Overview

overview

10

Static

static

1

Details An...es.exe

windows7-x64

10

Details An...es.exe

windows10-2004-x64

10

Immatrikul...ns.ps1

windows7-x64

8

Immatrikul...ns.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    157s
  • max time network
    162s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    15/03/2024, 02:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Details And Invoices.exe

  • Size

    685KB

  • MD5

    19ab7a94788f74e80ccd992895853796

  • SHA1

    a39d701199164f300f8715e72630ffae0679f86f

  • SHA256

    88bdbcde8b2d570627dc08c006aa9636a69beb588c9a17e651ce783a7450f7f1

  • SHA512

    4f7e2a2a99f29f21b60f5208937dc19cc6f350152fd8147069840261161715fe7ec6637ced5fd7e4f8f60c0d87879f32f33fd45325db4544435afec9b2f9c59a

  • SSDEEP

    12288:3NCe3Ka5ATVEhjHskBmQwwLETQsAVudsBvAFuMricTsN:3NCVaG+jMkcQwBQl4dkvAOUsN

Score
10/10
guloaderdownloader

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Details And Invoices.exe
    "C:\Users\Admin\AppData\Local\Temp\Details And Invoices.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -windowstyle hidden "$Villys=Get-Content 'C:\Users\Admin\AppData\Local\Temp\clinginess\Calycanthemy92\unvitiated\Immatrikulerendes\Trogons.Thi';$Piniferous=$Villys.SubString(25882,3);.$Piniferous($Villys)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
        3⤵
          PID:1108
        • C:\Program Files (x86)\windows mail\wab.exe
          "C:\Program Files (x86)\windows mail\wab.exe"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          PID:2280

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\clinginess\Calycanthemy92\unvitiated\Immatrikulerendes\Trogons.Thi
      Filesize

      53KB

      MD5

      5fd33bf891b22a73cefc7584dab237d7

      SHA1

      c6412a8f00de3c3bf551dc729aeaa95b29e06786

      SHA256

      f0a0b4b3cac5b00ba4d6c865ff4492e2aca2e7521e9da310866512e7ec06a8ad

      SHA512

      744b84aecc85f04f6203e40285bb716b6c24121ec0b2266ee938ddaa195e46d4fb710541f78fe79738e68faff7beb097505c3867f4eea5f90e3e873f2480d110

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\clinginess\Calycanthemy92\unvitiated\Relativpronomens\Sportspc\Defektes\Encist\Ethologically.Reh
      Filesize

      308KB

      MD5

      b01e631f8c811b42b4591226c7d0b090

      SHA1

      4cf771606b7437d16ac5d8e649b7c379c9bfb9e0

      SHA256

      4d94c050d89bab0d92d66c3f70e2aa3dc6732d2c87daa57d60694d1f8f8e8243

      SHA512

      ac1045c977d2d001af655a2956f57a1780f7310d13c5ab6d1d1898cd31e3cd6ad2f8c27c0e1e01497e9b97c504e7bfd50e971d4fb4fbdd957e7dce84c6217c10

      Download Submit

    • C:\Windows\Resources\Mydatoxine.lnk
      Filesize

      1KB

      MD5

      3c193f0561e615fda9adee080fd57198

      SHA1

      4fdc78ac1cafd420b3cb564ad6a1cc27e7872361

      SHA256

      058090487dfca18497415a1b11bbaf3e5708c55485e49c394197f6e84b6eda95

      SHA512

      637f8ebd495579f16a2d40ae8374cb1c072d4cd7fa33aee83bf42b45522d7568695ba09d63ed169d26cca61867e17c414b9696c654b37098e9a8c329de631a32

      Download Submit

    • memory/2280-150-0x0000000000A20000-0x0000000001A82000-memory.dmp

      Filesize

      16.4MB

      Download

    • memory/2280-149-0x0000000001A90000-0x0000000002E13000-memory.dmp

      Filesize

      19.5MB

      Download

    • memory/2280-148-0x0000000077560000-0x0000000077636000-memory.dmp

      Filesize

      856KB

      Download

    • memory/2280-147-0x0000000077596000-0x0000000077597000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2280-146-0x0000000077370000-0x0000000077519000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2280-145-0x0000000001A90000-0x0000000002E13000-memory.dmp

      Filesize

      19.5MB

      Download

    • memory/2704-137-0x0000000002780000-0x00000000027C0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2704-144-0x0000000006380000-0x0000000007703000-memory.dmp

      Filesize

      19.5MB

      Download

    • memory/2704-136-0x0000000073BF0000-0x000000007419B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2704-134-0x0000000073BF0000-0x000000007419B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2704-138-0x0000000006380000-0x0000000007703000-memory.dmp

      Filesize

      19.5MB

      Download

    • memory/2704-139-0x0000000006380000-0x0000000007703000-memory.dmp

      Filesize

      19.5MB

      Download

    • memory/2704-141-0x0000000006080000-0x0000000006180000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2704-142-0x0000000077370000-0x0000000077519000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2704-143-0x0000000077560000-0x0000000077636000-memory.dmp

      Filesize

      856KB

      Download

    • memory/2704-135-0x00000000051B0000-0x00000000051B4000-memory.dmp

      Filesize

      16KB

      Download

    • memory/2704-132-0x0000000006080000-0x0000000006180000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2704-131-0x0000000002780000-0x00000000027C0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2704-126-0x0000000073BF0000-0x000000007419B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2704-127-0x0000000002780000-0x00000000027C0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2704-128-0x0000000002780000-0x00000000027C0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2704-125-0x0000000073BF0000-0x000000007419B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2704-155-0x0000000006380000-0x0000000007703000-memory.dmp

      Filesize

      19.5MB

      Download