| File name: | app.exe |
| Full analysis: | https://app.any.run/tasks/692fb4ea-1cee-4906-baaa-a119c45fe9c2 |
| Verdict: | Malicious activity |
| Threats: | Glupteba is a loader with information-stealing and traffic routing functionality. It is designed primarily to install other viruses on infected PCs but can do much more than that. In addition, it is being constantly updated, making this virus one to watch out for. |
| Analysis date: | December 03, 2019, 12:43:58 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 8A3DE76D6367611E3BFDB2766DD3D70C |
| SHA1: | 0296B09D66C24902359B0B414E7EAF64862774AA |
| SHA256: | 1FAFC153ADA2B934B2104DF7B5827AFBB5D503A30B1C9B5729EDD32408B5E8A6 |
| SSDEEP: | 98304:kWWYJZwPkvE7uGnuLd4LbmuR4JzJ5iNItsKo5/cuH:W2U97xCuuNTiNItGJ |
MALICIOUS
Connects to CnC server
- app.exe (PID: 2772)
- csrss.exe (PID: 284)
Known privilege escalation attack
- app.exe (PID: 2772)
GLUPTEBA was detected
- app.exe (PID: 2772)
- app.exe (PID: 2968)
- csrss.exe (PID: 284)
- windefender.exe (PID: 2364)
Changes settings of System certificates
- csrss.exe (PID: 284)
- app.exe (PID: 2772)
Changes the autorun value in the registry
- app.exe (PID: 2968)
Loads the Task Scheduler COM API
- schtasks.exe (PID: 1600)
- schtasks.exe (PID: 2752)
Modifies exclusions in Windows Defender
- app.exe (PID: 2968)
Uses Task Scheduler to autorun other applications
- csrss.exe (PID: 284)
Application was dropped or rewritten from another process
- windefender.exe (PID: 2364)
- windefender.exe (PID: 2188)
SUSPICIOUS
Application launched itself
- app.exe (PID: 3028)
Starts CMD.EXE for commands execution
- app.exe (PID: 2968)
- app.exe (PID: 2772)
- csrss.exe (PID: 284)
- windefender.exe (PID: 2364)
Reads the machine GUID from the registry
- csrss.exe (PID: 284)
- app.exe (PID: 2772)
Executable content was dropped or overwritten
- app.exe (PID: 2968)
- csrss.exe (PID: 284)
Uses NETSH.EXE for network configuration
- cmd.exe (PID: 2348)
- cmd.exe (PID: 444)
Creates files in the Windows directory
- app.exe (PID: 2968)
- csrss.exe (PID: 284)
Starts itself from another location
- app.exe (PID: 2968)
Modifies the open verb of a shell class
- app.exe (PID: 2772)
Creates files in the driver directory
- csrss.exe (PID: 284)
Executed as Windows Service
- windefender.exe (PID: 2188)
Adds / modifies Windows certificates
- app.exe (PID: 2772)
- csrss.exe (PID: 284)
Starts SC.EXE for service management
- cmd.exe (PID: 3388)
- cmd.exe (PID: 2888)
- cmd.exe (PID: 2796)
- cmd.exe (PID: 3796)
Searches for installed software
- csrss.exe (PID: 284)
INFO
Reads settings of System Certificates
- app.exe (PID: 2772)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.2) |
| .exe | | | Win32 Executable (generic) (9.7) |
| .exe | | | Generic Win/DOS Executable (4.3) |
| .exe | | | DOS Executable Generic (4.3) |
EXIF
EXE
| FileSubtype: | - |
|---|---|
| ObjectFileType: | Executable application |
| FileOS: | Windows NT 32-bit |
| FileFlags: | Debug |
| FileFlagsMask: | 0x003f |
| ProductVersionNumber: | 28.0.0.0 |
| FileVersionNumber: | 28.0.0.0 |
| Subsystem: | Windows GUI |
| SubsystemVersion: | 5 |
| ImageVersion: | - |
| OSVersion: | 5 |
| EntryPoint: | 0x1ceb |
| UninitializedDataSize: | - |
| InitializedDataSize: | 4007424 |
| CodeSize: | 37888 |
| LinkerVersion: | 9 |
| PEType: | PE32 |
| TimeStamp: | 2018:12:08 02:47:25+01:00 |
| MachineType: | Intel 386 or later, and compatibles |
Summary
| Architecture: | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 08-Dec-2018 01:47:25 |
DOS Header
| Magic number: | MZ |
|---|---|
| Bytes on last page of file: | 0x0090 |
| Pages in file: | 0x0003 |
| Relocations: | 0x0000 |
