Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
24-05-2024 15:41
General
-
Target
5fe91888334e7f87e9fc44d33eaf9be0_NeikiAnalytics.exe
-
Size
4.1MB
-
MD5
5fe91888334e7f87e9fc44d33eaf9be0
-
SHA1
cc472952110df8fc1a27f22f6d1ad3a073dfb568
-
SHA256
f306f8ee98f47d3c97f01fc00b733bf2bcef4289930d4385e0ee18a311c646ed
-
SHA512
52bd3104f5916e0fbba078278e46af0c9553f2d49fc6e09702c9f28d1c6274723a44fc77a37de4a998a34ecb3859127fe1506ef5de5aadaf8b6779d3a93ef933
-
SSDEEP
98304:GQAQcsa3GhfWYEvpb4LdECaqY+VYhFzXw/u5g9cAd9nB:GQAQcDPYxuCJe7X5ghfB
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 19 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Using powershell.exe command.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5fe91888334e7f87e9fc44d33eaf9be0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\5fe91888334e7f87e9fc44d33eaf9be0_NeikiAnalytics.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\5fe91888334e7f87e9fc44d33eaf9be0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\5fe91888334e7f87e9fc44d33eaf9be0_NeikiAnalytics.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gg1sl4ee.bbl.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD52d7beead0ac6951fca898fb5a41b9718
SHA12c201713b9f82c00b9938151dbc7a59adc271e11
SHA256996448c05a33ad2e4a242166e3fa4c0b2fc0dd3d52449021d591f2cf59874e63
SHA5121d8181a3b4588ef0b654b0c66ff7299b1216103ee768623ca27e3b1b935ae72b7a82c2d07c5972d1c9d829b4327a631c906940fc83bacc92867acf038820e3c6
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD511b956be25ae4b0852c50103e6d12db8
SHA129119496705f5d10b6b8db83375c41f10ced793b
SHA256fc85518302ef6d47f4a9205e35cca7d9675efcb06fe665a41bb4730aadebb2b1
SHA51205c8f5b647531b36f6766057d6f7691012054cad2f5fa075fadeaf3d64c43a8f0c8563bbfd9b582eceec3be685e3791df5f4d9630e0af209fc7ba7664119abe7
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD55679449386f2e9ad1cf157722ea81aa3
SHA1bb98adf4eecf5aecc236423bad4a6a931b15cdb5
SHA2567864d811617e8e2f5b55f0e3f176c935db22e2ddecdf4e393d758bc3910451e5
SHA512969d1f33a9f315abff82393c57c14ce948d1cca6230c624fb431928db83f48f0320a939e605db9c38d9b1b678b973d18b7572e0d0dc59f58afbde4fd364858c8
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD509fd101aecb5ecc84f49500dd0af9505
SHA13aba96ca9afa10c9fdca85e2eb99c455b952ab4f
SHA2564d75fbafd5cca7f0d2652a9a536c2f55e864ab56954f1aad90af3ff1ff04dc46
SHA5124c12d34444b8fd9ebcb5bb54e11b0488f89642613e68096737f60e7dcf2f09df6ca3df08752ad8917fca83d2d077eb509a7445a7bcaf14cea1e867c7d788feea
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5af9970862d72fb6713df963a8750c297
SHA1f0181ebdde47e50c326228b9205a89ba63cb8805
SHA256a42b05ee22011bd5d627de3f8d2d7628e004f72065a8d6e1e93707e3d267dbde
SHA512326875d86b921bb9c7b6e915ec0f3f32b9d10655c711a7b81854663f33a1dda2a4daa78ab5c0080aea10d398883c2a2268a41b5d64491c2d78635c5646658910
-
C:\Windows\rss\csrss.exeFilesize
4.1MB
MD55fe91888334e7f87e9fc44d33eaf9be0
SHA1cc472952110df8fc1a27f22f6d1ad3a073dfb568
SHA256f306f8ee98f47d3c97f01fc00b733bf2bcef4289930d4385e0ee18a311c646ed
SHA51252bd3104f5916e0fbba078278e46af0c9553f2d49fc6e09702c9f28d1c6274723a44fc77a37de4a998a34ecb3859127fe1506ef5de5aadaf8b6779d3a93ef933
-
