Analysis
-
max time kernel
149s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
11-05-2024 11:23
General
-
Target
e6a6f2c2fddf04f4f79143eadb51336b019fe5bfb09c6c10c3fd2a3853eebf90.exe
-
Size
4.1MB
-
MD5
6822a5c9b2fbd0f5a190c9253334b19f
-
SHA1
47692b591f478a46e24bc65f16f7825856ed8279
-
SHA256
e6a6f2c2fddf04f4f79143eadb51336b019fe5bfb09c6c10c3fd2a3853eebf90
-
SHA512
c17bdeb658d0431bf374e751921e6d6bd517f534f198488d5893eaee707164d9b48e947ffc692e654f49a00c6bcd9b48029054854a4be1b8684d5b98e14255a9
-
SSDEEP
98304:9aldxVYbeltggr6p7qKtgoJu9O6Qxc6qPeInuZKahKn+3QI:Sxq6ggrt/os9O/WxuFhK+AI
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 18 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Using powershell.exe command.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6a6f2c2fddf04f4f79143eadb51336b019fe5bfb09c6c10c3fd2a3853eebf90.exe"C:\Users\Admin\AppData\Local\Temp\e6a6f2c2fddf04f4f79143eadb51336b019fe5bfb09c6c10c3fd2a3853eebf90.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\e6a6f2c2fddf04f4f79143eadb51336b019fe5bfb09c6c10c3fd2a3853eebf90.exe"C:\Users\Admin\AppData\Local\Temp\e6a6f2c2fddf04f4f79143eadb51336b019fe5bfb09c6c10c3fd2a3853eebf90.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_00bkysmt.2rf.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD58c02260cb04fd6afe6cc0afd31a354ca
SHA155ba0077e4cdb103b3f3573be625c7bbeac9d18b
SHA2563aa5816c4ef6665e8d9ce7db85c6faf983bb42291a8d983b39e01e2925bedd71
SHA512a87c14f4b8a9550d5c28852c0d0d8fcd8681a631174bd374cb811c134712a937fac75f80474eff21520e7443872b0abd1e0434ff4712ba02efc3c2cbfd9f78ae
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5f49a826b3f22945c3014a210a1c79b4c
SHA1d4c032a7a6c72f3149a2c8772213f3c5c3123c3f
SHA25662ee9abc9c42594526e324cdb158c6b6eaa941d277bc56d29415a3948e1b878c
SHA512f0973565291973bbc53862e444c46aa01ff9500535155fd8067fcd6d217e3dffde4e7d107a7e6292afce41721d2df8bcfb41ca5e66e3d98f8fe228ea2af3d89a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5de275e7cf3ba9cfeeaa7ffeb4b094f37
SHA18741fb60f894af69757b136bf98228173de58266
SHA2563c01c9b4bf1c84d713367fd426fbafd32e79c6be9955f6ad2354b06ccc62f1be
SHA512437a5e8625220b528cfbe5ccb44525eb5f4df5a4aca2f441d840cff29919d4256c7f221fdfc02cbc8ff7716d8ae6057f837197ac109273a256f047dcb0ae6436
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD513304cf381963b1bda6f35d9a8c6059e
SHA18e74b4907cd624e1fc28221ebcfb44795a244459
SHA25688420d52dbc9dabe7cabceadee7ac94d1e98680548da02dc401c4c61bc616100
SHA5125c7ec19e35a8a4346ecbc840f135c0759a6a886328f6d769c88ac99cf3a21903bbf1cd193020ef0a4ee61d7874359cca848492e3b1560dd544d19035d80b13ba
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD56b140a0334dfa6b9ae72f420fd5289a0
SHA16c1420ba77b89a545e6b5f4537187b9e2abe5713
SHA2566fbf746408f276bbca87495ade33ff8a55ea20d2fcb2e870cfe588f27823c374
SHA512e7cc43be5ca47ab522ae3647e597cdfaea29e3b18dde0ac0314a14ce28db98205fe01f8dd68c78574765c131bd1d48945d8111bf2c80c49d0ad0827905b44ad5
-
C:\Windows\rss\csrss.exeFilesize
4.1MB
MD56822a5c9b2fbd0f5a190c9253334b19f
SHA147692b591f478a46e24bc65f16f7825856ed8279
SHA256e6a6f2c2fddf04f4f79143eadb51336b019fe5bfb09c6c10c3fd2a3853eebf90
SHA512c17bdeb658d0431bf374e751921e6d6bd517f534f198488d5893eaee707164d9b48e947ffc692e654f49a00c6bcd9b48029054854a4be1b8684d5b98e14255a9
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/448-193-0x0000000070820000-0x000000007086C000-memory.dmpFilesize
304KB
-
memory/448-194-0x00000000709A0000-0x0000000070CF4000-memory.dmpFilesize
3.3MB
-
memory/2304-235-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2304-227-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2468-223-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2468-219-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2668-238-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/2668-254-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/2668-226-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/2668-230-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/2668-234-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/2668-206-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/2668-218-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/2668-242-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/2668-246-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/2668-258-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/2668-250-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/2668-262-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/2852-3-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2852-2-0x0000000004990000-0x000000000527B000-memory.dmpFilesize
