Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
26-04-2024 01:16
Static task
static1
Behavioral task
behavioral1
Sample
6b2874507fc8b7782d11f202840850ba6edd8befbb8c163c4d53775fb8d20603.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
6b2874507fc8b7782d11f202840850ba6edd8befbb8c163c4d53775fb8d20603.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240226-en
General
-
Target
6b2874507fc8b7782d11f202840850ba6edd8befbb8c163c4d53775fb8d20603.exe
-
Size
549KB
-
MD5
4621fea50e1982e6f753efe7d1be2b35
-
SHA1
46072b07bfa96583ed03149a04411cbcf04eadf9
-
SHA256
6b2874507fc8b7782d11f202840850ba6edd8befbb8c163c4d53775fb8d20603
-
SHA512
301e380d9e207caa7e994b251e2018207851a32f0c1850b3de669742c9d640d5254640d972e0143bc99e8cb2e3728bb7878814e66498928ff777d26c9bd206f5
-
SSDEEP
12288:8stfWr2zXogHMSwOdJ1JUTrNuVwik2Mx/DvMAM++:8st+r2zXZ/dJyrNuuik2yDc++
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Overfondle.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation Overfondle.exe -
Loads dropped DLL 2 IoCs
Processes:
6b2874507fc8b7782d11f202840850ba6edd8befbb8c163c4d53775fb8d20603.exeOverfondle.exepid process 228 6b2874507fc8b7782d11f202840850ba6edd8befbb8c163c4d53775fb8d20603.exe 4816 Overfondle.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hakkebrttet = "%elaf% -windowstyle minimized $Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\\noncoherent\\').Skvadredes;%elaf% ($Ultramicrotome)" reg.exe -
Drops file in System32 directory 1 IoCs
Processes:
6b2874507fc8b7782d11f202840850ba6edd8befbb8c163c4d53775fb8d20603.exedescription ioc process File created C:\Windows\SysWOW64\psiloses.lnk 6b2874507fc8b7782d11f202840850ba6edd8befbb8c163c4d53775fb8d20603.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
powershell.exeOverfondle.exepid process 3272 powershell.exe 4816 Overfondle.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid process target process PID 3272 set thread context of 4816 3272 powershell.exe Overfondle.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\Overfondle.exe nsis_installer_1 C:\Users\Admin\AppData\Local\Temp\Overfondle.exe nsis_installer_2 -
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
powershell.exepid process 3272 powershell.exe 3272 powershell.exe 3272 powershell.exe 3272 powershell.exe 3272 powershell.exe 3272 powershell.exe 3272 powershell.exe 3272 powershell.exe 3272 powershell.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
powershell.exepid process 3272 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 3272 powershell.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
6b2874507fc8b7782d11f202840850ba6edd8befbb8c163c4d53775fb8d20603.exepowershell.exeOverfondle.execmd.exedescription pid process target process PID 228 wrote to memory of 3272 228 6b2874507fc8b7782d11f202840850ba6edd8befbb8c163c4d53775fb8d20603.exe powershell.exe PID 228 wrote to memory of 3272 228 6b2874507fc8b7782d11f202840850ba6edd8befbb8c163c4d53775fb8d20603.exe powershell.exe PID 228 wrote to memory of 3272 228 6b2874507fc8b7782d11f202840850ba6edd8befbb8c163c4d53775fb8d20603.exe powershell.exe PID 3272 wrote to memory of 5024 3272 powershell.exe cmd.exe