Analysis

Max time kernel: 149s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 21-05-2024 12:55
Static task: static1

Behavioral task: behavioral1
  Sample: Borgerreprsentants.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: Borgerreprsentants.exe
  Resource: win10v2004-20240508-en

Behavioral task: behavioral3
  Sample: $PLUGINSDIR/System.dll
  Resource: win7-20240508-en

Behavioral task: behavioral4
  Sample: $PLUGINSDIR/System.dll
  Resource: win10v2004-20240426-en
General

Target: Borgerreprsentants.exe
Size: 1.3MB
MD5: 3e98cae336fa462580691cb91749b71e
SHA1: c9ea529b30c094e7d88eed0be92df953324b98f5
SHA256: 9e45db06cc8ee275f4fd1855b7c8c57f4b2fc85d8f58512076cce9189230c475
SHA512: 9852ed091853c6fce1d4772270f74687cdb07c130e4511a0d68e9e55a034b90c67f7fe986a153f3377d363ff552d9751da18623e77ae2f6ca354dacf2619ba07
SSDEEP: 24576:99Q0lIVTRJ6sByXYvuCi/ck/ZB+Loy/U77VaaG8uosbrDqa1VHWTcSdmWDxbLn/y:LQ0lsRpyCi/fH+7M77YoOrDX1l2xbLnq
Malware Config
Signatures

Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.

Loads dropped DLL (1 IoC)
Processes:
  pid   process
  3572  Borgerreprsentants.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes:
  pid   process
  3572  Borgerreprsentants.exe
  4216  Borgerreprsentants.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process                 target process
  PID 3572 set thread context of 4216  3572  Borgerreprsentants.exe  Borgerreprsentants.exe

Drops file in Program Files directory (1 IoC)
Processes:
  description                   ioc                                                            process
  File opened for modification  C:\Program Files (x86)\konvoluterer\Forsikringsinspektrer.ini  Borgerreprsentants.exe

Drops file in Windows directory (1 IoC)
Processes:
  description                   ioc                                process
  File opened for modification  C:\Windows\mycelian\sempitern.ini  Borgerreprsentants.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  pid   process
  3572  Borgerreprsentants.exe

Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  description                       pid   process                 target process
  PID 3572 wrote to memory of 4216  3572  Borgerreprsentants.exe  Borgerreprsentants.exe
  PID 3572 wrote to memory of 4216  3572  Borgerreprsentants.exe  Borgerreprsentants.exe
  PID 3572 wrote to memory of 4216  3572  Borgerreprsentants.exe  Borgerreprsentants.exe
  PID 3572 wrote to memory of 4216  3572  Borgerreprsentants.exe  Borgerreprsentants.exe
  PID 3572 wrote to memory of 4216  3572  Borgerreprsentants.exe  Borgerreprsentants.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Borgerreprsentants.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Borgerreprsentants.exe"
  PID: 3572
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Borgerreprsentants.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Borgerreprsentants.exe"
    PID: 4216
    - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 11KB
MD5: b8992e497d57001ddf100f9c397fcef5
SHA1: e26ddf101a2ec5027975d2909306457c6f61cfbd
SHA256: 98bcd1dd88642f4dd36a300c76ebb1ddfbbbc5bfc7e3b6d7435dc6d6e030c13b
SHA512: 8823b1904dccfaf031068102cb1def7958a057f49ff369f0e061f1b4db2090021aa620bb8442a2a6ac9355bb74ee54371dc2599c20dc723755a46ede81533a3c