Analysis
max time kernel: 147s
max time network: 146s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 21/03/2024, 07:30
Static task: static1
Behavioral task: behavioral1
  Sample: Request For Quotation Details_Ref.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: Request For Quotation Details_Ref.exe
  Resource: win10v2004-20240226-en
Behavioral task: behavioral3
  Sample: Fangarme/Unfrocked/Beside.ps1
  Resource: win7-20240221-en
Behavioral task: behavioral4
  Sample: Fangarme/Unfrocked/Beside.ps1
  Resource: win10v2004-20240226-en
General
Target: Request For Quotation Details_Ref.exe
Size: 963KB
MD5: 67427fb1fb379997467716984fe0a9ab
SHA1: 091aef3b23437ea50aa98200559b988d00802f47
SHA256: 6672c4dd15ff126d4b6fe7efb05fde64485256dd3ce739e0df983cf26c7d553c
SHA512: eab16dc2f49784cf5f91b4886d4323dc162b9ab290a607cbf101b762a4a455357973d432fa898b5a5ce26e2c27e0ee0718ec28d43bb145733f45ae2c944672dc
SSDEEP: 24576:3bZCmf67FtuZFX3KJQgSAA530CswlA+6dqdvpoUF3r:r3f67FtuZB3oQFms1F3r
Malware Config
Signatures

Guloader, Cloudeye
A shellcode based downloader first seen in 2020.

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | wab.exe
Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | wab.exe
Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | wab.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow | ioc
4 | drive.google.com
5 | drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
pid | Process
656 | wab.exe
656 | wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process
2368 | powershell.exe
656 | wab.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2368 set thread context of 656 | 2368 | powershell.exe | 34
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
2368 | powershell.exe
2368 | powershell.exe
2368 | powershell.exe
2368 | powershell.exe
2368 | powershell.exe
2368 | powershell.exe
2368 | powershell.exe
2368 | powershell.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
pid | Process
2368 | powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2368 | powershell.exe
Token: SeDebugPrivilege | 656 | wab.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 2236 wrote to memory of 2368 | 2236 | Request For Quotation Details_Ref.exe | 30
PID 2236 wrote to memory of 2368 | 2236 | Request For Quotation Details_Ref.exe | 30
PID 2236 wrote to memory of 2368 | 2236 | Request For Quotation Details_Ref.exe | 30
PID 2236 wrote to memory of 2368 | 2236 | Request For Quotation Details_Ref.exe | 30
PID 2368 wrote to memory of 1976 | 2368 | powershell.exe | 32
PID 2368 wrote to memory of 1976 | 2368 | powershell.exe | 32
PID 2368 wrote to memory of 1976 | 2368 | powershell.exe | 32
PID 2368 wrote to memory of 1976 | 2368 | powershell.exe | 32
PID 2368 wrote to memory of 656 | 2368 | powershell.exe | 34
PID 2368 wrote to memory of 656 | 2368 | powershell.exe | 34
PID 2368 wrote to memory of 656 | 2368 | powershell.exe | 34
PID 2368 wrote to memory of 656 | 2368 | powershell.exe | 34
PID 2368 wrote to memory of 656 | 2368 | powershell.exe | 34
PID 2368 wrote to memory of 656 | 2368 | powershell.exe | 34

outlook_office_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | wab.exe

outlook_win_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | wab.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Request For Quotation Details_Ref.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Request For Quotation Details_Ref.exe"
  PID: 2236
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "powershell.exe" -windowstyle hidden "$Humiture=Get-Content 'C:\Users\Admin\AppData\Local\butikstiders\Sjunger\Fangarme\Unfrocked\Beside.Fst';$Superprelatical=$Humiture.SubString(17309,3);.$Superprelatical($Humiture)"
    PID: 2368
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
      PID: 1976

    C:\Program Files (x86)\windows mail\wab.exe (depth 3)
      Command line: "C:\Program Files (x86)\windows mail\wab.exe"
      PID: 656
      - Accesses Microsoft Outlook profiles
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads