Analysis
-
max time kernel
9s -
max time network
153s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
-
submitted
19-05-2024 20:35
General
-
Target
73bd536c26539ef63cdc61dc5c6f261f7f9767c54fcfdd6a6c3c616ce4420080.exe
-
Size
4.1MB
-
MD5
fee04bb4f2890f2e90b4b12de4b729c8
-
SHA1
2fcf87cec6fa8ce956b0442eab3a1335f48ce3f2
-
SHA256
73bd536c26539ef63cdc61dc5c6f261f7f9767c54fcfdd6a6c3c616ce4420080
-
SHA512
00ca03e958789e5c41060d7dec99cdc88e00c88dcd2653f2e0370bb42066c1f687cc304391ca9f891c445d858000675eda402985057314bbbf20a184c2abfb36
-
SSDEEP
98304:b7sgfTqZm7fywQIpjGUn+cmloZHued8miXbTsPufBvNF:bzgmDywQg+foZ8mw6Sb
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 18 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 3 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Using powershell.exe command.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\73bd536c26539ef63cdc61dc5c6f261f7f9767c54fcfdd6a6c3c616ce4420080.exe"C:\Users\Admin\AppData\Local\Temp\73bd536c26539ef63cdc61dc5c6f261f7f9767c54fcfdd6a6c3c616ce4420080.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\73bd536c26539ef63cdc61dc5c6f261f7f9767c54fcfdd6a6c3c616ce4420080.exe"C:\Users\Admin\AppData\Local\Temp\73bd536c26539ef63cdc61dc5c6f261f7f9767c54fcfdd6a6c3c616ce4420080.exe"2⤵
- Checks for VirtualBox DLLs, possible anti-VM trick
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
-
-
-
-
-
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
2KB
MD5ac4917a885cf6050b1a483e4bc4d2ea5
SHA1b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d
-
Filesize
19KB
MD53f4da4f7940fc049b168ce335f281ebe
SHA11abf97ff704bbb24c5c62a36a8b15d012868f50a
SHA25691ef9f490559b1d672f6fcc48f69316f25c1b74d44031b8f1f51c47706624731
SHA512bd42876fa777db69460cedbcf1163d07bcec6c7aab42807c12eb6548194b69dd33c61179ef1f8c09be4fd139706f4e2db8ce4d8153a25f0e31d4906e3cae8278
-
Filesize
19KB
MD58d28d56d93da0adac0ed262d5b522417
SHA145a5e434140dc2a09deb5f4c1e6f4103efa0779d
SHA25675e13621d97dda4b21411563d903f2bb259ce78c9503098a6b7557e099fca122
SHA51278cd2a7aca44d95c3422a80d896fb012e6b3771b2b5de0caaf7462b209c2f957a81d7eeffc86cb7e5e64b9c725f11ccb5ccce8007fcb2f0bd27a862fa1a9703f
-
Filesize
19KB
MD58113cff9b31ace9d09d80814f80cc87f
SHA11bb7e74e59a96b98429a4e27fdd449772c972abb
SHA2567d368cd82a3c4d5c6044a1678415be1b63ed679d7e73a054684b050649059a62
SHA512454127df3fd7bbc06c7bb1680aefa7b442f9e769697ffe3c9c2d6ecfdf0a1705ce70f3e4590ac3feed25b3143f28ff080038f1d8718fe1312a356a5b8f414ac2
-
Filesize
19KB
MD532d59286957440b5ea21334cf3c853b6
SHA13710e5db6ff6b41891cc42342270b6836c855000
SHA2563e21abf4de89e4a3e723cc0d3819daff7a7f8784d9ae4398871eb3161f76f78a
SHA51295ac71ae1a981ee9b448dd4b3fa852b511118b31948bd287b0e81d4ccf12f6339a6e1b51cbb44851abbf99a4162b329426ca602e779bfc01be4b66505f6c0f0c
-
Filesize
19KB
MD5da024a81661735f99cfa4f6997c07da1
SHA1fdc3b6bcf20eddf437465e5bc0a764fde5559f79
SHA2564e4b537e8467bf741d85a2c103375a241c5818e883a1b1e091ea67dbfe8e12b6
SHA512df74f4b6415039e3073534f0f964f9e189bfedd56c11ce0b894bd3bb1988dc800960733a1cc2283bae6841a52bd2d34f10f41aaddde37a255abe40bba46d70e3
-
Filesize
4.1MB
MD5fee04bb4f2890f2e90b4b12de4b729c8
SHA12fcf87cec6fa8ce956b0442eab3a1335f48ce3f2
SHA25673bd536c26539ef63cdc61dc5c6f261f7f9767c54fcfdd6a6c3c616ce4420080
SHA51200ca03e958789e5c41060d7dec99cdc88e00c88dcd2653f2e0370bb42066c1f687cc304391ca9f891c445d858000675eda402985057314bbbf20a184c2abfb36
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
9.1MB
-
Filesize
8.9MB
-
Filesize
4.0MB
-
Filesize
35.2MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
8.9MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
84KB
-
Filesize
304KB
-
Filesize
68KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
656KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
35.2MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
656KB
-
Filesize
3.3MB
-
Filesize
68KB
-
Filesize
304KB
-
Filesize
84KB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
408KB
-
Filesize
56KB
-
Filesize
208KB
-
Filesize
304KB
-
Filesize
280KB
-
Filesize
104KB
-
Filesize
3.3MB
-
Filesize
84KB
-
Filesize
32KB
-
Filesize
6.5MB
-
Filesize
656KB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4.9MB
-
Filesize
4.9MB