glupteba | 09ce87d0be43cd78c49db505ee59b33bfe233d1a380dcce7efc77102b0c411dc

Analysis

max time kernel
3s
max time network
146s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
18-05-2024 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09ce87d0be43cd78c49db505ee59b33bfe233d1a380dcce7efc77102b0c411dc.exe
Size

4.1MB
MD5

b88142eaf5baa7e6c537db605ec9966a
SHA1

993b87d06dd65f14d99cc858a08b95f350b93af6
SHA256

09ce87d0be43cd78c49db505ee59b33bfe233d1a380dcce7efc77102b0c411dc
SHA512

b30191420729927557ad1a0b0fa3378881940a07da0008969ebeeaa5e1dd8f254c4a34e44bb74be41bb31aa34d75820d4133cb6c37b5c8fed9805f82f1284882
SSDEEP

98304:zmSOHuT7egJLhRTCVEkOCdqjiWtSbuAFmh92D:z0ObLh9WfG/tSdes

Score

10^/10

glupteba dropper evasion execution loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 19 IoCs

resource	yara_rule
behavioral2/memory/4688-2-0x0000000004910000-0x00000000051FB000-memory.dmp	family_glupteba
behavioral2/memory/4688-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1644-121-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral2/memory/4688-145-0x0000000004910000-0x00000000051FB000-memory.dmp	family_glupteba
behavioral2/memory/4688-133-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral2/memory/4688-198-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/992-200-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral2/memory/992-201-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral2/memory/992-204-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral2/memory/992-206-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral2/memory/992-208-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral2/memory/992-210-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral2/memory/992-212-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral2/memory/992-214-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral2/memory/992-216-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral2/memory/992-218-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral2/memory/992-219-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral2/memory/992-222-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral2/memory/992-224-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1732	netsh.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2556	powershell.exe
2836	powershell.exe
1208	powershell.exe
4604	powershell.exe
2216	powershell.exe
2868	powershell.exe
1692	powershell.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4536	schtasks.exe
1872	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1692	powershell.exe
1692	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1692	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4688 wrote to memory of 1692	4688	09ce87d0be43cd78c49db505ee59b33bfe233d1a380dcce7efc77102b0c411dc.exe	81
PID 4688 wrote to memory of 1692	4688	09ce87d0be43cd78c49db505ee59b33bfe233d1a380dcce7efc77102b0c411dc.exe	81
PID 4688 wrote to memory of 1692	4688	09ce87d0be43cd78c49db505ee59b33bfe233d1a380dcce7efc77102b0c411dc.exe	81

C:\Users\Admin\AppData\Local\Temp\09ce87d0be43cd78c49db505ee59b33bfe233d1a380dcce7efc77102b0c411dc.exe
"C:\Users\Admin\AppData\Local\Temp\09ce87d0be43cd78c49db505ee59b33bfe233d1a380dcce7efc77102b0c411dc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Users\Admin\AppData\Local\Temp\09ce87d0be43cd78c49db505ee59b33bfe233d1a380dcce7efc77102b0c411dc.exe
  "C:\Users\Admin\AppData\Local\Temp\09ce87d0be43cd78c49db505ee59b33bfe233d1a380dcce7efc77102b0c411dc.exe"
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2556
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:1788
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1732
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2836
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1208
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:992
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4604
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:4536
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:2832
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2216
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2868
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:2756
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nojvx13z.kf4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
01629c2e5510a9a7cdc5836d2d08a773

SHA1
75a22ba7f5d5e5a3adfa1a7fa3472a46201c6d78

SHA256
271a7272237b83bda6c0c33c048fd49a4687076f26caaa73269ed7c6601632a5

SHA512
0f00caf18ba1c8407c70a9f51396b40fc3a48a23ce29e285fd9a5dcc1b5e7cf8e77452f115ceb399f745e2da1a936be02c6b8b65d3abd7481f873863a7e57620

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
61933957c02876ae9161731d8f9d99b3

SHA1
cf50d9f679f2751ef11c1195488f8792e71f3497

SHA256
40c4db33b58868ba8ff647a8cb41cbff07035d69dd3aa412328745db11eff4b4

SHA512
33f60a49f850717208c7d9fd751fe6723acf5615c592f943220580b633cfcacad6d441c201866f69c07ba3872c0ba1a82a13f1c912ee862064b760e26fd12b40

