Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
  • submitted
    19-05-2024 14:00

General

  • Target

    1e2d4e08ccabd10aecec1292efd91f0ef4140387acdf2e1bfd6c6871d155cd21.exe

  • Size

    4.1MB

  • MD5

    8555b896248f47f8b2643d82d7cb17a9

  • SHA1

    1e80159e5c8d8b40a8dccc05d67b4e86d31d8c8d

  • SHA256

    1e2d4e08ccabd10aecec1292efd91f0ef4140387acdf2e1bfd6c6871d155cd21

  • SHA512

    f934f2f31d7bd885e52aecfb5c2539109a73a031152fbaafd1baa766d699ae6221f220727e854494d0ee00f2ae00a392d415ed01a10af1ec1e2cd6d76f90403c

  • SSDEEP

    98304:cNaXJU8AJvaro5mDbVFqT6QhicqJuM7BOvJODhfBAiYJAl59WV:cqU8A9EamDpImBOY9f2NV

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 19 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Manipulates WinMonFS driver. 1 IoCs

    Rootkits write to WinMonFS to hide directories/files from being detected.

  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e2d4e08ccabd10aecec1292efd91f0ef4140387acdf2e1bfd6c6871d155cd21.exe
    "C:\Users\Admin\AppData\Local\Temp\1e2d4e08ccabd10aecec1292efd91f0ef4140387acdf2e1bfd6c6871d155cd21.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2788
    • C:\Users\Admin\AppData\Local\Temp\1e2d4e08ccabd10aecec1292efd91f0ef4140387acdf2e1bfd6c6871d155cd21.exe
      "C:\Users\Admin\AppData\Local\Temp\1e2d4e08ccabd10aecec1292efd91f0ef4140387acdf2e1bfd6c6871d155cd21.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2272
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1696
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1824
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:3832
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1124
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4468
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4280
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4948
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:1648
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
          PID:2092
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1416
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1660
        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1376
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:2456

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rh2thqf3.xwv.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

      Filesize

      19KB

      MD5

      225f8ef70311d39610ccc4fd6c21cff6

      SHA1

      32a441acf682235d2a524e90edc8c7df59386b94

      SHA256

      8fe696976b96b568a55e8fd0fc060f4a625f69c9d564e7be233a2a5a4eaf0f95

      SHA512

      d722da1801eba96c9d9d3db3124da855cbef252b5791f278c140dd7bbfefcccc88f16f9b28c436e20edd062856f2a71769ca616f626bf3c892ab704adfa34ae0

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

      Filesize

      19KB

      MD5

      0e9c56db6d07362867f2db65601b94f1

      SHA1

      379a9739f44ed150498700757fe3ff2d7b167134

      SHA256

      82dcfb69d73507690b3664d599e3f715d034fa86b76cd3f5be26a90da0a5d1e0

      SHA512

      caecc5272de5437ff6a10d89a52468b7ae5d3732f0aa32db130abb55d37c1798a2d94ad2b4d757826ea439b2368abe8c03fdd60434bb71ab5b37919aa4d4409b

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

      Filesize

      19KB

      MD5

      53b010c5633dbd93cf5876d5ca2e0528

      SHA1

      cb82d263aeecdf109d2474ad64d809f30f39951a

      SHA256

      93802dd94fc8085a61aee03fb3d3acf8b5067dbf30dd27109017b6c5cded6ca7

      SHA512

      2136e1e218eba29397b9192da282b5571be8585be6d800962eaec063b4088fe6d5e28f97ae740da560337a4b777b0f028b73206e66ac4d20c999e3219ae3f844

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

      Filesize

      19KB

      MD5

      442564acc4b5dc4b9191ab05c250d738

      SHA1

      c4efff49761c5a7bb151b53731c238616cdf07be

      SHA256

      66211b375dd3b6b820abe9d09b37478c6a4937f7bfb6cf3631a43134b9c2e2cc

      SHA512

      cdacfd4b4b132343fe72bccf3ba67318d5ca764cdddd744622d14508313c1f174ea8a7d607ab3d5b1beb44c43764260f8d5667b4af4f13d28d2b51222f1dd2e5

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

      Filesize

      19KB

      MD5

      f3e382d4851f4627b3ecace1e7d866d4

      SHA1

      e6c54ef3f365fb4448a80635e090b7dd355b4d2a

      SHA256

      699d73ea06e03a642d9e6a593d91cc3ee176c7f1e5552bed1d2fe3931db8b727

      SHA512

      9bab9f2bedcb220cb7b538773c84996ded37604a6f29f76c7794e134f7d4a1ab412c0cd933eb472ad2dda4b9d894e13a394df32825450248933907316596c035

