Analysis
-
max time kernel
151s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
21/03/2024, 23:31
Static task
static1
Behavioral task
behavioral1
Sample
RefTechnical Drawing Sheet.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
RefTechnical Drawing Sheet.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
Fdrelandskrligehed/Tenuto/Sauria/Handelsbalancerne122.ps1
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
Fdrelandskrligehed/Tenuto/Sauria/Handelsbalancerne122.ps1
Resource
win10v2004-20231215-en
General
-
Target
RefTechnical Drawing Sheet.exe
-
Size
953KB
-
MD5
971bdb03f3caf8bb34464d3629c6fd5a
-
SHA1
2c28ace22924960730814e5a787ffcadde187278
-
SHA256
4abdae9b05fb343406136ff0cf863e8f403dc294578f111a746b125d59c5c91b
-
SHA512
6e160db5481a91b18bfee7ecdd7a1a18150072f5c518b351c6ffa36f2b176ee46318e61c42b58e00278dc926446e5b040aa85e42ab610faf9bd8822d7bc4bcd2
-
SSDEEP
24576:lbZCmf67FtuZFX3KJQgI/tpWrZAOWaTUF3w:N3f67FtuZB3oQNpWDWawF3w
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook wab.exe Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook wab.exe Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook wab.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 57 drive.google.com 58 drive.google.com -
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
pid Process 4896 wab.exe 4896 wab.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2200 powershell.exe 4896 wab.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2200 set thread context of 4896 2200 powershell.exe 112 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 2200 powershell.exe 2200 powershell.exe 2200 powershell.exe 2200 powershell.exe 2200 powershell.exe 2200 powershell.exe 2200 powershell.exe 2200 powershell.exe 2200 powershell.exe 2200 powershell.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2200 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2200 powershell.exe Token: SeDebugPrivilege 4896 wab.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2820 wrote to memory of 2200 2820 RefTechnical Drawing Sheet.exe 98 PID 2820 wrote to memory of 2200 2820 RefTechnical Drawing Sheet.exe 98 PID 2820 wrote to memory of 2200 2820 RefTechnical Drawing Sheet.exe 98 PID 2200 wrote to memory of 4292 2200 powershell.exe 102 PID 2200 wrote to memory of 4292 2200 powershell.exe 102 PID 2200 wrote to memory of 4292 2200 powershell.exe 102 PID 2200 wrote to memory of 4896 2200 powershell.exe 112 PID 2200 wrote to memory of 4896 2200 powershell.exe 112 PID 2200 wrote to memory of 4896 2200 powershell.exe 112 PID 2200 wrote to memory of 4896 2200 powershell.exe 112 PID 2200 wrote to memory of 4896 2200 powershell.exe 112 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook wab.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook wab.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\RefTechnical Drawing Sheet.exe"C:\Users\Admin\AppData\Local\Temp\RefTechnical Drawing Sheet.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -windowstyle hidden "$Designeringen=Get-Content 'C:\Users\Admin\AppData\Local\butikstiders\Sjunger\Fdrelandskrligehed\Tenuto\Sauria\Handelsbalancerne122.San';$Indiciets=$Designeringen.SubString(58339,3);.$Indiciets($Designeringen)"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"3⤵PID:4292
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"3⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4896
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4168 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:81⤵PID:3340
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\butikstiders\Sjunger\Fdrelandskrligehed\Tenuto\Sauria\Handelsbalancerne122.San
Filesize57KB
MD50c865acf7c347c6dd359f98c8251a9bc
SHA1dc6ad24450f7a966e5c090abce2ec06f23cef9ae
SHA25600f3155ff5edff6c7b7286095854eae05446345e358018fee4c5fb141a458d7e
SHA512a7ead01800f440b0d4e8f07040818ed72ff1c768cb44ffc1823230b5bee96238b25373a652be4509c88cb371772da1061f5b14b3fa5a7e1e7833dc07d56f1aaa
-
Filesize
331KB
MD52bacc6e73f38a23b51232641499c7f06
SHA1a025b456d210fc55f396701e268fba2f3949905d
SHA2566225888e9e81bb79d091fcb742c75f5e5b38b0bf46836a1dcaeb7eaa680f6cc8
SHA512bf1996b6da8b026315a95fd71d61d4b730a37af1e461d2f8f42a57027aff5e914bfc121d41d00f38ae59e2f02c3bf43ce507f692742b3d84d9c1cce272ca6f79