Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
17-04-2024 13:49
Static task
static1
Behavioral task
behavioral1
Sample
3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240412-en
General
-
Target
3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe
-
Size
469KB
-
MD5
46bbacb63c2f6c440be347e99210c3a3
-
SHA1
8b3f6920bf657fd1973069540ec5990b2033e69a
-
SHA256
3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e
-
SHA512
f51dafe7612d294a70872064d9c8b1352598def99242134e4dd5aa03ef62614d3222d5b430a8bb26fa63b7e177ec7229467bae58b1e86a0775a052dcab38f7d8
-
SSDEEP
6144:olJZfHKsHfGCZ71Cn3R1E1+hf6VkTJluAMHQaMWDLdzsaX4O6zTbw6hE4F0FDgCJ:oluqauAMeWm5OKU6O4eFFpd6MvV/lzD
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Loads dropped DLL 1 IoCs
Processes:
3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exepid process 1716 3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Tjenerskab = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Kirkegangens\\Antiadiaphorist236.exe" 3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe -
Drops file in System32 directory 1 IoCs
Processes:
3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exedescription ioc process File opened for modification C:\Windows\SysWOW64\forementioned\kirstis.ini 3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exepid process 1716 3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe 572 3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exedescription pid process target process PID 1716 set thread context of 572 1716 3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe 3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe -
Drops file in Program Files directory 1 IoCs
Processes:
3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exedescription ioc process File opened for modification C:\Program Files (x86)\Common Files\markprverne\tekstmarkeringen.str 3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe -
Drops file in Windows directory 2 IoCs
Processes:
3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exedescription ioc process File opened for modification C:\Windows\resources\0409\nuncupating.Enf 3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe File opened for modification C:\Windows\Fonts\Dagsarbejdes.fin 3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exepid process 1716 3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exedescription pid process target process PID 1716 wrote to memory of 572 1716 3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe 3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe PID 1716 wrote to memory of 572 1716 3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe 3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe PID 1716 wrote to memory of 572 1716 3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe 3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe PID 1716 wrote to memory of 572 1716 3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe 3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe PID 1716 wrote to memory of 572 1716 3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe 3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe PID 1716 wrote to memory of 572 1716 3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe 3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe"C:\Users\Admin\AppData\Local\Temp\3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Users\Admin\AppData\Local\Temp\3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe"C:\Users\Admin\AppData\Local\Temp\3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe"2⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:572
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5fc90dfb694d0e17b013d6f818bce41b0
SHA13243969886d640af3bfa442728b9f0dff9d5f5b0
SHA2567fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528
SHA512324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6