memory/516-176-0x0000000005D50000-0x0000000005D9C000-memory.dmpFilesize
304KB
-
memory/516-174-0x0000000005620000-0x0000000005974000-memory.dmpFilesize
3.3MB
-
memory/516-177-0x0000000070270000-0x00000000702BC000-memory.dmpFilesize
304KB
-
memory/516-178-0x0000000070860000-0x0000000070BB4000-memory.dmpFilesize
3.3MB
-
memory/516-188-0x0000000006F70000-0x0000000007013000-memory.dmpFilesize
652KB
-
memory/516-189-0x0000000007280000-0x0000000007291000-memory.dmpFilesize
68KB
-
memory/516-190-0x0000000005AE0000-0x0000000005AF4000-memory.dmpFilesize
80KB
-
memory/1052-162-0x0000000000400000-0x0000000002733000-memory.dmpFilesize
35.2MB
-
memory/1840-28-0x0000000007220000-0x0000000007252000-memory.dmpFilesize
200KB
-
memory/1840-7-0x0000000074450000-0x0000000074C00000-memory.dmpFilesize
7.7MB
-
memory/1840-30-0x0000000070A70000-0x0000000070DC4000-memory.dmpFilesize
3.3MB
-
memory/1840-29-0x00000000702F0000-0x000000007033C000-memory.dmpFilesize
304KB
-
memory/1840-40-0x0000000007260000-0x000000000727E000-memory.dmpFilesize
120KB
-
memory/1840-4-0x000000007445E000-0x000000007445F000-memory.dmpFilesize
4KB
-
memory/1840-41-0x0000000007280000-0x0000000007323000-memory.dmpFilesize
652KB
-
memory/1840-42-0x0000000007370000-0x000000000737A000-memory.dmpFilesize
40KB
-
memory/1840-43-0x0000000074450000-0x0000000074C00000-memory.dmpFilesize
7.7MB
-
memory/1840-44-0x0000000007480000-0x0000000007516000-memory.dmpFilesize
600KB
-
memory/1840-45-0x0000000007380000-0x0000000007391000-memory.dmpFilesize
68KB
-
memory/1840-46-0x0000000074450000-0x0000000074C00000-memory.dmpFilesize
7.7MB
-
memory/1840-47-0x00000000073C0000-0x00000000073CE000-memory.dmpFilesize
56KB
-
memory/1840-48-0x00000000073E0000-0x00000000073F4000-memory.dmpFilesize
80KB
-
memory/1840-49-0x0000000007420000-0x000000000743A000-memory.dmpFilesize
104KB
-
memory/1840-50-0x0000000007410000-0x0000000007418000-memory.dmpFilesize
32KB
-
memory/1840-53-0x0000000074450000-0x0000000074C00000-memory.dmpFilesize
7.7MB
-
memory/1840-5-0x00000000026A0000-0x00000000026D6000-memory.dmpFilesize
216KB
-
memory/1840-6-0x0000000005050000-0x0000000005678000-memory.dmpFilesize
6.2MB
-
memory/1840-17-0x00000000056F0000-0x0000000005A44000-memory.dmpFilesize
3.3MB
-
memory/1840-11-0x0000000005680000-0x00000000056E6000-memory.dmpFilesize
408KB
-
memory/1840-22-0x0000000005CB0000-0x0000000005CCE000-memory.dmpFilesize
120KB
-
memory/1840-10-0x0000000004F70000-0x0000000004FD6000-memory.dmpFilesize
408KB
-
memory/1840-23-0x0000000005CE0000-0x0000000005D2C000-memory.dmpFilesize
304KB
-
memory/1840-9-0x0000000004ED0000-0x0000000004EF2000-memory.dmpFilesize
136KB
-
memory/1840-26-0x00000000076F0000-0x0000000007D6A000-memory.dmpFilesize
6.5MB
-
memory/1840-24-0x0000000006230000-0x0000000006274000-memory.dmpFilesize
272KB
-
memory/1840-27-0x0000000007070000-0x000000000708A000-memory.dmpFilesize
104KB
-
memory/1840-8-0x0000000074450000-0x0000000074C00000-memory.dmpFilesize
7.7MB
-
memory/1840-25-0x0000000006DC0000-0x0000000006E36000-memory.dmpFilesize
472KB
-
memory/2044-82-0x0000000007730000-0x0000000007744000-memory.dmpFilesize
80KB
-
memory/2044-81-0x00000000076E0000-0x00000000076F1000-memory.dmpFilesize
68KB
-