| Size of header: | 0x0004 |
| Min extra paragraphs: | 0x0000 |
| Max extra paragraphs: | 0xFFFF |
| Initial SS value: | 0x0000 |
| Initial SP value: | 0x00B8 |
| Checksum: | 0x0000 |
| Initial IP value: | 0x0000 |
| Initial CS value: | 0x0000 |
| Overlay number: | 0x0000 |
| OEM identifier: | 0x0000 |
| OEM information: | 0x0000 |
| Address of NE header: | 0x000000D8 |
PE Headers
| Signature: | PE |
|---|---|
| Machine: | IMAGE_FILE_MACHINE_I386 |
| Number of sections: | 5 |
| Time date stamp: | 08-Dec-2018 01:47:25 |
| Pointer to Symbol Table: | 0x00000000 |
| Number of symbols: | 0 |
| Size of Optional Header: | 0x00E0 |
| Characteristics: |
|
Sections
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
.text | 0x00001000 | 0x000092D4 | 0x00009400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.58353 |
.rdata | 0x0000B000 | 0x0000224C | 0x00002400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.35535 |
.data | 0x0000E000 | 0x003C4DAC | 0x003A6400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.99862 |
.rsrc | 0x003D3000 | 0x00332BD0 | 0x00008C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.26584 |
.reloc | 0x00706000 | 0x000035E4 | 0x00003600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 1.73075 |
Resources
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
1 | 3.37333 | 524 | UNKNOWN | UNKNOWN | RT_VERSION |
2 | 4.47111 | 2216 | UNKNOWN | UNKNOWN | RT_ICON |
3 | 4.4107 | 1736 | UNKNOWN | UNKNOWN | RT_ICON |
4 | 4.41869 | 1384 | UNKNOWN | UNKNOWN | RT_ICON |
5 | 4.77959 | 9640 | UNKNOWN | UNKNOWN | RT_ICON |
6 | 5.2312 | 4264 | UNKNOWN | UNKNOWN | RT_ICON |
7 | 4.79749 | 2440 | UNKNOWN | UNKNOWN | RT_ICON |
8 | 3.11822 | 478 | UNKNOWN | UNKNOWN | RT_STRING |
9 | 3.25346 | 1096 | UNKNOWN | UNKNOWN | RT_STRING |
10 | 3.76287 | 2216 | UNKNOWN | UNKNOWN | RT_CURSOR |
Imports
ADVAPI32.dll |
KERNEL32.dll |
USER32.dll |
Total processes
73
Monitored processes
24
Malicious processes
7
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2772 | "C:\Users\admin\AppData\Local\Temp\app.exe" | C:\Users\admin\AppData\Local\Temp\app.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 3392 | cmd.exe /C CompMgmtLauncher | C:\Windows\system32\cmd.exe | — | app.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 4016 | CompMgmtLauncher | C:\Windows\system32\CompMgmtLauncher.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Computer Management Snapin Launcher Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1796 | "C:\Windows\system32\CompMgmtLauncher.exe" | C:\Windows\system32\CompMgmtLauncher.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Computer Management Snapin Launcher Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2824 | "C:\Windows\system32\CompMgmtLauncher.exe" | C:\Windows\system32\CompMgmtLauncher.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Computer Management Snapin Launcher Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3028 | "C:\Users\admin\AppData\Local\Temp\app.exe" | C:\Users\admin\AppData\Local\Temp\app.exe | — | CompMgmtLauncher.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 2968 | "C:\Users\admin\AppData\Local\Temp\app.exe" | C:\Users\admin\AppData\Local\Temp\app.exe | app.exe | ||||||||||||
User: SYSTEM Integrity Level: SYSTEM Exit code: 0 Modules
| |||||||||||||||
| 444 | cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" | C:\Windows\system32\cmd.exe | — | app.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2812 | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes | C:\Windows\system32\netsh.exe | — | cmd.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2348 | cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes" | C:\Windows\system32\cmd.exe | — | app.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