    • C:\Windows\rss\csrss.exe

      Filesize

      4.1MB

      MD5

      8555b896248f47f8b2643d82d7cb17a9

      SHA1

      1e80159e5c8d8b40a8dccc05d67b4e86d31d8c8d

      SHA256

      1e2d4e08ccabd10aecec1292efd91f0ef4140387acdf2e1bfd6c6871d155cd21

      SHA512

      f934f2f31d7bd885e52aecfb5c2539109a73a031152fbaafd1baa766d699ae6221f220727e854494d0ee00f2ae00a392d415ed01a10af1ec1e2cd6d76f90403c

    • memory/1124-93-0x00000000708C0000-0x0000000070C14000-memory.dmp

      Filesize

      3.3MB

    • memory/1124-92-0x0000000070140000-0x000000007018C000-memory.dmp

      Filesize

      304KB

    • memory/1416-179-0x0000000006470000-0x0000000006484000-memory.dmp

      Filesize

      80KB

    • memory/1416-178-0x0000000007C50000-0x0000000007C61000-memory.dmp

      Filesize

      68KB

    • memory/1416-163-0x0000000005FC0000-0x0000000006314000-memory.dmp

      Filesize

      3.3MB

    • memory/1416-165-0x0000000006C60000-0x0000000006CAC000-memory.dmp

      Filesize

      304KB

    • memory/1416-166-0x0000000070060000-0x00000000700AC000-memory.dmp

      Filesize

      304KB

    • memory/1416-177-0x0000000007990000-0x0000000007A33000-memory.dmp

      Filesize

      652KB

    • memory/1416-167-0x0000000070490000-0x00000000707E4000-memory.dmp

      Filesize

      3.3MB

    • memory/1660-195-0x0000000070810000-0x0000000070B64000-memory.dmp

      Filesize

      3.3MB

    • memory/1660-190-0x00000000059A0000-0x0000000005CF4000-memory.dmp

      Filesize

      3.3MB

    • memory/1660-194-0x0000000070060000-0x00000000700AC000-memory.dmp

      Filesize

      304KB

    • memory/1696-60-0x0000000005D10000-0x0000000006064000-memory.dmp

      Filesize

      3.3MB

    • memory/1696-76-0x0000000007540000-0x00000000075E3000-memory.dmp

      Filesize

      652KB

    • memory/1696-65-0x0000000070140000-0x000000007018C000-memory.dmp

      Filesize

      304KB

    • memory/1696-66-0x00000000708C0000-0x0000000070C14000-memory.dmp

      Filesize

      3.3MB

    • memory/1696-77-0x0000000007860000-0x0000000007871000-memory.dmp

      Filesize

      68KB

    • memory/1696-78-0x00000000078B0000-0x00000000078C4000-memory.dmp

      Filesize

      80KB

    • memory/2272-211-0x0000000000400000-0x000000000273B000-memory.dmp

      Filesize

      35.2MB

    • memory/2344-193-0x0000000004960000-0x000000000524B000-memory.dmp

      Filesize

      8.9MB

    • memory/2344-152-0x0000000000400000-0x000000000273B000-memory.dmp

      Filesize

      35.2MB

    • memory/2344-212-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/2344-2-0x0000000004960000-0x000000000524B000-memory.dmp

      Filesize

      8.9MB

    • memory/2344-192-0x0000000004550000-0x0000000004958000-memory.dmp

      Filesize

      4.0MB

    • memory/2344-1-0x0000000004550000-0x0000000004958000-memory.dmp

      Filesize

      4.0MB

    • memory/2344-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/2788-47-0x0000000007D70000-0x0000000007D7E000-memory.dmp