memory/2044-80-0x0000000007490000-0x0000000007533000-memory.dmpFilesize
652KB
-
memory/2044-69-0x00000000703F0000-0x000000007043C000-memory.dmpFilesize
304KB
-
memory/2044-70-0x0000000070B90000-0x0000000070EE4000-memory.dmpFilesize
3.3MB
-
memory/2044-68-0x0000000006220000-0x000000000626C000-memory.dmpFilesize
304KB
-
memory/2044-60-0x0000000005B60000-0x0000000005EB4000-memory.dmpFilesize
3.3MB
-
memory/2228-97-0x00000000703F0000-0x000000007043C000-memory.dmpFilesize
304KB
-
memory/2228-98-0x0000000070BB0000-0x0000000070F04000-memory.dmpFilesize
3.3MB
-
memory/2228-91-0x0000000005D00000-0x0000000006054000-memory.dmpFilesize
3.3MB
-
memory/2424-120-0x00000000703F0000-0x000000007043C000-memory.dmpFilesize
304KB
-
memory/2424-121-0x0000000070590000-0x00000000708E4000-memory.dmpFilesize
3.3MB
-
memory/2424-118-0x0000000005E60000-0x00000000061B4000-memory.dmpFilesize
3.3MB
-
memory/4020-150-0x00000000704D0000-0x0000000070824000-memory.dmpFilesize
3.3MB
-
memory/4020-160-0x0000000006D20000-0x0000000006DC3000-memory.dmpFilesize
652KB
-
memory/4020-161-0x0000000005460000-0x0000000005471000-memory.dmpFilesize
68KB
-
memory/4020-149-0x0000000070350000-0x000000007039C000-memory.dmpFilesize
304KB
-
memory/4020-163-0x00000000054A0000-0x00000000054B4000-memory.dmpFilesize
80KB
-
memory/4020-148-0x0000000005B40000-0x0000000005B8C000-memory.dmpFilesize
304KB
-
memory/4020-146-0x0000000005600000-0x0000000005954000-memory.dmpFilesize
3.3MB
-
memory/4296-3-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/4296-234-0x0000000000400000-0x0000000002733000-memory.dmpFilesize
35.2MB
-
memory/4296-56-0x0000000004930000-0x000000000521B000-memory.dmpFilesize
8.9MB
-
memory/4296-1-0x0000000004520000-0x0000000004921000-memory.dmpFilesize
4.0MB
-
memory/4296-244-0x0000000000400000-0x0000000002733000-memory.dmpFilesize
35.2MB
-
memory/4296-54-0x0000000000400000-0x0000000002733000-memory.dmpFilesize
35.2MB
-
memory/4296-242-0x0000000000400000-0x0000000002733000-memory.dmpFilesize
35.2MB
-
memory/4296-240-0x0000000000400000-0x0000000002733000-memory.dmpFilesize
35.2MB
-
memory/4296-2-0x0000000004930000-0x000000000521B000-memory.dmpFilesize
8.9MB
-
memory/4296-217-0x0000000000400000-0x0000000002733000-memory.dmpFilesize
35.2MB
-
memory/4296-222-0x0000000000400000-0x0000000002733000-memory.dmpFilesize
35.2MB
-
memory/4296-224-0x0000000000400000-0x0000000002733000-memory.dmpFilesize
35.2MB
-
memory/4296-226-0x0000000000400000-0x0000000002733000-memory.dmpFilesize
35.2MB
-
memory/4296-228-0x0000000000400000-0x0000000002733000-memory.dmpFilesize
35.2MB
-
memory/4296-231-0x0000000000400000-0x0000000002733000-memory.dmpFilesize
35.2MB
-
memory/4296-232-0x0000000000400000-0x0000000002733000-memory.dmpFilesize
35.2MB
-
memory/4296-57-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/4296-236-0x0000000000400000-0x0000000002733000-memory.dmpFilesize
35.2MB
-
memory/4296-238-0x0000000000400000-0x0000000002733000-memory.dmpFilesize
35.2MB
-
memory/4308-204-0x0000000070A10000-0x0000000070D64000-memory.dmpFilesize
3.3MB
-
memory/4308-203-0x0000000070270000-0x00000000702BC000-memory.dmpFilesize
304KB
-
memory/4308-192-0x0000000005D80000-0x00000000060D4000-memory.dmpFilesize
3.3MB