Analysis
- Max time kernel: 149s
- Max time network: 150s
- Platform: windows7_x64
- Resource: win7-20240221-en
- Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- Submitted: 21/03/2024, 03:56
- Static task static1
- Behavioral task behavioral1: sample RefTechnical Drawing Sheet.exe, resource win7-20240221-en
- Behavioral task behavioral2: sample RefTechnical Drawing Sheet.exe, resource win10v2004-20240226-en
- Behavioral task behavioral3: sample Bedwarmer.ps1, resource win7-20240221-en
- Behavioral task behavioral4: sample Bedwarmer.ps1, resource win10v2004-20240226-en
General
- Target: RefTechnical Drawing Sheet.exe
- Size: 963KB
- MD5: 2f96e6fd36ceec8c32dcc6c7607a87bd
- SHA1: 89b9bd60c39a582da440112f12f939c90102d567
- SHA256: 11bfafb62ab5e5c115862409c849f069dc0903abf0f864783bea73472db19932
- SHA512: 755e29062263821fac7c37be3dd7e0b980804adbe301d1945c9098ca1cb8ae57f293a022a2e11677e404bac323b4e5995d4c57d45c2edb13595ff151547993b9
- SSDEEP: 12288:wbZfqmfr+7Iz6tuhHr2WX3rLKJQEKKHP9SxG4A1wF7dieRJ14BEtIX2UgGj+Xtah:wbZCmf67FtuZFX3KJQgl4KEoEoePUF3Z
Malware Config
Signatures
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  - Key opened: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (wab.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (wab.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (wab.exe)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  - flow 5: drive.google.com
  - flow 3: drive.google.com
- Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  - PID 2468 wab.exe (2 entries)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  - PID 1852 powershell.exe
  - PID 2468 wab.exe
- Suspicious use of SetThreadContext (1 IoC)
  - PID 1852 (powershell.exe) set thread context of 2468 (procid_target 32)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  - PID 1852 powershell.exe (8 entries)
- Suspicious behavior: MapViewOfSection (1 IoC)
  - PID 1852 powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 1852 powershell.exe
  - Token: SeDebugPrivilege, PID 2468 wab.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  - PID 756 (RefTechnical Drawing Sheet.exe) wrote to memory of 1852 (procid_target 28), 4 entries
  - PID 1852 (powershell.exe) wrote to memory of 2196 (procid_target 30), 4 entries
  - PID 1852 (powershell.exe) wrote to memory of 2468 (procid_target 32), 6 entries
- outlook_office_path (1 IoC)
  - Key opened: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (wab.exe)
- outlook_win_path (1 IoC)
  - Key opened: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (wab.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\RefTechnical Drawing Sheet.exe (PID 756)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RefTechnical Drawing Sheet.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1852)
    Command line: "powershell.exe" -windowstyle hidden "$Trykimprgnerede=Get-Content 'C:\Users\Admin\AppData\Local\butikstiders\Sjunger\Bedwarmer.Hom';$Ekstraparlementarisk=$Trykimprgnerede.SubString(59534,3);.$Ekstraparlementarisk($Trykimprgnerede)"
    Signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2196)
      Command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
    - C:\Program Files (x86)\windows mail\wab.exe (PID 2468)
      Command line: "C:\Program Files (x86)\windows mail\wab.exe"
      Signatures: Accesses Microsoft Outlook profiles; Suspicious use of NtCreateThreadExHideFromDebugger; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of AdjustPrivilegeToken; outlook_office_path; outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads