Analysis
-
max time kernel
37s -
max time network
67s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
12/03/2024, 02:45
Static task
static1
Behavioral task
behavioral1
Sample
665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240226-en
General
-
Target
665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea.exe
-
Size
551KB
-
MD5
341dab4037e9eff3fa0f34fb8382f30c
-
SHA1
9833559bcda07e6976364672f6b7c8bcef84571f
-
SHA256
665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea
-
SHA512
bd0d81ddde528f9987f749f9789d6a32300c7eef5d98593c4fc708d0352d0c8828982482894bd8ac9e768e320f4ba5fede2ecd8937a461dadad4015be2940f3d
-
SSDEEP
6144:ImOP0pJkkuNjE241F13gyLWoz6XVasKvGSz7tvIPykUn5CRFaPyCoUtU7Hi8R55i:pkNE2cL3rKou+vGEZvx5CD1W4i83bWL
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Loads dropped DLL 1 IoCs
pid Process 4484 665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea.exe Key opened \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook 665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea.exe Key opened \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook 665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 50 drive.google.com 51 drive.google.com -
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
pid Process 4464 665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea.exe 4464 665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 4484 665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea.exe 4464 665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4484 set thread context of 4464 4484 665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea.exe 99 -
Drops file in Program Files directory 3 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Common Files\underskrider.pha 665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea.exe File opened for modification C:\Program Files (x86)\likvidationer\glamorise.ini 665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea.exe File opened for modification C:\Program Files (x86)\Common Files\unvariegated\Enker.non 665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\resources\0409\frugtsaftens.urs 665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea.exe File opened for modification C:\Windows\resources\0409\Escapee246\svingturenes.ini 665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea.exe File opened for modification C:\Windows\overrealistic.ini 665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 4484 665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4484 wrote to memory of 4464 4484 665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea.exe 99 PID 4484 wrote to memory of 4464 4484 665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea.exe 99 PID 4484 wrote to memory of 4464 4484 665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea.exe 99 PID 4484 wrote to memory of 4464 4484 665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea.exe 99 PID 4484 wrote to memory of 4464 4484 665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea.exe 99 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook 665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea.exe"C:\Users\Admin\AppData\Local\Temp\665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Users\Admin\AppData\Local\Temp\665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea.exe"C:\Users\Admin\AppData\Local\Temp\665b8dea01643cce577cc8cc6cc1677e78cbf4559b7c0fbd0446dee65970b4ea.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- outlook_office_path
- outlook_win_path
PID:4464
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD59625d5b1754bc4ff29281d415d27a0fd
SHA180e85afc5cccd4c0a3775edbb90595a1a59f5ce0
SHA256c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
SHA512dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b