Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    16-05-2024 15:23

General

  • Target

    b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe

  • Size

    4.1MB

  • MD5

    3aafa11f14ab92b3d3e98784f1adbbc1

  • SHA1

    c1015ea32b75c59f6323c46055d3ef0bbaa80f85

  • SHA256

    b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd

  • SHA512

    13a886db858101fb79fcfacc00b6ce449607b5906ab63d369e5508710d52e6e52f259a825d7a32f47af52834c3df4adde0b02b965f73e22b5ec90621f1ea947d

  • SSDEEP

    98304:QvzBhIm6zIE7SIO2RhCG9zRnSMmyRgCXxFQG9c6:mzBhDcIv8bCGbNmyXXxFQGy6

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 18 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Manipulates WinMonFS driver. 1 IoCs

    Rootkits write to WinMonFS to hide directories/files from being detected.

  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Uses the powershell.exe command.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe
    "C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4012
    • C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe
      "C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1980
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3768
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1436
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:3308
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1324
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2520
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3612
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4708
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:1736
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
          PID:3048
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3356
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4624
        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1704
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:4992

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xfn2aiyn.f25.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      ac4917a885cf6050b1a483e4bc4d2ea5

      SHA1

      b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

      SHA256

      e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

      SHA512

      092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

      Filesize

      19KB

      MD5

      89493c68fa55892dfa14c39eeaa2a7e9

      SHA1

      42339b53d48604e53918be08b342e59814c56b09

      SHA256

      6ce2914315c3886fdec941b62535c9dacc6f29a7f849320f04905b0360fe5ddb

      SHA512

      a15df474e397c90fe55e7df31600a596da55c35aa4fc054a900ac2e519cef8e02eaf8d775409bd5b0236cebd5875a027dc93c4ff24635675bb722060e138a771

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

      Filesize

      19KB

      MD5

      46501c2c8e284869707aafcf09b7d371

      SHA1

      f1c9733def16d99a1b68b791be0f70e84c8c91be

      SHA256

      df5b7baac8c9800bb1f1a64829e0d2a89a17a38471c594e8d45aea4820972e93

      SHA512

      4a2ae56c57011e00325335d23a9fe981733e11e35290125b72cda31858ced52e5109049436d2f8b3cd7bd5a735b72c4918193c9f986881442624f8960a119451

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

      Filesize

      19KB

      MD5

      a4b6fd6885fd2d6d40bcb4834853c813

      SHA1

      4d16633697bb2afda1bf556e3c94a8f1f6589b64

      SHA256

      90512d26553d02588d5e8cdb7fc37d0cb9c050618f68c3ca3b0753065ac78717

      SHA512

      62b9c59f6bc523c5783f0faf7a01136576b645a63e40324e63398b6a3ef6fa42e68e6bf14f81b45f7449d565a25d9b0523a63c948f1eedd712b813c06fbeb6da

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

      Filesize

      19KB

      MD5

      b7f3c3f0e067c4b71730d940e1a6880f

      SHA1

      07bdd0ff997e8bde0720e47b0ac275eaf897e327

      SHA256

      b93affaa83d0dc2ccb5e7f047459e6cf02dc78aaa0ea7e0056711eaa540f3faa

      SHA512

      72d2deb1b6204dd27cf757e9446c9f3f0fc26013b3edfc8041b127a786d3ee7d5ede209863a799794976ab30193eb353133c4af24d6fcb0e48b50fd5e0dc8c18

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

      Filesize

      19KB

      MD5

      1501febe01a0f2549de7e07b76eaf6bc

      SHA1

      7d4b755bb00b79c6ab3fc0b57aceb3396264b799

      SHA256

      048ba7f985cd76530d069a0b9b115eb3a1086a2dc3f0a3be581a620bb4ffed4b

      SHA512

      a15d369b0da33547e96c4dcd3f8356f485dfbdde724d35bb5213077c3695edddcbee92b5634fedcf94aec52c7722286b15f3a484ed5a83dc202cd1e9b5b0f295

    • C:\Windows\rss\csrss.exe

      Filesize

      4.1MB

      MD5

      3aafa11f14ab92b3d3e98784f1adbbc1

      SHA1

      c1015ea32b75c59f6323c46055d3ef0bbaa80f85

      SHA256

      b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd

      SHA512

      13a886db858101fb79fcfacc00b6ce449607b5906ab63d369e5508710d52e6e52f259a825d7a32f47af52834c3df4adde0b02b965f73e22b5ec90621f1ea947d

    • memory/1324-89-0x0000000070790000-0x00000000707DC000-memory.dmp

      Filesize

      304KB

    • memory/1324-90-0x0000000070910000-0x0000000070C67000-memory.dmp

      Filesize

      3.3MB

    • memory/1980-123-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/1980-52-0x0000000002A40000-0x0000000002E3E000-memory.dmp

      Filesize

      4.0MB

    • memory/2520-110-0x0000000070910000-0x0000000070C67000-memory.dmp

      Filesize

      3.3MB

    • memory/2520-109-0x0000000070790000-0x00000000707DC000-memory.dmp

      Filesize

      304KB

    • memory/2976-1-0x0000000002A50000-0x0000000002E56000-memory.dmp

      Filesize

      4.0MB

    • memory/2976-88-0x0000000002E60000-0x000000000374B000-memory.dmp

      Filesize

      8.9MB

    • memory/2976-86-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/2976-87-0x0000000002A50000-0x0000000002E56000-memory.dmp

      Filesize

      4.0MB

    • memory/2976-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/2976-2-0x0000000002E60000-0x000000000374B000-memory.dmp