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
51e27d9b6c5c3b34214dadca2e08302d

SHA1
b3c46bf556e8f2a675b4d3464ea70482f112fced

SHA256
5aa989de7e2469c2c9ccbf00713ab070f289ff90265d424064ab4f2a469dafc3

SHA512
efd14c26db0bef9f8441b21fc92be769bfbe4cab6407caefa57fd01a9a98e19440b79200211166e39ada59575d61d1d017e9d05f9070d0c6e8b7b4f510c89e1b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
73f78e0a696280ff5289aa366c1012dc

SHA1
9cb437fe9f745f0ae8e9cca9bf57145f810ba4e6

SHA256
f0e851b55a06e830822aeab99d8d6414520818896d3ff4f046ba6b8213819169

SHA512
006d845519de0941ee09469d21ecdd440feebf0658a0f0069955463289520cf7283f58a9fd4932f4504d33e34bdf710c82d7f0dc3e58c4ee562244045d3b059f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
71919e88d89ebd3e1a1ffd181af76aa2

SHA1
e6d5a458c7842db7ecb2962e5a40e302ae32382b

SHA256
5f57d5caaeaecc711df809da3af0950d9f1b31f1f9c6a7a38f3ab3c4b6ee4c4d

SHA512
351c7e7f5f5ba163697f7527b0ca9005f34a3619c52e5920eec834bd22942f0c16dc50db1684b256740092baa1393af9c29cfb9012ae9a76a6b687954dfe2018

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
b88142eaf5baa7e6c537db605ec9966a

SHA1
993b87d06dd65f14d99cc858a08b95f350b93af6

SHA256
09ce87d0be43cd78c49db505ee59b33bfe233d1a380dcce7efc77102b0c411dc

SHA512
b30191420729927557ad1a0b0fa3378881940a07da0008969ebeeaa5e1dd8f254c4a34e44bb74be41bb31aa34d75820d4133cb6c37b5c8fed9805f82f1284882

Download Submit
memory/992-214-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/992-218-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/992-206-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/992-204-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/992-201-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/992-200-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/992-210-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/992-212-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/992-216-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/992-208-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/992-224-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/992-219-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/992-222-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/1208-108-0x0000000071780000-0x0000000071AD7000-memory.dmp

Filesize
3.3MB

Download
memory/1208-107-0x0000000070E40000-0x0000000070E8C000-memory.dmp

Filesize
304KB

Download
memory/1208-105-0x0000000006430000-0x0000000006787000-memory.dmp

Filesize
3.3MB

Download
memory/1644-121-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/1692-39-0x00000000081D0000-0x000000000884A000-memory.dmp