1 791
Read events
1 404
Write events
384
Delete events
3
Modification events
| (PID) Process: | (2772) app.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\TestApp |
| Operation: | write | Name: | Name |
Value: AutumnMorning | |||
| (PID) Process: | (2772) app.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\TestApp |
| Operation: | write | Name: | Firewall |
Value: | |||
| (PID) Process: | (2772) app.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\TestApp |
| Operation: | write | Name: | Defender |
Value: | |||
| (PID) Process: | (2772) app.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\TestApp |
| Operation: | write | Name: | Servers |
Value: https://venoxcontrol.com | |||
| (PID) Process: | (2772) app.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\TestApp |
| Operation: | write | Name: | UUID |
Value: | |||
| (PID) Process: | (2772) app.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\TestApp |
| Operation: | write | Name: | Command |
Value: 0000000000000000 | |||
| (PID) Process: | (2772) app.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\TestApp |
| Operation: | write | Name: | FirstInstallDate |
Value: 9F58E65D00000000 | |||
| (PID) Process: | (2772) app.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\TestApp |
| Operation: | write | Name: | ServiceVersion |
Value: | |||
| (PID) Process: | (2772) app.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\TestApp |
| Operation: | write | Name: | SC |
Value: 0000000000000000 | |||
| (PID) Process: | (2772) app.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\TestApp |
| Operation: | write | Name: | PGDSE |
Value: 0000000000000000 | |||
Executable files
5
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 284 | csrss.exe | C:\Windows\windefender.exe | executable | |
MD5:0D0BE9FD3B3B43BB47A22A702DD77820 | SHA256:C33051BDD518A4A41DE46D23CE6EAC4EF941B77B7F9183AEFF3ECF6EED699F44 | |||
| 284 | csrss.exe | C:\Windows\System32\drivers\WinmonFS.sys | executable | |
MD5:0D3A8D67CD969C6E096B4D29E910DD9E | SHA256:EB0BE2AC3833C843214A55B14C31125A7B600D5272BDF322C4871F42627576E4 | |||
| 284 | csrss.exe | C:\Windows\System32\drivers\Winmon.sys | executable | |
MD5:4EF0C39E632279D7B3672D2EFC071E5B | SHA256:889FB266C4C01BB4EF67635249C8DAEB641FC86CE62FC280B34BEEC415FB6129 | |||
| 284 | csrss.exe | C:\Windows\System32\drivers\WinmonProcessMonitor.sys | executable | |
MD5:622FD523A87CB55BE0B676A70C64E8F8 | SHA256:F609C6656A0C451DAFA5173DF0CD848F7CB7F22C4F150F8D16716C12593DE66C | |||
| 2968 | app.exe | C:\Windows\rss\csrss.exe | executable | |
MD5:8A3DE76D6367611E3BFDB2766DD3D70C | SHA256:1FAFC153ADA2B934B2104DF7B5827AFBB5D503A30B1C9B5729EDD32408B5E8A6 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
3
Threats
3
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
284 | csrss.exe | 104.28.29.172:443 | mymindmix.ru | Cloudflare Inc | US | shared |
2772 | app.exe | 104.26.14.130:443 | venoxcontrol.com | Cloudflare Inc | US | shared |
284 | csrss.exe | 104.26.14.130:443 | venoxcontrol.com | Cloudflare Inc | US | shared |
DNS requests
Domain | IP | Reputation |
|---|---|---|
venoxcontrol.com |
| unknown |
mymindmix.ru |
| suspicious |
nxtfdata.xyz |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | A Network Trojan was detected | ET TROJAN Observed Glupteba CnC Domain (venoxcontrol .com in TLS SNI) |
— | — | A Network Trojan was detected | ET TROJAN Observed Glupteba CnC Domain (venoxcontrol .com in TLS SNI) |
— | — | A Network Trojan was detected | ET TROJAN Glupteba CnC Domain in DNS Lookup |