Analysis
-
max time kernel
148s -
max time network
170s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
13-02-2024 05:18
Static task
static1
Behavioral task
behavioral1
Sample
cbfc10741fb440a5c351bb62a9ffbe13d8fb90304925bee56ac6dd54a8e001ac.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
cbfc10741fb440a5c351bb62a9ffbe13d8fb90304925bee56ac6dd54a8e001ac.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20231215-en
General
-
Target
cbfc10741fb440a5c351bb62a9ffbe13d8fb90304925bee56ac6dd54a8e001ac.exe
-
Size
1.1MB
-
MD5
2ac9cd56e3877efa00a0353cde71186f
-
SHA1
d0460a2b1fe30c342216048c4390af045b120146
-
SHA256
cbfc10741fb440a5c351bb62a9ffbe13d8fb90304925bee56ac6dd54a8e001ac
-
SHA512
e78d405d9b92319d396d488e4c104021a224789fabf09a278d252e1aa407cae1ce4d3562f1e6a18bc3151e16049a1a6d3687b6a4578fc4c946349d5292eb9e2d
-
SSDEEP
24576:oS5HuMJiUsl/f4g0lnQFpy54j3BjqgMQUWhypBj:B5o/falnQ+54j3ZftUNBj
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Loads dropped DLL 1 IoCs
pid Process 5068 cbfc10741fb440a5c351bb62a9ffbe13d8fb90304925bee56ac6dd54a8e001ac.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Gaucheries = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Kerykeion126\\Tranlampe231.exe" wab.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 72 drive.google.com 73 drive.google.com -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\threshes.uds cbfc10741fb440a5c351bb62a9ffbe13d8fb90304925bee56ac6dd54a8e001ac.exe File opened for modification C:\Windows\SysWOW64\lohoch.gim cbfc10741fb440a5c351bb62a9ffbe13d8fb90304925bee56ac6dd54a8e001ac.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 5068 cbfc10741fb440a5c351bb62a9ffbe13d8fb90304925bee56ac6dd54a8e001ac.exe 2708 wab.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 5068 set thread context of 2708 5068 cbfc10741fb440a5c351bb62a9ffbe13d8fb90304925bee56ac6dd54a8e001ac.exe 94 -
Drops file in Program Files directory 1 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Common Files\forbandelsernes\kln.lio cbfc10741fb440a5c351bb62a9ffbe13d8fb90304925bee56ac6dd54a8e001ac.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\resources\0409\enchasing.Pet cbfc10741fb440a5c351bb62a9ffbe13d8fb90304925bee56ac6dd54a8e001ac.exe File opened for modification C:\Windows\Fonts\Forters67\Elektrotekniker.wra cbfc10741fb440a5c351bb62a9ffbe13d8fb90304925bee56ac6dd54a8e001ac.exe File opened for modification C:\Windows\Tnkepauses.tro cbfc10741fb440a5c351bb62a9ffbe13d8fb90304925bee56ac6dd54a8e001ac.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 5068 cbfc10741fb440a5c351bb62a9ffbe13d8fb90304925bee56ac6dd54a8e001ac.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 5068 wrote to memory of 2708 5068 cbfc10741fb440a5c351bb62a9ffbe13d8fb90304925bee56ac6dd54a8e001ac.exe 94 PID 5068 wrote to memory of 2708 5068 cbfc10741fb440a5c351bb62a9ffbe13d8fb90304925bee56ac6dd54a8e001ac.exe 94 PID 5068 wrote to memory of 2708 5068 cbfc10741fb440a5c351bb62a9ffbe13d8fb90304925bee56ac6dd54a8e001ac.exe 94 PID 5068 wrote to memory of 2708 5068 cbfc10741fb440a5c351bb62a9ffbe13d8fb90304925bee56ac6dd54a8e001ac.exe 94 PID 5068 wrote to memory of 2708 5068 cbfc10741fb440a5c351bb62a9ffbe13d8fb90304925bee56ac6dd54a8e001ac.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\cbfc10741fb440a5c351bb62a9ffbe13d8fb90304925bee56ac6dd54a8e001ac.exe"C:\Users\Admin\AppData\Local\Temp\cbfc10741fb440a5c351bb62a9ffbe13d8fb90304925bee56ac6dd54a8e001ac.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Program Files (x86)\windows mail\wab.exe"C:\Users\Admin\AppData\Local\Temp\cbfc10741fb440a5c351bb62a9ffbe13d8fb90304925bee56ac6dd54a8e001ac.exe"2⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2708
-
Network
-
Remote address:8.8.8.8:53Request173.178.17.96.in-addr.arpaIN PTRResponse173.178.17.96.in-addr.arpaIN PTRa96-17-178-173deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request232.168.11.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request26.165.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request18.134.221.88.in-addr.arpaIN PTRResponse18.134.221.88.in-addr.arpaIN PTRa88-221-134-18deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request81.171.91.138.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request114.110.16.96.in-addr.arpaIN PTRResponse114.110.16.96.in-addr.arpaIN PTRa96-16-110-114deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request48.229.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request97.17.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request240.221.184.93.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request28.118.140.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestdrive.google.comIN AResponsedrive.google.comIN A172.217.169.46
-
Remote address:8.8.8.8:53Request227.16.217.172.in-addr.arpaIN PTRResponse227.16.217.172.in-addr.arpaIN PTRmad08s04-in-f31e100net227.16.217.172.in-addr.arpaIN PTRlhr48s28-in-f3�H
-
Remote address:8.8.8.8:53Request46.169.217.172.in-addr.arpaIN PTRResponse46.169.217.172.in-addr.arpaIN PTRlhr48s08-in-f141e100net
-
Remote address:8.8.8.8:53Requestdrive.usercontent.google.comIN AResponsedrive.usercontent.google.comIN A142.250.180.1
-
Remote address:8.8.8.8:53Request1.180.250.142.in-addr.arpaIN PTRResponse1.180.250.142.in-addr.arpaIN PTRlhr25s32-in-f11e100net
-
260 B 5
-
1.7kB 10.8kB 16 14
-
2.0kB 13.5kB 20 18
-
72 B 158 B 1 1
DNS Request
232.168.11.51.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
173.178.17.96.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
26.165.165.52.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
18.134.221.88.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
81.171.91.138.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
114.110.16.96.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
48.229.111.52.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
97.17.167.52.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
240.221.184.93.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
28.118.140.52.in-addr.arpa
-
62 B 78 B 1 1
DNS Request
drive.google.com
DNS Response
172.217.169.46
-
73 B 140 B 1 1
DNS Request
227.16.217.172.in-addr.arpa
-
73 B 112 B 1 1
DNS Request
46.169.217.172.in-addr.arpa
-
74 B 90 B 1 1
DNS Request
drive.usercontent.google.com
DNS Response
142.250.180.1
-
72 B 110 B 1 1
DNS Request
1.180.250.142.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD517ed1c86bd67e78ade4712be48a7d2bd
SHA11cc9fe86d6d6030b4dae45ecddce5907991c01a0
SHA256bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb
SHA5120cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5