Overview

overview

10

Static

static

1

6566ff53ea...cs.exe

windows7-x64

10

6566ff53ea...cs.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6566ff53eaf6bfbe8ad855a5fa34cb80_NeikiAnalytics.exe

  • Size

    4.2MB

  • Sample

    240617-jr5l7avfnm

  • MD5

    6566ff53eaf6bfbe8ad855a5fa34cb80

  • SHA1

    6643951875ae197672b3194078e46e8d9e3b4e2e

  • SHA256

    6a1b8a5fdc904ee34e5ef720da98b9d22fb7804ba1c99643118e312d8267a298

  • SHA512

    cfce6cfacbb07d3f7e29308f41f240636d4a988911e39e5f1865dc8dd87369f4e44b7aa4ced2b7c06bde684dd2f81ef9b9a4eff4d4e35ecd86715476013ad122

  • SSDEEP

    98304:VuMksqipP1XHlFWFXwmFrGSppmsRKA6e2iRIo9R1q7CHc:Rks3vXHKFwmqsRR/2MI8a7C8

Score
10/10
gluptebadiscoverydropperevasionexecutionloaderpersistencerootkittrojan

Malware Config

Targets

    • Target

      6566ff53eaf6bfbe8ad855a5fa34cb80_NeikiAnalytics.exe

    • Size

      4.2MB

    • MD5

      6566ff53eaf6bfbe8ad855a5fa34cb80

    • SHA1

      6643951875ae197672b3194078e46e8d9e3b4e2e

    • SHA256

      6a1b8a5fdc904ee34e5ef720da98b9d22fb7804ba1c99643118e312d8267a298

    • SHA512

      cfce6cfacbb07d3f7e29308f41f240636d4a988911e39e5f1865dc8dd87369f4e44b7aa4ced2b7c06bde684dd2f81ef9b9a4eff4d4e35ecd86715476013ad122

    • SSDEEP

      98304:VuMksqipP1XHlFWFXwmFrGSppmsRKA6e2iRIo9R1q7CHc:Rks3vXHKFwmqsRR/2MI8a7C8

    Score
    10/10
    gluptebadiscoverydropperevasionloaderpersistencerootkittrojanexecution

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba payload

    • Windows security bypass

      evasiontrojan

    • Modifies Windows Firewall

      evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Manipulates WinMonFS driver.

      Roottkits write to WinMonFS to hide directories/files from being detected.

      rootkitevasion

    • Modifies boot configuration data using bcdedit

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Impair Defenses

3
T1562

Disable or Modify Tools

2
T1562.001

Disable or Modify System Firewall

1
T1562.004

Modify Registry

4
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks