Overview

overview

10

Static

static

7

04995df8cb...e2.exe

windows7-x64

10

04995df8cb...e2.exe

windows10-2004-x64

10

14b162eed3...66.elf

debian-12-armhf

1

2cba66d97b...d8.exe

windows7-x64

10

2cba66d97b...d8.exe

windows10-2004-x64

10

2f84a18564...bc.elf

debian-12-armhf

1

620c15ed6f...8a.elf

ubuntu-20.04-amd64

10

623f93cf91...c8.wsf

windows7-x64

8

623f93cf91...c8.wsf

windows10-2004-x64

8

70932cac71...1a.elf

debian-12-armhf

1

CAHKHCM2404009CFS.exe

windows7-x64

10

CAHKHCM2404009CFS.exe

windows10-2004-x64

10

a552331bbe...60.elf

ubuntu-20.04-amd64

9

b9d1e862b5...f4.exe

windows7-x64

10

b9d1e862b5...f4.exe

windows10-2004-x64

4

Michelines.ps1

windows7-x64

8

Michelines.ps1

windows10-2004-x64

8

f601a6e5b8...bc.elf

debian-12-armhf

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    24-04-2024 01:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b9d1e862b5f864aab90e418632cf973132a4b4cbe4044b1fb997d9dfbd7ad0f4.exe

  • Size

    1.1MB

  • MD5

    a0e9d68e9a8541eb30d6a31cae4a942b

  • SHA1

    3cae987132d7f45df56f77c1ff2a542cb64e64c0

  • SHA256

    b9d1e862b5f864aab90e418632cf973132a4b4cbe4044b1fb997d9dfbd7ad0f4

  • SHA512

    eebfe98652f6b7dffb7e57bdd73c80c073f0f1879ee8a86c17054e1e1ecc3bf5dcec66b4619944659b9038ecfca19254fec0cb60c5264d905382acc8fb0ea03a

  • SSDEEP

    24576:c0vvQvOM6sjFYk6IuhdTuvMJbmhQU/YydIE5Ltp:clvpN2zuvMxmhB/Ylyp

Score
10/10
guloaderdownloaderpersistence

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9d1e862b5f864aab90e418632cf973132a4b4cbe4044b1fb997d9dfbd7ad0f4.exe
    "C:\Users\Admin\AppData\Local\Temp\b9d1e862b5f864aab90e418632cf973132a4b4cbe4044b1fb997d9dfbd7ad0f4.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Bissede=Get-Content 'C:\Users\Admin\AppData\Local\nervier\Estampede\sipunculacean\Michelines.All';$Flumes35=$Bissede.SubString(58005,3);.$Flumes35($Bissede)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1572
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
        3⤵
          PID:1364
        • C:\Program Files (x86)\windows mail\wab.exe
          "C:\Program Files (x86)\windows mail\wab.exe"
          3⤵
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of WriteProcessMemory
          PID:2088
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hakkers" /t REG_EXPAND_SZ /d "%Philocaly% -windowstyle minimized $Atomlres=(Get-ItemProperty -Path 'HKCU:\Mayst\').Fordjelsesbesvrets;%Philocaly% ($Atomlres)"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1216
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hakkers" /t REG_EXPAND_SZ /d "%Philocaly% -windowstyle minimized $Atomlres=(Get-ItemProperty -Path 'HKCU:\Mayst\').Fordjelsesbesvrets;%Philocaly% ($Atomlres)"
              5⤵
              • Adds Run key to start application
              • Modifies registry key
              PID:1936

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      03034a68e3b1b0a8a23b448ee4f2a139

      SHA1

      7090f7fb26f1061bc770348500a50922fee507f0

      SHA256

      80c7c3141fdd1c75d0ba0fa86e0779f50aebd797c85a867e3795b92064204d8f

      SHA512

      d5b7b386d30ee7d7cc0c36acffd6ece8751b7434fa33504cab33b1e48a8183074d42bd33989e8f972e670bdf7670ac21d74b7068c59305665615ab339f337edd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Cab6135.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Tar638D.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      Download Submit
    • C:\Users\Admin\AppData\Local\nervier\Estampede\sipunculacean\Indskrnkningens.Meg
      Filesize

      301KB

      MD5

      50196fec4abccdb71d5f26eccdffb22b

      SHA1

      594f16df70de47019f285b72d39130885837a238

      SHA256

      592aa331c37790bb4627428385c85f843d839f2ebda2f621da438afb4edfe13d

      SHA512

      6a547e0c03fc7748b9637fa9c90784e30c4433d09b0488882d6b6792b41188a9ae2efa39f649da596d37d1079715842df315cae8fcdaf1482a5d804737d2192c

      Download Submit
    • C:\Users\Admin\AppData\Local\nervier\Estampede\sipunculacean\Michelines.All
      Filesize

      56KB

      MD5

      82340892cba1f6e4faaa080bb634cf9c

      SHA1

      56b029cbcada747897e9beff7c8f1013b8c9b6ce

      SHA256

      a03bb54517df231824d324ad20b79094efef9af20eff855e30a6f459bcc43912

      SHA512

      dfea5297d9aef9004af38f8604e74313f99d477199e797dbeec5367ec3e6c0000a4c62eeab54425deee14de5b1adb224f09956a10619cf03b821b2b91b84f5c7

      Download Submit
    • memory/1572-18-0x0000000073E90000-0x000000007443B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1572-19-0x00000000025D0000-0x0000000002610000-memory.dmp
      Filesize

      256KB

      Download
    • memory/1572-30-0x00000000025D0000-0x0000000002610000-memory.dmp
      Filesize

      256KB

      Download
    • memory/1572-25-0x0000000006570000-0x00000000092C6000-memory.dmp
      Filesize

      45.3MB

      Download
    • memory/1572-26-0x0000000077440000-0x00000000775E9000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/1572-27-0x0000000077630000-0x0000000077706000-memory.dmp
      Filesize

      856KB

      Download
    • memory/1572-119-0x0000000006570000-0x00000000092C6000-memory.dmp
      Filesize

      45.3MB

      Download
    • memory/1572-29-0x0000000073E90000-0x000000007443B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1572-24-0x0000000006570000-0x00000000092C6000-memory.dmp
      Filesize

      45.3MB

      Download
    • memory/1572-17-0x00000000025D0000-0x0000000002610000-memory.dmp
      Filesize

      256KB

      Download
    • memory/1572-21-0x00000000025D0000-0x0000000002610000-memory.dmp
      Filesize

      256KB

      Download
    • memory/1572-23-0x00000000055A0000-0x00000000055A4000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1572-16-0x0000000073E90000-0x000000007443B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2088-32-0x0000000077630000-0x0000000077706000-memory.dmp
      Filesize

      856KB

      Download
    • memory/2088-33-0x0000000077666000-0x0000000077667000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2088-120-0x0000000077630000-0x0000000077706000-memory.dmp
      Filesize

      856KB

      Download
    • memory/2088-117-0x0000000001DA0000-0x0000000004AF6000-memory.dmp
      Filesize

      45.3MB

      Download
    • memory/2088-28-0x0000000001DA0000-0x0000000004AF6000-memory.dmp
      Filesize

      45.3MB

      Download
    • memory/2088-31-0x0000000077440000-0x00000000775E9000-memory.dmp
      Filesize

      1.7MB

      Download