Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
-
submitted
16/05/2024, 19:44
General
-
Target
66508168803c80751fb77a54bde171c5e387f64949dcc2849dd337c9b8f40eb4.exe
-
Size
4.1MB
-
MD5
cc5fb9db22123f5ddc5414ba087cfab9
-
SHA1
40239c9093950eb0465b479b18bf90bc7d460047
-
SHA256
66508168803c80751fb77a54bde171c5e387f64949dcc2849dd337c9b8f40eb4
-
SHA512
7a938890c014ae7735cb0b7780fac16af099c9d1d9a0182d9f5ceb6c852c438813c860d4b7f611c62826d36891b3a6f701e51d8a49f48c7604053d245d3caa5b
-
SSDEEP
98304:vjrHiscAnk4Z0f7mBZCfuP+pmwVLETOu5PKDHvrjVgO2A:7rhn/yCBZkM+pB3dzB
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 17 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Using powershell.exe command.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\66508168803c80751fb77a54bde171c5e387f64949dcc2849dd337c9b8f40eb4.exe"C:\Users\Admin\AppData\Local\Temp\66508168803c80751fb77a54bde171c5e387f64949dcc2849dd337c9b8f40eb4.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\66508168803c80751fb77a54bde171c5e387f64949dcc2849dd337c9b8f40eb4.exe"C:\Users\Admin\AppData\Local\Temp\66508168803c80751fb77a54bde171c5e387f64949dcc2849dd337c9b8f40eb4.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
2KB
MD5ac4917a885cf6050b1a483e4bc4d2ea5
SHA1b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d
-
Filesize
19KB
MD5c61271922ee1e239f9352b8a7c2b3086
SHA1687cfdf927a4dbeb6ed0c5fc5bef5f2d1c9d2c1b
SHA256b86ad0439668d2d7df680eb15dbff84aae5c1dbb3a567760140446cecd3ee0ba
SHA51271d65e8e2e8e8095fbabc2426c1f0fdda76a188b5422190cb43effde04eef83667fba816d586fa99468ae87a1b48ce1ebef90f04a9adf841863f1fc46ba6cbb2
-
Filesize
19KB
MD58b6dcdbd758864d597e4c542e2cb286a
SHA14090603b298658c4bb173011591013634a670e45
SHA256e17f5f5e4ae85ce1f310948519664ffb7a241f9150c1620c35543664835a1a99
SHA512b2b78da17ffa4506f9e386db2511d878b86c82eeebb98031a69a8cb1e751fa91079ea476a7d855b9b58f3311dc77f4fd7c014977dba0972a1dfd2d46bb2bd21d
-
Filesize
19KB
MD588692370ea947ddaf76ed0a44af60275
SHA187e8d84e2e752fe43f817231189ae4fc77ce1ac7
SHA25616e7450c445dcb0d7cabbd375290d3ad2f951ed8c252ceb2048617bf5de1fd2e
SHA51281aaa3b7f7b28e354c01cc18e877e670f5611923d192bee09ebb046408c02aae479d330a487ed3749510fc1e37e47f908b401b687f28a6e4cb63c58fd6a38290
-
Filesize
19KB
MD5669a47a242a24b8b6b5832ff3b0fe4da
SHA1d219a482f6934a62152ff0b69fcc71cf9e22712c
SHA2569e731ca6c68dc9ea5328e091bfd18afc14e6946b69d3647b833fca734366dd17
SHA5122f73e7b82a5f69988cef40684dfbbd36f9ecd948f92aca02794d1422507f3090bf0930984e4ef8df34941ee2cbc23eb62c7008e855776355f4c1b07d83a990ee
-
Filesize
19KB
MD54734855ae5ebc411eda68eaf83dfd511
SHA1deb1f140a7f27bfa0b67d1af6573511e527e67da
SHA2567cd2b2d859d342f50534f34853dcc68c6ce3be4d31fe849febf02d3a5881a528
SHA51221e271d2e468f6e7efab05aada4714eb4a83c35f61b0a49851dec369cbb147ee763da49144fbf2a5861535bfc4b15163b2ee8e6fce4f338e921556a6297f5312
-
Filesize
4.1MB
MD5cc5fb9db22123f5ddc5414ba087cfab9
SHA140239c9093950eb0465b479b18bf90bc7d460047
SHA25666508168803c80751fb77a54bde171c5e387f64949dcc2849dd337c9b8f40eb4
SHA5127a938890c014ae7735cb0b7780fac16af099c9d1d9a0182d9f5ceb6c852c438813c860d4b7f611c62826d36891b3a6f701e51d8a49f48c7604053d245d3caa5b
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
84KB
-
Filesize
68KB
-
Filesize
656KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
68KB
-
Filesize
656KB
-
Filesize
304KB
-
Filesize
84KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
9.1MB
-
Filesize
8.9MB
-
Filesize
8.9MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
120KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
280KB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
208KB
-
Filesize
656KB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
84KB
-
Filesize
56KB
-
Filesize
68KB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
104KB
-
Filesize
6.5MB