Filesize
6.5MB

Download
memory/1692-20-0x0000000006140000-0x0000000006497000-memory.dmp

Filesize
3.3MB

Download
memory/1692-44-0x0000000007C40000-0x0000000007C4E000-memory.dmp

Filesize
56KB

Download
memory/1692-45-0x0000000007C50000-0x0000000007C65000-memory.dmp

Filesize
84KB

Download
memory/1692-46-0x0000000007CA0000-0x0000000007CBA000-memory.dmp

Filesize
104KB

Download
memory/1692-47-0x0000000007C90000-0x0000000007C98000-memory.dmp

Filesize
32KB

Download
memory/1692-50-0x0000000074BD0000-0x0000000075381000-memory.dmp

Filesize
7.7MB

Download
memory/1692-22-0x0000000006850000-0x000000000689C000-memory.dmp

Filesize
304KB

Download
memory/1692-10-0x0000000005F60000-0x0000000005FC6000-memory.dmp

Filesize
408KB

Download
memory/1692-23-0x0000000007700000-0x0000000007746000-memory.dmp

Filesize
280KB

Download
memory/1692-11-0x00000000060D0000-0x0000000006136000-memory.dmp

Filesize
408KB

Download
memory/1692-24-0x0000000007A00000-0x0000000007A34000-memory.dmp

Filesize
208KB

Download
memory/1692-35-0x0000000007A40000-0x0000000007A5E000-memory.dmp

Filesize
120KB

Download
memory/1692-25-0x0000000070E40000-0x0000000070E8C000-memory.dmp

Filesize
304KB

Download
memory/1692-43-0x0000000007BF0000-0x0000000007C01000-memory.dmp

Filesize
68KB

Download
memory/1692-37-0x0000000007A60000-0x0000000007B04000-memory.dmp

Filesize
656KB

Download
memory/1692-21-0x00000000065D0000-0x00000000065EE000-memory.dmp

Filesize
120KB

Download
memory/1692-42-0x0000000007CE0000-0x0000000007D76000-memory.dmp

Filesize
600KB

Download
memory/1692-26-0x0000000070FC0000-0x0000000071317000-memory.dmp

Filesize
3.3MB

Download
memory/1692-41-0x0000000007BD0000-0x0000000007BDA000-memory.dmp

Filesize
40KB

Download
memory/1692-36-0x0000000074BD0000-0x0000000075381000-memory.dmp

Filesize
7.7MB

Download
memory/1692-5-0x0000000002DB0000-0x0000000002DE6000-memory.dmp

Filesize
216KB

Download
memory/1692-40-0x0000000007B90000-0x0000000007BAA000-memory.dmp

Filesize
104KB

Download
memory/1692-38-0x0000000074BD0000-0x0000000075381000-memory.dmp

Filesize
7.7MB

Download
memory/1692-4-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/1692-7-0x00000000058C0000-0x0000000005EEA000-memory.dmp

Filesize
6.2MB

Download
memory/1692-6-0x0000000074BD0000-0x0000000075381000-memory.dmp

Filesize
7.7MB

Download
memory/1692-8-0x0000000074BD0000-0x0000000075381000-memory.dmp

Filesize
7.7MB

Download
memory/1692-9-0x0000000005740000-0x0000000005762000-memory.dmp

Filesize
136KB

Download
memory/2216-157-0x0000000006480000-0x00000000064CC000-memory.dmp

Filesize
304KB

Download
memory/2216-170-0x0000000005CF0000-0x0000000005D05000-memory.dmp

Filesize
84KB

Download
memory/2216-155-0x0000000005920000-0x0000000005C77000-memory.dmp

Filesize
3.3MB

Download
memory/2216-159-0x00000000716A0000-0x00000000719F7000-memory.dmp

Filesize
3.3MB

Download
memory/2216-168-0x0000000007160000-0x0000000007204000-memory.dmp

Filesize
656KB

Download
memory/2216-158-0x0000000070D60000-0x0000000070DAC000-memory.dmp

Filesize
304KB

Download
memory/2216-169-0x0000000007490000-0x00000000074A1000-memory.dmp

Filesize
68KB

Download
memory/2556-73-0x0000000007810000-0x0000000007825000-memory.dmp

Filesize
84KB

Download
memory/2556-72-0x00000000077C0000-0x00000000077D1000-memory.dmp

Filesize
68KB

Download
memory/2556-62-0x00000000710B0000-0x0000000071407000-memory.dmp

Filesize
3.3MB

Download
memory/2556-71-0x0000000007470000-0x0000000007514000-memory.dmp

Filesize
656KB

Download
memory/2556-61-0x0000000070E40000-0x0000000070E8C000-memory.dmp

Filesize
304KB

Download
memory/2556-52-0x0000000005D20000-0x0000000006077000-memory.dmp

Filesize
3.3MB

Download
memory/2836-87-0x0000000070FC0000-0x0000000071317000-memory.dmp

Filesize
3.3MB

Download
memory/2836-86-0x0000000070E40000-0x0000000070E8C000-memory.dmp

Filesize
304KB

Download
memory/2868-183-0x0000000070F00000-0x0000000071257000-memory.dmp

Filesize
3.3MB

Download
memory/2868-182-0x0000000070D60000-0x0000000070DAC000-memory.dmp

Filesize
304KB

Download
memory/2868-180-0x00000000057E0000-0x0000000005B37000-memory.dmp

Filesize
3.3MB

Download
memory/4604-134-0x0000000070E40000-0x0000000070E8C000-memory.dmp

Filesize
304KB

Download
memory/4604-135-0x0000000070FC0000-0x0000000071317000-memory.dmp

Filesize
3.3MB

Download
memory/4688-198-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4688-144-0x0000000004510000-0x000000000490F000-memory.dmp

Filesize
4.0MB

Download
memory/4688-133-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/4688-145-0x0000000004910000-0x00000000051FB000-memory.dmp

Filesize
8.9MB

Download
memory/4688-1-0x0000000004510000-0x000000000490F000-memory.dmp

Filesize
4.0MB

Download
memory/4688-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4688-2-0x0000000004910000-0x00000000051FB000-memory.dmp

Filesize
8.9MB

Download