      Filesize

      8.9MB

    • memory/3356-168-0x0000000007C00000-0x0000000007C11000-memory.dmp

      Filesize

      68KB

    • memory/3356-154-0x0000000006190000-0x00000000064E7000-memory.dmp

      Filesize

      3.3MB

    • memory/3356-156-0x0000000006B70000-0x0000000006BBC000-memory.dmp

      Filesize

      304KB

    • memory/3356-157-0x00000000706B0000-0x00000000706FC000-memory.dmp

      Filesize

      304KB

    • memory/3356-158-0x0000000070830000-0x0000000070B87000-memory.dmp

      Filesize

      3.3MB

    • memory/3356-167-0x00000000078C0000-0x0000000007964000-memory.dmp

      Filesize

      656KB

    • memory/3356-169-0x00000000060D0000-0x00000000060E5000-memory.dmp

      Filesize

      84KB

    • memory/3612-197-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/3612-214-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/3612-208-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/3612-206-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/3612-204-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/3612-202-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/3612-222-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/3612-220-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/3612-218-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/3612-216-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/3612-210-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/3612-200-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/3612-212-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/3768-73-0x00000000071A0000-0x00000000071B5000-memory.dmp

      Filesize

      84KB

    • memory/3768-72-0x0000000007150000-0x0000000007161000-memory.dmp

      Filesize

      68KB

    • memory/3768-71-0x0000000006DF0000-0x0000000006E94000-memory.dmp

      Filesize

      656KB

    • memory/3768-62-0x0000000070910000-0x0000000070C67000-memory.dmp

      Filesize

      3.3MB

    • memory/3768-61-0x0000000070790000-0x00000000707DC000-memory.dmp

      Filesize

      304KB

    • memory/4012-9-0x0000000004F10000-0x0000000004F32000-memory.dmp

      Filesize

      136KB

    • memory/4012-5-0x00000000027F0000-0x0000000002826000-memory.dmp

      Filesize

      216KB

    • memory/4012-11-0x0000000005780000-0x00000000057E6000-memory.dmp

      Filesize

      408KB

    • memory/4012-10-0x0000000005710000-0x0000000005776000-memory.dmp

      Filesize

      408KB

    • memory/4012-38-0x0000000074520000-0x0000000074CD1000-memory.dmp

      Filesize

      7.7MB

    • memory/4012-8-0x0000000074520000-0x0000000074CD1000-memory.dmp

      Filesize

      7.7MB

    • memory/4012-40-0x0000000007280000-0x000000000729A000-memory.dmp

      Filesize

      104KB

    • memory/4012-39-0x00000000078C0000-0x0000000007F3A000-memory.dmp

      Filesize

      6.5MB

    • memory/4012-21-0x0000000005CB0000-0x0000000005CCE000-memory.dmp

      Filesize

      120KB

    • memory/4012-7-0x0000000074520000-0x0000000074CD1000-memory.dmp

      Filesize

      7.7MB

    • memory/4012-22-0x0000000005CF0000-0x0000000005D3C000-memory.dmp

      Filesize

      304KB

    • memory/4012-23-0x0000000006240000-0x0000000006286000-memory.dmp

      Filesize

      280KB

    • memory/4012-26-0x0000000070910000-0x0000000070C67000-memory.dmp

      Filesize

      3.3MB

    • memory/4012-25-0x0000000070790000-0x00000000707DC000-memory.dmp

      Filesize

      304KB

    • memory/4012-6-0x0000000005070000-0x000000000569A000-memory.dmp

      Filesize

      6.2MB

    • memory/4012-24-0x00000000070D0000-0x0000000007104000-memory.dmp

      Filesize

      208KB

    • memory/4012-41-0x00000000072C0000-0x00000000072CA000-memory.dmp

      Filesize

      40KB

    • memory/4012-20-0x00000000058E0000-0x0000000005C37000-memory.dmp

      Filesize

      3.3MB

    • memory/4012-42-0x00000000073D0000-0x0000000007466000-memory.dmp

      Filesize

      600KB

    • memory/4012-43-0x00000000072E0000-0x00000000072F1000-memory.dmp

      Filesize

      68KB

    • memory/4012-4-0x000000007452E000-0x000000007452F000-memory.dmp

      Filesize

      4KB

    • memory/4012-37-0x0000000007150000-0x00000000071F4000-memory.dmp

      Filesize

      656KB

    • memory/4012-36-0x0000000074520000-0x0000000074CD1000-memory.dmp

      Filesize

      7.7MB

    • memory/4012-35-0x0000000007130000-0x000000000714E000-memory.dmp

      Filesize

      120KB

    • memory/4012-50-0x0000000074520000-0x0000000074CD1000-memory.dmp

      Filesize

      7.7MB

    • memory/4012-47-0x00000000073B0000-0x00000000073B8000-memory.dmp

      Filesize

      32KB

    • memory/4012-46-0x0000000007390000-0x00000000073AA000-memory.dmp

      Filesize

      104KB

    • memory/4012-45-0x0000000007340000-0x0000000007355000-memory.dmp

      Filesize

      84KB

    • memory/4012-44-0x0000000007330000-0x000000000733E000-memory.dmp

      Filesize

      56KB

    • memory/4624-182-0x0000000070850000-0x0000000070BA7000-memory.dmp

      Filesize

      3.3MB

    • memory/4624-181-0x00000000706B0000-0x00000000706FC000-memory.dmp

      Filesize

      304KB

    • memory/4624-179-0x0000000005C90000-0x0000000005FE7000-memory.dmp

      Filesize

      3.3MB

    • memory/4708-136-0x0000000070910000-0x0000000070C67000-memory.dmp

      Filesize

      3.3MB

    • memory/4708-135-0x0000000070790000-0x00000000707DC000-memory.dmp

      Filesize

      304KB