Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
-
submitted
19-05-2024 01:31
General
-
Target
4a729addd8ee4afc1f9491749a663806ccb077f53deda184c6eed21bda5ccaf4.exe
-
Size
4.1MB
-
MD5
79c4b7b79965a19b16a9dc7371644238
-
SHA1
17771e84fba4c0f9097bec8c3f93b2ea43795ddd
-
SHA256
4a729addd8ee4afc1f9491749a663806ccb077f53deda184c6eed21bda5ccaf4
-
SHA512
99bc7718b9d492b1a22023586ac7facbd2385d0b85d723efdf045d5b6ba336058c1cc414ab812bf042034faf0c5bf9743093426cdc0eeb68b27628083135542a
-
SSDEEP
98304:yf+oTi6061rsx4yGF2uQjPQS21lHMnsqkLrDDcuTdH2a0g7PF8:Bos8riuQnYS21lsngzdH/0g6
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 18 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Using powershell.exe command.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4a729addd8ee4afc1f9491749a663806ccb077f53deda184c6eed21bda5ccaf4.exe"C:\Users\Admin\AppData\Local\Temp\4a729addd8ee4afc1f9491749a663806ccb077f53deda184c6eed21bda5ccaf4.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\4a729addd8ee4afc1f9491749a663806ccb077f53deda184c6eed21bda5ccaf4.exe"C:\Users\Admin\AppData\Local\Temp\4a729addd8ee4afc1f9491749a663806ccb077f53deda184c6eed21bda5ccaf4.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
2KB
MD5d0c46cad6c0778401e21910bd6b56b70
SHA17be418951ea96326aca445b8dfe449b2bfa0dca6
SHA2569600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949
-
Filesize
19KB
MD5a41f223c087bcdc4bb7b85c0e2b483d6
SHA17c0e83c113e1e6437c88a6e8f46ffb3911cd9606
SHA256619dc2ef6c7494d6f43e5b71f7a228a661d1c4fb6b46667488ee72c124507cec
SHA51242ee3ada54905ae227131eb28d3f72717668d3225f0a499b26e87f64ffa46735ba3357ac0f8ce8029905027d1c4c6d459d3e099a05f57c242172ee76c1af51a4
-
Filesize
19KB
MD59ec835b513630129eb86083811f39078
SHA12d593326481caee034bff986aaf9fb1d04db50aa
SHA256a580d4ab57fd27d9e8909191db19afcea2548cc98593819f4d5f44ad8c1d820b
SHA51229f84f9f95fa56f34d3c99273434bd5cdc28610065e1ffcadea86c3ba5959753cc86d82834bf52fb97454424702e6483d05eefef56fa73e4ca2fe7de389be6d3
-
Filesize
19KB
MD5b10fe66910616ae5ff7167114ee75be2
SHA1c0eda7cd1c055cbc6e5f2171b16b013b9faf7e24
SHA2568467def13f0575f49ade2a481d9890b1fef3546ef30d29bbb61d0ec90f1b88d8
SHA5127439ff3e582fc867a8355face48cb4c1cfd412f222eee4b5f7acea019c89119ef6ba6f10943b8abc4b93dd70280c492e95b22531ffc47e0b7a6dd2baa04f16d3
-
Filesize
19KB
MD5ddae080e43d7807f150bded337483bd4
SHA1ca91518c0bc9061d9f2305623f08fc9f42210f0f
SHA256be4208a71eea5f470b2eea73ad7790caabfc1996b147b8b66ae0ab3ba91c8965
SHA512556445a18853f1f8897171d5bf6f27fbadbac12689904e9ef05523a30ab40d8fdb2b9404a98b589abeb4a9a4b5371848da441fea33e275956d8be4acd36a36e1
-
Filesize
19KB
MD590c91de44222686e57ddbe57af977717
SHA183d7bfd209706610ce9fd91c6e9b60ec58a17921
SHA2560e6cfef0114a30a6a708eef8aab3fbd2ae64abac1204837274fadc3388f5409b
SHA5126801053e493c1b3bf7945ef54334fcd053bfa3cdccbee63eb2a6072daec3a30463e9ac490452938594e3bf457f0a3b1b7075c6b0b4183a97d7755af0e5e70756
-
Filesize
4.1MB
MD579c4b7b79965a19b16a9dc7371644238
SHA117771e84fba4c0f9097bec8c3f93b2ea43795ddd
SHA2564a729addd8ee4afc1f9491749a663806ccb077f53deda184c6eed21bda5ccaf4
SHA51299bc7718b9d492b1a22023586ac7facbd2385d0b85d723efdf045d5b6ba336058c1cc414ab812bf042034faf0c5bf9743093426cdc0eeb68b27628083135542a
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
3.3MB
-
Filesize
656KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
68KB
-
Filesize
3.3MB
-
Filesize
84KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
8.9MB
-
Filesize
35.2MB
-
Filesize
9.1MB
-
Filesize
8.9MB
-
Filesize
4.0MB
-
Filesize
208KB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
6.5MB
-
Filesize
280KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
4KB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
656KB
-
Filesize
104KB
-
Filesize
84KB
-
Filesize
56KB
-
Filesize
68KB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
104KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
84KB
-
Filesize
68KB
-
Filesize
656KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
3.3MB