      Filesize

      56KB

    • memory/2788-43-0x00000000742A0000-0x0000000074A50000-memory.dmp

      Filesize

      7.7MB

    • memory/2788-49-0x0000000007DD0000-0x0000000007DEA000-memory.dmp

      Filesize

      104KB

    • memory/2788-50-0x0000000007DC0000-0x0000000007DC8000-memory.dmp

      Filesize

      32KB

    • memory/2788-48-0x0000000007D80000-0x0000000007D94000-memory.dmp

      Filesize

      80KB

    • memory/2788-11-0x0000000005850000-0x00000000058B6000-memory.dmp

      Filesize

      408KB

    • memory/2788-10-0x0000000005730000-0x0000000005796000-memory.dmp

      Filesize

      408KB

    • memory/2788-9-0x0000000005690000-0x00000000056B2000-memory.dmp

      Filesize

      136KB

    • memory/2788-8-0x00000000742A0000-0x0000000074A50000-memory.dmp

      Filesize

      7.7MB

    • memory/2788-6-0x00000000059E0000-0x0000000006008000-memory.dmp

      Filesize

      6.2MB

    • memory/2788-22-0x0000000006630000-0x000000000664E000-memory.dmp

      Filesize

      120KB

    • memory/2788-23-0x00000000066F0000-0x000000000673C000-memory.dmp

      Filesize

      304KB

    • memory/2788-7-0x00000000742A0000-0x0000000074A50000-memory.dmp

      Filesize

      7.7MB

    • memory/2788-5-0x0000000003050000-0x0000000003086000-memory.dmp

      Filesize

      216KB

    • memory/2788-24-0x0000000006B90000-0x0000000006BD4000-memory.dmp

      Filesize

      272KB

    • memory/2788-25-0x0000000007760000-0x00000000077D6000-memory.dmp

      Filesize

      472KB

    • memory/2788-21-0x0000000006210000-0x0000000006564000-memory.dmp

      Filesize

      3.3MB

    • memory/2788-4-0x00000000742AE000-0x00000000742AF000-memory.dmp

      Filesize

      4KB

    • memory/2788-46-0x0000000007D30000-0x0000000007D41000-memory.dmp

      Filesize

      68KB

    • memory/2788-45-0x00000000084E0000-0x0000000008576000-memory.dmp

      Filesize

      600KB

    • memory/2788-28-0x0000000007BC0000-0x0000000007BF2000-memory.dmp

      Filesize

      200KB

    • memory/2788-44-0x0000000007D10000-0x0000000007D1A000-memory.dmp

      Filesize

      40KB

    • memory/2788-42-0x0000000007C20000-0x0000000007CC3000-memory.dmp

      Filesize

      652KB

    • memory/2788-53-0x00000000742A0000-0x0000000074A50000-memory.dmp

      Filesize

      7.7MB

    • memory/2788-31-0x00000000702C0000-0x0000000070614000-memory.dmp

      Filesize

      3.3MB

    • memory/2788-30-0x00000000742A0000-0x0000000074A50000-memory.dmp

      Filesize

      7.7MB

    • memory/2788-41-0x0000000007C00000-0x0000000007C1E000-memory.dmp

      Filesize

      120KB

    • memory/2788-29-0x0000000070140000-0x000000007018C000-memory.dmp

      Filesize

      304KB

    • memory/2788-26-0x0000000007E60000-0x00000000084DA000-memory.dmp

      Filesize

      6.5MB

    • memory/2788-27-0x0000000007800000-0x000000000781A000-memory.dmp

      Filesize

      104KB

    • memory/4280-226-0x0000000000400000-0x000000000273B000-memory.dmp

      Filesize

      35.2MB

    • memory/4280-214-0x0000000000400000-0x000000000273B000-memory.dmp

      Filesize

      35.2MB

    • memory/4280-250-0x0000000000400000-0x000000000273B000-memory.dmp

      Filesize

      35.2MB

    • memory/4280-247-0x0000000000400000-0x000000000273B000-memory.dmp

      Filesize

      35.2MB

    • memory/4280-229-0x0000000000400000-0x000000000273B000-memory.dmp

      Filesize

      35.2MB

    • memory/4280-217-0x0000000000400000-0x000000000273B000-memory.dmp

      Filesize

      35.2MB

    • memory/4280-220-0x0000000000400000-0x000000000273B000-memory.dmp

      Filesize

      35.2MB

    • memory/4280-232-0x0000000000400000-0x000000000273B000-memory.dmp

      Filesize

      35.2MB

    • memory/4280-244-0x0000000000400000-0x000000000273B000-memory.dmp

      Filesize

      35.2MB

    • memory/4280-241-0x0000000000400000-0x000000000273B000-memory.dmp

      Filesize

      35.2MB

    • memory/4280-223-0x0000000000400000-0x000000000273B000-memory.dmp

      Filesize

      35.2MB

    • memory/4280-235-0x0000000000400000-0x000000000273B000-memory.dmp

      Filesize

      35.2MB

    • memory/4280-238-0x0000000000400000-0x000000000273B000-memory.dmp

      Filesize

      35.2MB

    • memory/4468-115-0x00000000708C0000-0x0000000070C14000-memory.dmp

      Filesize

      3.3MB

    • memory/4468-114-0x0000000070140000-0x000000007018C000-memory.dmp

      Filesize

      304KB

    • memory/4948-142-0x00000000702C0000-0x0000000070614000-memory.dmp

      Filesize

      3.3MB

    • memory/4948-141-0x0000000070140000-0x000000007018C000-memory.dmp

      Filesize

      304KB