General

  • Target

    e2cecde74b12eca6b034139fb530c054d51008817f10cebe04b45179e85e21f1

  • Size

    4.1MB

  • Sample

    240517-apdw1sgg76

  • MD5

    0840db66ecf6cc2f08165ffb68c280a0

  • SHA1

    81fd8a1115b808646f552b3103618bcb5f3e43de

  • SHA256

    e2cecde74b12eca6b034139fb530c054d51008817f10cebe04b45179e85e21f1

  • SHA512

    0163c91fea067f7151267a720457263fd4a3a6ce2642d349432a02412d792d2337b8da5503ed6a7d00caa452f8643e340012ae30e2bbf6c22641765a0689f8bc

  • SSDEEP

    98304:cTqhS9Lnz8MmSV7jAB6wVffYAFzc/C0Dla1eCdEfwq9hv7fsfHoqc5/0ndi:zS9LzA0QB3VffYAWClIC+YKgH5cgU

Malware Config

Targets

    • Target

      e2cecde74b12eca6b034139fb530c054d51008817f10cebe04b45179e85e21f1

    • Size

      4.1MB

    • MD5

      0840db66ecf6cc2f08165ffb68c280a0

    • SHA1

      81fd8a1115b808646f552b3103618bcb5f3e43de

    • SHA256

      e2cecde74b12eca6b034139fb530c054d51008817f10cebe04b45179e85e21f1

    • SHA512

      0163c91fea067f7151267a720457263fd4a3a6ce2642d349432a02412d792d2337b8da5503ed6a7d00caa452f8643e340012ae30e2bbf6c22641765a0689f8bc

    • SSDEEP

      98304:cTqhS9Lnz8MmSV7jAB6wVffYAFzc/C0Dla1eCdEfwq9hv7fsfHoqc5/0ndi:zS9LzA0QB3VffYAWClIC+YKgH5cgU

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Windows security bypass

    • Modifies boot configuration data using bcdedit

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Manipulates WinMon driver.

      Roottkits write to WinMon to hide PIDs from being detected.

    • Manipulates WinMonFS driver.

      Roottkits write to WinMonFS to hide directories/files from being detected.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks