Overview

overview

10

Static

static

10

2024-09-26...ch.exe

windows7-x64

10

2024-09-26...ch.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26-09-2024 12:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe

  • Size

    8.3MB

  • MD5

    bbc984e453abf2fe658869b284a52dbf

  • SHA1

    67efe0a521434db39b9cc93c714f126d3691a8a3

  • SHA256

    74439b64c299dca464dbc4557a4821225567dd301e32c7c367f31c0858e4a7be

  • SHA512

    0d39e250e3fe12a8c69b98ffa55935a2b215d08997aa2205408ded8c572a2293829b497658e5b3af9ec70aad88edd04e209359abee6afd71d15f018ce555a170

  • SSDEEP

    98304:0kIhs4Oy515t3t/lsWbb0HEY8b/1qhZytTD5iq:0kws4RlzPwOshwN

Score
10/10
gluptebadiscoverydropperevasionloaderpersistenceprivilege_escalationrootkittrojan

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 1 IoCs
  • Windows security bypass 2 TTPs 7 IoCs
    evasiontrojan
  • Modifies boot configuration data using bcdedit 14 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Possible attempt to disable PatchGuard 2 TTPs

    Rootkits can use kernel patching to embed themselves in an operating system.

    evasion
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 13 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Manipulates WinMon driver. 1 IoCs

    Roottkits write to WinMon to hide PIDs from being detected.

    rootkitevasion
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 3 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 7 IoCs
    evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:800
    • C:\Users\Admin\AppData\Local\Temp\2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe"
      2⤵
      • Windows security bypass
      • Loads dropped DLL
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2080
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • Modifies data under HKEY_USERS
          PID:2660
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe ""
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Manipulates WinMon driver.
        • Manipulates WinMonFS driver.
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2496
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:592
        • C:\Windows\system32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:768
          • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
            "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Modifies system certificate store
            • Suspicious use of WriteProcessMemory
            PID:572
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:2148
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:2372
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:2168
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:2336
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:1624
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:1360
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:1180
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:2044
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:900
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:956
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:700
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -timeout 0
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:1276
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:2300
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:2532
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\Sysnative\bcdedit.exe /v
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:1516
          • C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
            4⤵
            • Executes dropped EXE
            PID:1692
          • C:\Windows\system32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2776
    • C:\Windows\system32\makecab.exe
      "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240926123424.log C:\Windows\Logs\CBS\CbsPersist_20240926123424.cab
      1⤵
      • Drops file in Windows directory
      PID:2764

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Event Triggered Execution

    1
    T1546

    Netsh Helper DLL

    1
    T1546.007

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Event Triggered Execution

    1
    T1546

    Netsh Helper DLL

    1
    T1546.007

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Impair Defenses

    4
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Disable or Modify Tools

    2
    T1562.001

    Modify Registry

    4
    T1112

    Subvert Trust Controls

    1
    T1553

    Install Root Certificate

    1
    T1553.004

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Web Service

    1
    T1102

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
      Filesize

      8.3MB

      MD5

      fd2727132edd0b59fa33733daa11d9ef

      SHA1

      63e36198d90c4c2b9b09dd6786b82aba5f03d29a

      SHA256

      3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

      SHA512

      3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
      Filesize

      492KB

      MD5

      fafbf2197151d5ce947872a4b0bcbe16

      SHA1

      a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

      SHA256

      feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

      SHA512

      acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

      Download Submit

    • \Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      Filesize

      94KB

      MD5

      d98e78fd57db58a11f880b45bb659767

      SHA1

      ab70c0d3bd9103c07632eeecee9f51d198ed0e76

      SHA256

      414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

      SHA512

      aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

      Download Submit

    • \Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • \Users\Admin\AppData\Local\Temp\csrss\patch.exe
      Filesize

      1.7MB

      MD5

      13aaafe14eb60d6a718230e82c671d57

      SHA1

      e039dd924d12f264521b8e689426fb7ca95a0a7b

      SHA256

      f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

      SHA512

      ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

      Download Submit

    • \Users\Admin\AppData\Local\Temp\dbghelp.dll
      Filesize

      1.5MB

      MD5

      f0616fa8bc54ece07e3107057f74e4db

      SHA1

      b33995c4f9a004b7d806c4bb36040ee844781fca

      SHA256

      6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

      SHA512

      15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

      Download Submit

    • \Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
      Filesize

      5.3MB

      MD5

      1afff8d5352aecef2ecd47ffa02d7f7d

      SHA1

      8b115b84efdb3a1b87f750d35822b2609e665bef

      SHA256

      c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

      SHA512

      e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

      Download Submit

    • \Users\Admin\AppData\Local\Temp\osloader.exe
      Filesize

      591KB

      MD5

      e2f68dc7fbd6e0bf031ca3809a739346

      SHA1

      9c35494898e65c8a62887f28e04c0359ab6f63f5

      SHA256

      b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

      SHA512

      26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

      Download Submit

    • \Users\Admin\AppData\Local\Temp\symsrv.dll
      Filesize

      163KB

      MD5

      5c399d34d8dc01741269ff1f1aca7554

      SHA1

      e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

      SHA256

      e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

      SHA512

      8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

      Download Submit

    • \Windows\rss\csrss.exe
      Filesize

      8.3MB

      MD5

      bbc984e453abf2fe658869b284a52dbf

      SHA1

      67efe0a521434db39b9cc93c714f126d3691a8a3

      SHA256

      74439b64c299dca464dbc4557a4821225567dd301e32c7c367f31c0858e4a7be

      SHA512

      0d39e250e3fe12a8c69b98ffa55935a2b215d08997aa2205408ded8c572a2293829b497658e5b3af9ec70aad88edd04e209359abee6afd71d15f018ce555a170

      Download Submit

    • memory/572-27-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/572-33-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download