Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    29-04-2024 09:52

General

  • Target

    DHL_M-002567436735845755676678877988975877.exe

  • Size

    435KB

  • MD5

    4e1e7a26a6c1115d55293a84f36575c1

  • SHA1

    ec727b3bd73c11995e745ff1668ad69400f97d30

  • SHA256

    cd533d45b704ab35ca35b9162805abb28710ca25399344812fa9f8598a93b30b

  • SHA512

    e5f70560e440068c684d95992eace1fb649b0c091230db98f61ff68a49d3ff84530351d3b619445936cd51fc694c11fa43e77d0a1f400d165fcb2e13a670bc7e

  • SSDEEP

    6144:lxFSmlmkDp54v/qwnQ6pNwhScW/rern/ZPYdnPBzYnBAqJ1tUWz:BtFFSa4ySperRPYvAAqJ19

Score
10/10

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHL_M-002567436735845755676678877988975877.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL_M-002567436735845755676678877988975877.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Machi=Get-Content 'C:\Users\Admin\AppData\Local\Temp\Nit\plaskenes\Forthteller\Fibrillationen52\Nonveracity\Kreolerne.Ans';$Orichalceous=$Machi.SubString(58815,3);.$Orichalceous($Machi)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
        3⤵
        PID:3052
        • C:\Program Files (x86)\windows mail\wab.exe
          "C:\Program Files (x86)\windows mail\wab.exe"
          3⤵
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetWindowsHookEx
          PID:2684

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    • C:\Users\Admin\AppData\Local\Temp\Nit\plaskenes\Forthteller\Fibrillationen52\Nonveracity\Kreolerne.Ans

      Filesize

      57KB

      MD5

      cef01801545d5b91580cd6a4a9273144

      SHA1

      4ba951133e407bd0d6b0447d216528200aff68b9

      SHA256

      f0f42ea894ea592f55fd42f05df638a1c0eb54f966671817ba67ac78d6da3345

      SHA512

      57a39ee84f50065923d8441539da07a6ee49cc9e75e32d4f5b293c7d5a40b5f0cdf9b2e63fa29fbb279c86ad800ff4e8b72ed524d849e0ca423e61d3d9e0ebca

    • C:\Users\Admin\AppData\Local\Temp\Nit\plaskenes\Forthteller\Fibrillationen52\Nonveracity\Spndkrafts.Fla

      Filesize

      344KB

      MD5

      de7716e2bacc1169dfe5f7917ef0dbad

      SHA1

      d3caf742f49f6dc4bd44c5bc0da1df56bb3926b0

      SHA256

      99087333e7cd63b9ddb06469ec26b0fd17c324d046705c1cefb95705ac1a893a

      SHA512

      9ce185d479cd1d0275481aa28c6980f72faf2a1286ae725cd908a086d71459d5f475319806a2ba850869f7738bf0b6a2ba228420518ede82295b7349f431137d

    • C:\Users\Admin\AppData\Local\Temp\Tar71DD.tmp

      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    • memory/2088-6-0x0000000073BA0000-0x000000007414B000-memory.dmp

      Filesize

      5.7MB

    • memory/2088-7-0x0000000002CC0000-0x0000000002D00000-memory.dmp

      Filesize

      256KB

    • memory/2088-8-0x0000000002CC0000-0x0000000002D00000-memory.dmp

      Filesize

      256KB

    • memory/2088-12-0x0000000006650000-0x000000000B87C000-memory.dmp

      Filesize

      82.2MB

    • memory/2088-13-0x0000000073BA0000-0x000000007414B000-memory.dmp

      Filesize

      5.7MB

    • memory/2088-14-0x0000000002CC0000-0x0000000002D00000-memory.dmp

      Filesize

      256KB

    • memory/2684-69-0x0000000001ED0000-0x00000000070FC000-memory.dmp

      Filesize

      82.2MB