PID 3272 wrote to memory of 5024 3272 powershell.exe cmd.exe PID 3272 wrote to memory of 5024 3272 powershell.exe cmd.exe PID 3272 wrote to memory of 4816 3272 powershell.exe Overfondle.exe PID 3272 wrote to memory of 4816 3272 powershell.exe Overfondle.exe PID 3272 wrote to memory of 4816 3272 powershell.exe Overfondle.exe PID 3272 wrote to memory of 4816 3272 powershell.exe Overfondle.exe PID 3272 wrote to memory of 4816 3272 powershell.exe Overfondle.exe PID 4816 wrote to memory of 4056 4816 Overfondle.exe cmd.exe PID 4816 wrote to memory of 4056 4816 Overfondle.exe cmd.exe PID 4816 wrote to memory of 4056 4816 Overfondle.exe cmd.exe PID 4056 wrote to memory of 5024 4056 cmd.exe reg.exe PID 4056 wrote to memory of 5024 4056 cmd.exe reg.exe PID 4056 wrote to memory of 5024 4056 cmd.exe reg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6b2874507fc8b7782d11f202840850ba6edd8befbb8c163c4d53775fb8d20603.exe"C:\Users\Admin\AppData\Local\Temp\6b2874507fc8b7782d11f202840850ba6edd8befbb8c163c4d53775fb8d20603.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -windowstyle hidden "$Indeterminative=Get-Content 'C:\Users\Admin\AppData\Local\Temp\Moviedom230\Enforcedly251\Afvrgningernes.Ign37';$Introducerer=$Indeterminative.SubString(18884,3);.$Introducerer($Indeterminative)"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Overfondle.exe"C:\Users\Admin\AppData\Local\Temp\Overfondle.exe"3⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hakkebrttet" /t REG_EXPAND_SZ /d "%elaf% -windowstyle minimized $Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\noncoherent\').Skvadredes;%elaf% ($Ultramicrotome)"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hakkebrttet" /t REG_EXPAND_SZ /d "%elaf% -windowstyle minimized $Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\noncoherent\').Skvadredes;%elaf% ($Ultramicrotome)"5⤵
- Adds Run key to start application
- Modifies registry key
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Moviedom230\Enforcedly251\Afvrgningernes.Ign37Filesize
73KB
MD52a4d239948b7ba6c05b6dc3d6a4bd41d
SHA1ce9c6d7cabfa263b0af02023beaa4938d2dba4f5
SHA256490fafe9835e76b1780427bdfc6f32529d04c81630a5678c6af77b3d46a0276a
SHA512d7205fd1293aba4310773546c50da78d0f9c0ff37dfc0efbcc9928666a556dca634c0ec9dbc01f70bf5cb071c547bee36a1be40ff705a55d41885fbbd1457a57
-
C:\Users\Admin\AppData\Local\Temp\Moviedom230\Enforcedly251\Aphthong.calFilesize
310KB
MD5b5464e0d8950a57546e96bb94f6c2cf1
SHA1b31d124005d806419adfb7f2f055f959c406b97a
SHA256795e6773d208f28d17ae68b6a0d793a568b306764666702bb9591faf0fb85ec2
SHA512f10bc9334f3b4afa3d58ad7f87d0c6874dcacb3b2eabc1f5ae047ae786fe4c7c0e79ee7fd44640202ab0cb0e244e67bc038a3f2173a729feed3090f8e6d9f3ec
-
C:\Users\Admin\AppData\Local\Temp\Overfondle.exeFilesize
549KB
MD54621fea50e1982e6f753efe7d1be2b35
SHA146072b07bfa96583ed03149a04411cbcf04eadf9
SHA2566b2874507fc8b7782d11f202840850ba6edd8befbb8c163c4d53775fb8d20603
SHA512301e380d9e207caa7e994b251e2018207851a32f0c1850b3de669742c9d640d5254640d972e0143bc99e8cb2e3728bb7878814e66498928ff777d26c9bd206f5
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j4vutyct.4y2.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\nsv684.tmp\nsExec.dllFilesize
