0x000000007473E000-0x000000007473F000-memory.dmpFilesize
4KB
-
memory/2388-5-0x0000000002410000-0x0000000002446000-memory.dmpFilesize
216KB
-
memory/2388-6-0x0000000004FC0000-0x00000000055E8000-memory.dmpFilesize
6.2MB
-
memory/2388-45-0x0000000007400000-0x000000000740A000-memory.dmpFilesize
40KB
-
memory/2388-44-0x0000000074730000-0x0000000074EE0000-memory.dmpFilesize
7.7MB
-
memory/2388-41-0x0000000074730000-0x0000000074EE0000-memory.dmpFilesize
7.7MB
-
memory/2388-43-0x0000000007310000-0x00000000073B3000-memory.dmpFilesize
652KB
-
memory/2388-7-0x0000000074730000-0x0000000074EE0000-memory.dmpFilesize
7.7MB
-
memory/2388-8-0x0000000074730000-0x0000000074EE0000-memory.dmpFilesize
7.7MB
-
memory/2388-29-0x00000000072B0000-0x00000000072E2000-memory.dmpFilesize
200KB
-
memory/2388-31-0x0000000070750000-0x0000000070AA4000-memory.dmpFilesize
3.3MB
-
memory/2388-30-0x00000000705D0000-0x000000007061C000-memory.dmpFilesize
304KB
-
memory/2388-27-0x00000000070F0000-0x000000000710A000-memory.dmpFilesize
104KB
-
memory/2388-26-0x0000000007770000-0x0000000007DEA000-memory.dmpFilesize
6.5MB
-
memory/2388-25-0x0000000007070000-0x00000000070E6000-memory.dmpFilesize
472KB
-
memory/2388-24-0x00000000062A0000-0x00000000062E4000-memory.dmpFilesize
272KB
-
memory/2388-23-0x0000000005D80000-0x0000000005DCC000-memory.dmpFilesize
304KB
-
memory/2388-22-0x0000000005D30000-0x0000000005D4E000-memory.dmpFilesize
120KB
-
memory/2388-21-0x0000000005840000-0x0000000005B94000-memory.dmpFilesize
3.3MB
-
memory/2388-11-0x00000000056D0000-0x0000000005736000-memory.dmpFilesize
408KB
-
memory/2388-10-0x0000000005660000-0x00000000056C6000-memory.dmpFilesize
408KB
-
memory/3124-186-0x0000000007AB0000-0x0000000007B53000-memory.dmpFilesize
652KB
-
memory/3124-188-0x0000000006630000-0x0000000006644000-memory.dmpFilesize
80KB
-
memory/3124-164-0x00000000061A0000-0x00000000064F4000-memory.dmpFilesize
3.3MB
-
memory/3124-187-0x0000000007DE0000-0x0000000007DF1000-memory.dmpFilesize
68KB
-
memory/3124-174-0x0000000006890000-0x00000000068DC000-memory.dmpFilesize
304KB
-
memory/3124-175-0x00000000704F0000-0x000000007053C000-memory.dmpFilesize
304KB
-
memory/3124-176-0x0000000070C80000-0x0000000070FD4000-memory.dmpFilesize
3.3MB
-
memory/4072-231-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/4072-226-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/4072-255-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/4072-252-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/4072-249-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/4072-246-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/4072-212-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/4072-243-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/4072-240-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/4072-237-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/4072-234-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/4648-238-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4648-232-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4648-227-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4704-229-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4704-223-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4732-46-0x0000000004610000-0x0000000004A0C000-memory.dmpFilesize
4.0MB
-
memory/4732-28-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/4732-2-0x0000000004A10000-0x00000000052FB000-memory.dmpFilesize
8.9MB
-
memory/4732-3-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/4732-57-0x0000000004A10000-0x00000000052FB000-memory.dmpFilesize
8.9MB
-
memory/4732-69-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/4732-68-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/4732-1-0x0000000004610000-0x0000000004A0C000-memory.dmpFilesize
4.0MB