Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 14:37
Static task
static1
Behavioral task
behavioral1
Sample
SCAN.AWB.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
SCAN.AWB.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240426-en
General
- Target: SCAN.AWB.exe
- Size: 570KB
- MD5: acf130a10b41446bb89bf89e630c7fa3
- SHA1: 93ab6a6eb407f475f3c5eea4fb2426339f6e1619
- SHA256: 7ea4b0492d4bd06af8088ed24374001cabe43bac4a8477c9d4c16428ebe7d511
- SHA512: 7336f5cf39695dc457f90b8056d3fa19317725427f2f7efdcc826d9dd93bb287d8188ecd3a771f7a92d1cf8a9c5aafb9ffbc71698d6e48ba01b87e6625f85965
- SSDEEP: 12288:9eCLyNx2qdIzjxxtdH7JZOqBhg5F0y/7dncz+kOILaw/mD+Ksjo:9ebNwqaz9jB7JZTEFT5mL41T
Malware Config
Signatures
- Guloader, Cloudeye
  A shellcode based downloader first seen in 2020.
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    4476  SCAN.AWB.exe
    4476  SCAN.AWB.exe
- Drops file in System32 directory (1 IoCs)
  Processes:
    description                   ioc                            process
    File opened for modification  C:\Windows\SysWOW64\kaleb.ini  SCAN.AWB.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes:
    pid   process
    4476  SCAN.AWB.exe
    4968  SCAN.AWB.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                          pid   process       target process
    PID 4476 set thread context of 4968  4476  SCAN.AWB.exe  SCAN.AWB.exe
- Drops file in Program Files directory (1 IoCs)
  Processes:
    description                   ioc                                   process
    File opened for modification  C:\Program Files (x86)\skitserer.ini  SCAN.AWB.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
    pid   process
    4476  SCAN.AWB.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
    description                       pid   process       target process
    PID 4476 wrote to memory of 4968  4476  SCAN.AWB.exe  SCAN.AWB.exe
    PID 4476 wrote to memory of 4968  4476  SCAN.AWB.exe  SCAN.AWB.exe
    PID 4476 wrote to memory of 4968  4476  SCAN.AWB.exe  SCAN.AWB.exe
    PID 4476 wrote to memory of 4968  4476  SCAN.AWB.exe  SCAN.AWB.exe
    PID 4476 wrote to memory of 4968  4476  SCAN.AWB.exe  SCAN.AWB.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe (process tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID: 4476
- C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe (process tree level 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID: 4968
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 18B
  MD5: a24188ce6d4a713d3508b4c0ec4860ff
  SHA1: 1e4b331b57d9d633687b5ecdaf35b0ab55c72e44
  SHA256: 0910aef0152e26373651bd0550d8d61e3f1e72820e69c3fec56ae50cd225a493
  SHA512: 427e9635aed314bb5e5b90ba32c55d78922b3ba8276bc185889e3d3c635925c9148e1bf12d289b0a3c0fc8bbbe78b52f223d550d39b67682f2007b625db0331e
- Filesize: 29B
  MD5: f302a24fc452fd85d13ad30a272d6f35
  SHA1: 3b9153f575b70084ae04fd55d5c86169eaa60916
  SHA256: 2edbbfdef57bac60adc902d6bd15abb9c3e044c0f660c9a63135d37ac0f6c63a
  SHA512: 477c3efa5d2bf5ef6ac57a0dc190014f98ff0bd1181106edff7b0db01d58b7f0d8c6eb77266202249f035cc056a726bfd7abdc2e0d672aadc9a45ed29d4b1bd0
- Filesize: 28B
  MD5: d5c1c43dcbca7900a2751441b73a1402
  SHA1: 2ad884601eb948b72f2e980a05e6c05bfc4f04d7
  SHA256: 334995ac57ad095abcfa5ba0e9216285fc87f9026ea3ef2c67a42d1ed7ddf855
  SHA512: 1627d2cd136c30ba55dd3a336c05f20f90432bb0340ee75d2782328e2edc45e1213f9a315f7b5b61ce5340412f88109d5d13c833116835c3251d1751fce8854c
- Filesize: 39B
  MD5: 3e930ca30f900b15da4ef96902f9b347
  SHA1: 92c4cd5b76b9be895152fdb3adcd165192daa552
  SHA256: 688f5bdbcde116a168af5f0ea57296f14181abe8fb92292eaf11febd498e3d42
  SHA512: 40bcbeea8dcf22201d275e68be32deadc953a2383f11788947d10aabf4469d61d8e3b86ded7e7369a9d413974d90e628aa1a4a6e6bc2b60c2de20bbd896fd489
- Filesize: 2B
  MD5: 25bc6654798eb508fa0b6343212a74fe
  SHA1: 15d5e1d3b948fd5986aaff7d9419b5e52c75fc93
  SHA256: 8e5202705183bd3a20a29e224499b0f77a8273ee33cd93cca71043c57ad4bdfc
  SHA512: 5868c6241ed3cfcc5c34bfe42e4b9f5c69e74975e524771d8c9f35cafc13fd01cd943ec4d8caefee79a1f4a457e69d20b7a86f88db83a5bc3e6bd8a619972898