8.9MB
-
memory/2852-50-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/2852-102-0x0000000004990000-0x000000000527B000-memory.dmpFilesize
8.9MB
-
memory/2852-62-0x0000000004580000-0x0000000004985000-memory.dmpFilesize
4.0MB
-
memory/2852-132-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2852-1-0x0000000004580000-0x0000000004985000-memory.dmpFilesize
4.0MB
-
memory/2860-90-0x0000000070900000-0x000000007094C000-memory.dmpFilesize
304KB
-
memory/2860-91-0x0000000070A80000-0x0000000070DD4000-memory.dmpFilesize
3.3MB
-
memory/2876-144-0x0000000070900000-0x000000007094C000-memory.dmpFilesize
304KB
-
memory/2876-145-0x0000000070A80000-0x0000000070DD4000-memory.dmpFilesize
3.3MB
-
memory/2900-131-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/3260-180-0x0000000005A70000-0x0000000005A81000-memory.dmpFilesize
68KB
-
memory/3260-165-0x0000000005AF0000-0x0000000005E44000-memory.dmpFilesize
3.3MB
-
memory/3260-181-0x0000000005E50000-0x0000000005E64000-memory.dmpFilesize
80KB
-
memory/3260-179-0x0000000007250000-0x00000000072F3000-memory.dmpFilesize
652KB
-
memory/3260-169-0x00000000709A0000-0x0000000070CF4000-memory.dmpFilesize
3.3MB
-
memory/3260-168-0x0000000070820000-0x000000007086C000-memory.dmpFilesize
304KB
-
memory/3260-167-0x0000000006080000-0x00000000060CC000-memory.dmpFilesize
304KB
-
memory/3304-75-0x0000000007CD0000-0x0000000007CE1000-memory.dmpFilesize
68KB
-
memory/3304-76-0x0000000007D20000-0x0000000007D34000-memory.dmpFilesize
80KB
-
memory/3304-74-0x00000000077A0000-0x0000000007843000-memory.dmpFilesize
652KB
-
memory/3304-64-0x0000000070A80000-0x0000000070DD4000-memory.dmpFilesize
3.3MB
-
memory/3304-63-0x0000000070900000-0x000000007094C000-memory.dmpFilesize
304KB
-
memory/3304-61-0x00000000063B0000-0x0000000006704000-memory.dmpFilesize
3.3MB
-
memory/4600-42-0x0000000007A80000-0x0000000007A91000-memory.dmpFilesize
68KB
-
memory/4600-19-0x0000000005D70000-0x00000000060C4000-memory.dmpFilesize
3.3MB
-
memory/4600-45-0x0000000007BC0000-0x0000000007BDA000-memory.dmpFilesize
104KB
-
memory/4600-46-0x0000000007B10000-0x0000000007B18000-memory.dmpFilesize
32KB
-
memory/4600-49-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/4600-4-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/4600-43-0x0000000007AC0000-0x0000000007ACE000-memory.dmpFilesize
56KB
-
memory/4600-5-0x0000000002D20000-0x0000000002D56000-memory.dmpFilesize
216KB
-
memory/4600-6-0x0000000005660000-0x0000000005C88000-memory.dmpFilesize
6.2MB
-
memory/4600-41-0x0000000007B20000-0x0000000007BB6000-memory.dmpFilesize
600KB
-
memory/4600-40-0x0000000007A60000-0x0000000007A6A000-memory.dmpFilesize
40KB
-
memory/4600-39-0x0000000007970000-0x0000000007A13000-memory.dmpFilesize
652KB
-
memory/4600-38-0x0000000007950000-0x000000000796E000-memory.dmpFilesize
120KB
-
memory/4600-28-0x0000000070AB0000-0x0000000070E04000-memory.dmpFilesize
3.3MB
-
memory/4600-27-0x0000000070900000-0x000000007094C000-memory.dmpFilesize
304KB
-
memory/4600-26-0x0000000007910000-0x0000000007942000-memory.dmpFilesize
200KB
-
memory/4600-25-0x0000000007750000-0x000000000776A000-memory.dmpFilesize
104KB
-
memory/4600-24-0x0000000007DB0000-0x000000000842A000-memory.dmpFilesize
6.5MB
-
memory/4600-23-0x00000000076B0000-0x0000000007726000-memory.dmpFilesize
472KB
-
memory/4600-22-0x00000000074A0000-0x00000000074E4000-memory.dmpFilesize
272KB
-
memory/4600-21-0x00000000063C0000-0x000000000640C000-memory.dmpFilesize
304KB
-
memory/4600-20-0x0000000006380000-0x000000000639E000-memory.dmpFilesize
120KB
-
memory/4600-44-0x0000000007AD0000-0x0000000007AE4000-memory.dmpFilesize
80KB
-
memory/4600-9-0x0000000005D00000-0x0000000005D66000-memory.dmpFilesize
408KB
-
memory/4600-8-0x0000000005C90000-0x0000000005CF6000-memory.dmpFilesize
408KB
-
memory/4600-7-0x0000000005460000-0x0000000005482000-memory.dmpFilesize
136KB
-
memory/4732-103-0x0000000006310000-0x0000000006664000-memory.dmpFilesize
3.3MB
-
memory/4732-114-0x0000000070900000-0x000000007094C000-memory.dmpFilesize
304KB
-
memory/4732-115-0x0000000071080000-0x00000000713D4000-memory.dmpFilesize
3.3MB