6KB
MD55aa38904acdcc21a2fb8a1d30a72d92f
SHA1a9ce7d1456698921791db91347dba0489918d70c
SHA25610675f13abaee592f14382349aa35d82fb52aab4e27eef61d0c83dec1f6b73da
SHA512f04740da561d7cd0dea5e839c9e1c339d4a3e63944d3566c94c921a3d170a69918a32dff3f3b43f13d55cc25a2dbb4c21104f062c324308ac5104179766402a3
-
memory/3272-27-0x0000000006310000-0x000000000632E000-memory.dmpFilesize
120KB
-
memory/3272-40-0x0000000073F70000-0x0000000074720000-memory.dmpFilesize
7.7MB
-
memory/3272-16-0x0000000005C50000-0x0000000005CB6000-memory.dmpFilesize
408KB
-
memory/3272-14-0x00000000052A0000-0x00000000052C2000-memory.dmpFilesize
136KB
-
memory/3272-22-0x0000000005D00000-0x0000000006054000-memory.dmpFilesize
3.3MB
-
memory/3272-13-0x0000000005620000-0x0000000005C48000-memory.dmpFilesize
6.2MB
-
memory/3272-28-0x0000000006410000-0x000000000645C000-memory.dmpFilesize
304KB
-
memory/3272-29-0x0000000004FE0000-0x0000000004FF0000-memory.dmpFilesize
64KB
-
memory/3272-31-0x0000000006810000-0x000000000682A000-memory.dmpFilesize
104KB
-
memory/3272-30-0x00000000072B0000-0x0000000007346000-memory.dmpFilesize
600KB
-
memory/3272-32-0x0000000006860000-0x0000000006882000-memory.dmpFilesize
136KB
-
memory/3272-33-0x0000000007970000-0x0000000007F14000-memory.dmpFilesize
5.6MB
-
memory/3272-12-0x0000000002C80000-0x0000000002CB6000-memory.dmpFilesize
216KB
-
memory/3272-35-0x00000000085A0000-0x0000000008C1A000-memory.dmpFilesize
6.5MB
-
memory/3272-37-0x0000000004FE0000-0x0000000004FF0000-memory.dmpFilesize
64KB
-
memory/3272-11-0x0000000004FE0000-0x0000000004FF0000-memory.dmpFilesize
64KB
-
memory/3272-39-0x0000000007840000-0x0000000007844000-memory.dmpFilesize
16KB
-
memory/3272-15-0x0000000005340000-0x00000000053A6000-memory.dmpFilesize
408KB
-
memory/3272-41-0x0000000004FE0000-0x0000000004FF0000-memory.dmpFilesize
64KB
-
memory/3272-43-0x0000000004FE0000-0x0000000004FF0000-memory.dmpFilesize
64KB
-
memory/3272-44-0x0000000004FE0000-0x0000000004FF0000-memory.dmpFilesize
64KB
-
memory/3272-45-0x0000000008C20000-0x000000000B7EC000-memory.dmpFilesize
43.8MB
-
memory/3272-46-0x0000000004FE0000-0x0000000004FF0000-memory.dmpFilesize
64KB
-
memory/3272-47-0x0000000008C20000-0x000000000B7EC000-memory.dmpFilesize
43.8MB
-
memory/3272-48-0x0000000008C20000-0x000000000B7EC000-memory.dmpFilesize
43.8MB
-
memory/3272-49-0x00000000779D1000-0x0000000077AF1000-memory.dmpFilesize
1.1MB
-
memory/3272-10-0x0000000073F70000-0x0000000074720000-memory.dmpFilesize
7.7MB
-
memory/3272-69-0x0000000008C20000-0x000000000B7EC000-memory.dmpFilesize
43.8MB
-
memory/3272-68-0x0000000073F70000-0x0000000074720000-memory.dmpFilesize
7.7MB
-
memory/4816-54-0x0000000077A58000-0x0000000077A59000-memory.dmpFilesize
4KB
-
memory/4816-55-0x00000000779D1000-0x0000000077AF1000-memory.dmpFilesize
1.1MB
-
memory/4816-56-0x0000000000400000-0x0000000001654000-memory.dmpFilesize
18.3MB
-
memory/4816-57-0x0000000001660000-0x000000000422C000-memory.dmpFilesize
43.8MB
-
memory/4816-53-0x0000000001660000-0x000000000422C000-memory.dmpFilesize
43.8MB
-
memory/4816-52-0x0000000000400000-0x0000000001654000-memory.dmpFilesize
18.3MB