- Filesize: 3B
  MD5: 4e27f2226785e9abbe046fc592668860
  SHA1: 28b18a7f383131df509f7191f946a32c5a2e410c
  SHA256: 01a219245e1501fee01ce0baea8f6065ce5162cea12fa570689a07c9717be81d
  SHA512: 2a23585835bdb5db8175cab265566042282841efdcee8aaba8b9b5d466b0f165c0c5973033ce94bb9a8f07a956689247981ea07ac5a51408263e1653d9710adb
- Filesize: 27B
  MD5: 4957153fabb445fb18c9ebc9c311f34d
  SHA1: d12d7a2c8a4b61bae681b19b9a07a06a0d0d4632
  SHA256: fbaa92d310219f370662dbcb3d8023c007b4786d0bf979228690d4df2cf89c91
  SHA512: 4c0ee80abbe5748e3b794982585dc819c57f59429ef47ab628a801d05752daea92e7ef97088556b5411a49e8724157ee748a0e40c3efc0962927783fc1a44cd9
- Filesize: 30B
  MD5: f15bfdebb2df02d02c8491bde1b4e9bd
  SHA1: 93bd46f57c3316c27cad2605ddf81d6c0bde9301
  SHA256: c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043
  SHA512: 1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1
- Filesize: 43B
  MD5: 11598c9bea98b902fd23f62d92e2c755
  SHA1: 5abf26b3891bde2c11143deac679d44d5af7dde4
  SHA256: e57e26e68b9ee25d136d2b440e28ffc09be1233efac52ec2f050c098a7e8090c
  SHA512: aa6045bade9bee63b80e2822d1e17ed4186202c8ba840af93f4d14dad4a2d32790e1ffd7448b4cbc8b92891967174cf70a54d2aa5957f3b266da7bb61d8f6b7c
- Filesize: 11B
  MD5: bad78a997013818e85c1091ce1f575e0
  SHA1: fa7b6b576c9b365194a222dfd1d3805121544fd3
  SHA256: e40f87ab67d67e6a7c1784127b0bdeaa1a053cbc50cbb8155cb469016537513d
  SHA512: c2f336b68df9aa5234282eb83c042ff87a0187cbd903739bbcbedd6c30be7807d9cd40f97ccd0196d5bdc84833b796197a832687e99da48f1d370d3875bface4
- Filesize: 12B
  MD5: e456acec0ef7fda3aef06b03bb007e2f
  SHA1: a7168146dd22139e81563b24beb736179d1c8370
  SHA256: 73842f82df7cfef99c471c4301ef8130ddcd65d831b069b880bd71695d2bf607
  SHA512: c641ae2e8961562f5fd0f2d258742b024c6564b3f3b6a1d3d642d72bf47a1d6c208055e31dc467a3ea41b7bac658bcbab6e1746daf08fe2484f0c860fb88d475
- Filesize: 24B
  MD5: 42e9d16f22a223f11084f22b94b42210
  SHA1: 7f4dcba6193c831687f6a1cac9b60231be8a6a1a
  SHA256: 0717d3c2c8ad4b25752e43514cd4352de08c51bb9a8d153beb842dd421677b91
  SHA512: a965c1381a0179e1bb1600fed3065741ebacc8c1e0a73db5d0db4eddbe5a45ec42cbd489a525d5c5151f52188daf367d0740e6555d9e41c1385a2fed4b7a6ec3
- Filesize: 11KB
  MD5: 8b3830b9dbf87f84ddd3b26645fed3a0
  SHA1: 223bef1f19e644a610a0877d01eadc9e28299509
  SHA256: f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37
  SHA512: d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03
- Filesize: 1B
  MD5: 8ce4b16b22b58894aa86c421e8759df3
  SHA1: 13fbd79c3d390e5d6585a21e11ff5ec1970cff0c
  SHA256: 8254c329a92850f6d539dd376f4816ee2764517da5e0235514af433164480d7a
  SHA512: 2af8a9104b3f64ed640d8c7e298d2d480f03a3610cbc2b33474321ec59024a48592ea8545e41e09d5d1108759df48ede0054f225df39d4f0f312450e0aa9dd25
- Filesize: 5B
  MD5: e2fecc970546c3418917879fe354826c
  SHA1: 63f1c1dd01b87704a6b6c99fd9f141e0a3064f16
  SHA256: ff91566d755f5d038ae698a2cc0a7d4d14e5273afafc37b6f03afda163768fa0
  SHA512: 3c4a68cbaee94f986515f43305a0e7620c14c30213d4a17db4a3e8a1b996764eb688bf733f472fc52073c2c80bb5229bb29411d7601aefe1c4370e230c341a0a
- Filesize: 8B
  MD5: c3cb69218b85c3260387fb582cb518dd
  SHA1: 961c892ded09a4cbb5392097bb845ccba65902ad
  SHA256: 1c329924865741e0222d3ead23072cfbed14f96e2b0432573068eb0640513101
  SHA512: 2402fffeb89c531db742bf6f5466eee8fe13edf97b8ecfc2cace3522806b322924d1ca81dda25e59b4047b8f40ad11ae9216e0a0d5c7fc6beef4368eb9551422
- Filesize: 35B
  MD5: 6c66825018fd508f24a7fbadc1423e82
  SHA1: 70106bab899e783bdfa308a20ef827c54bcd56d9
  SHA256: 00cbd644d8124cab4ffd5db46f360b0eed2e59c414d6812f5945b20c83e6be39
  SHA512: d387ba4b54b42c8992c693551e098580ad6fcbfebfd0c074ebd9e49cd1cf6c02344193cbceb6981052fba4ef0444180874b82c00af5d3e10e6b63c0fec6f3603
- Filesize: 45B
  MD5: 9dfd97e7025bf54441fe6759f87e5ddf
  SHA1: 0f04ae6a7bc2213255fc72898f339b12bd743f24
  SHA256: eea1bdc93e5a8fcbca0aea236d83b487ad2af028095a0d0107f02d397b4372fb
  SHA512: 08ea09b23814906f040060b46d919d45f6aee0c96b27d0baa88813bc46032c274546adb89e354b78f659c962a8588adbbd49966951e1f1b097e2484a07678f44