Analysis
-
max time kernel
10s -
max time network
148s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
-
submitted
20-05-2024 04:06
General
-
Target
d6ec0f8d9d9b81234178fa2c4803cdf07f7f547c50fb7498427b159149b02775.exe
-
Size
4.1MB
-
MD5
9f5965ffdf58de4decac2fa51fc456e6
-
SHA1
5dc9dc74560856288faa329017588aef1d637544
-
SHA256
d6ec0f8d9d9b81234178fa2c4803cdf07f7f547c50fb7498427b159149b02775
-
SHA512
592b416bc3b7ed18beb6449d53e8a78ee831cb2a0b7070f96eb9f95b5b391f4431fab6733fde1c08c1c2362f86e0c9195ef4b45d4fb0a0cd76d91d5c10168d0f
-
SSDEEP
98304:eQAQcsa3GhfWYEvpb4LdECaqY+VYhFzXw/u5g9cAd9nx:eQAQcDPYxuCJe7X5ghfx
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 18 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 3 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Using powershell.exe command.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d6ec0f8d9d9b81234178fa2c4803cdf07f7f547c50fb7498427b159149b02775.exe"C:\Users\Admin\AppData\Local\Temp\d6ec0f8d9d9b81234178fa2c4803cdf07f7f547c50fb7498427b159149b02775.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\d6ec0f8d9d9b81234178fa2c4803cdf07f7f547c50fb7498427b159149b02775.exe"C:\Users\Admin\AppData\Local\Temp\d6ec0f8d9d9b81234178fa2c4803cdf07f7f547c50fb7498427b159149b02775.exe"2⤵
- Checks for VirtualBox DLLs, possible anti-VM trick
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
2KB
MD5ac4917a885cf6050b1a483e4bc4d2ea5
SHA1b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d
-
Filesize
19KB
MD542196a7e64a102c4bd48d4d4092d4542
SHA165a4f3b85684ad45865c4bbffc237bfeca699535
SHA256b72d51f757a6417c056021e8b610dc8cfec14acc1f4a6d7a797aab7269eb3136
SHA512702694b64707ceb9d25894e147ac4ee876c4cb0dd3492bccc5718a67669600215abb54084412c95caa099b68b2716ffc512b7a18eddc743d489ceac940a52950
-
Filesize
19KB
MD52ed6aaa21e4b12afd808ca6a8fb3836e
SHA1b2e6788daf7fc37377b32f1d2a0fb2a0ecead5c1
SHA2560f2102eb0ca486085675e50a52f8e7b5843d98a48473905a66c1f52c3445e0db
SHA5127db0247c06e4397aaa84e78d3a1a00fbbcb0017f5c78177f046a86aecc3380f2265157226ae6d6a31546901598894e5521fc16df72995732121b3cfac1d71d6c
-
Filesize
19KB
MD5fe368c679e5077a8aa0f7694d2c29c41
SHA1a7f5b8be426b78bd8a9cb9d5e78e3accc839097c
SHA25612ceb9ff21274b57479c4a4743fe1086e49c5896f33bcdf5e36d4131d269e658
SHA512afcd01b3d1884bdebe3ce3d44c5e31a76b8f5a4c2381d476e0562db6a89afaa66942f51c2e6ff5a2fe05b9924884fb1c33b41410a6a6aeb4ab948bcb10a6588b
-
Filesize
19KB
MD55c5732a82e2428812cc872d9ce06874c
SHA19329888031a3e4e25981a2096fe3fdb3f78c786f
SHA256542abc35cb09140174a98152819bcb8286d3406e181e4b8d812ae69160c3ab5f
SHA512d46c7300da9834859244e58f143b7fd5d3ed1a18c421162ec1f928ad18da63937607d3afc96146167180167d82939d741bbfd64a3e42132c6bc7bd9764dd055b
-
Filesize
19KB
MD52d48b1413b9de0ae8b51042a9a474b35
SHA1e79b312e9df8a6ee4e502a044b9cac59ff633254
SHA2569aa619e05e386607f3d5c180ec551520e234c24a47405459e07ea13761f438ba
SHA5124ac3f207fa9d21f9a299606359ff7c94f6b9b6b9ec58fb811e011aaa3dd3eff8dad8b617be9390438062bf2517362e4f2f0392e430f507440f862906fc57489e
-
Filesize
4.1MB
MD59f5965ffdf58de4decac2fa51fc456e6
SHA15dc9dc74560856288faa329017588aef1d637544
SHA256d6ec0f8d9d9b81234178fa2c4803cdf07f7f547c50fb7498427b159149b02775
SHA512592b416bc3b7ed18beb6449d53e8a78ee831cb2a0b7070f96eb9f95b5b391f4431fab6733fde1c08c1c2362f86e0c9195ef4b45d4fb0a0cd76d91d5c10168d0f
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
3.3MB
-
Filesize
68KB
-
Filesize
304KB
-
Filesize
656KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
84KB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
656KB
-
Filesize
84KB
-
Filesize
68KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
35.2MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
84KB
-
Filesize
56KB
-
Filesize
68KB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
6.5MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
304KB
-
Filesize
104KB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
656KB
-
Filesize
120KB
-
Filesize
208KB
-
Filesize
280KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
35.2MB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
8.9MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
8.9MB
-
Filesize
35.2MB
-
Filesize
4.0MB
-
Filesize
4.0MB