Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-05-2024 14:37

General

  • Target

    SCAN.AWB.exe

  • Size

    570KB

  • MD5

    acf130a10b41446bb89bf89e630c7fa3

  • SHA1

    93ab6a6eb407f475f3c5eea4fb2426339f6e1619

  • SHA256

    7ea4b0492d4bd06af8088ed24374001cabe43bac4a8477c9d4c16428ebe7d511

  • SHA512

    7336f5cf39695dc457f90b8056d3fa19317725427f2f7efdcc826d9dd93bb287d8188ecd3a771f7a92d1cf8a9c5aafb9ffbc71698d6e48ba01b87e6625f85965

  • SSDEEP

    12288:9eCLyNx2qdIzjxxtdH7JZOqBhg5F0y/7dncz+kOILaw/mD+Ksjo:9ebNwqaz9jB7JZTEFT5mL41T

Score
10/10

Malware Config

Signatures

  • Guloader, Cloudeye

    A shellcode based downloader first seen in 2020.

  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe
    "C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4476
    • C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe
      "C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:4968

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsa53B1.tmp

    Filesize

    18B

    MD5

    a24188ce6d4a713d3508b4c0ec4860ff

    SHA1

    1e4b331b57d9d633687b5ecdaf35b0ab55c72e44

    SHA256

    0910aef0152e26373651bd0550d8d61e3f1e72820e69c3fec56ae50cd225a493

    SHA512

    427e9635aed314bb5e5b90ba32c55d78922b3ba8276bc185889e3d3c635925c9148e1bf12d289b0a3c0fc8bbbe78b52f223d550d39b67682f2007b625db0331e

  • C:\Users\Admin\AppData\Local\Temp\nsa53B1.tmp

    Filesize

    29B

    MD5

    f302a24fc452fd85d13ad30a272d6f35

    SHA1

    3b9153f575b70084ae04fd55d5c86169eaa60916

    SHA256

    2edbbfdef57bac60adc902d6bd15abb9c3e044c0f660c9a63135d37ac0f6c63a

    SHA512

    477c3efa5d2bf5ef6ac57a0dc190014f98ff0bd1181106edff7b0db01d58b7f0d8c6eb77266202249f035cc056a726bfd7abdc2e0d672aadc9a45ed29d4b1bd0

  • C:\Users\Admin\AppData\Local\Temp\nsa53B1.tmp

    Filesize

    28B

    MD5

    d5c1c43dcbca7900a2751441b73a1402

    SHA1

    2ad884601eb948b72f2e980a05e6c05bfc4f04d7

    SHA256

    334995ac57ad095abcfa5ba0e9216285fc87f9026ea3ef2c67a42d1ed7ddf855

    SHA512

    1627d2cd136c30ba55dd3a336c05f20f90432bb0340ee75d2782328e2edc45e1213f9a315f7b5b61ce5340412f88109d5d13c833116835c3251d1751fce8854c

  • C:\Users\Admin\AppData\Local\Temp\nsa53B1.tmp

    Filesize

    39B

    MD5

    3e930ca30f900b15da4ef96902f9b347

    SHA1

    92c4cd5b76b9be895152fdb3adcd165192daa552

    SHA256

    688f5bdbcde116a168af5f0ea57296f14181abe8fb92292eaf11febd498e3d42

    SHA512

    40bcbeea8dcf22201d275e68be32deadc953a2383f11788947d10aabf4469d61d8e3b86ded7e7369a9d413974d90e628aa1a4a6e6bc2b60c2de20bbd896fd489

  • C:\Users\Admin\AppData\Local\Temp\nsa544E.tmp

    Filesize

    2B

    MD5

    25bc6654798eb508fa0b6343212a74fe

    SHA1

    15d5e1d3b948fd5986aaff7d9419b5e52c75fc93

    SHA256

    8e5202705183bd3a20a29e224499b0f77a8273ee33cd93cca71043c57ad4bdfc

    SHA512

    5868c6241ed3cfcc5c34bfe42e4b9f5c69e74975e524771d8c9f35cafc13fd01cd943ec4d8caefee79a1f4a457e69d20b7a86f88db83a5bc3e6bd8a619972898

  • C:\Users\Admin\AppData\Local\Temp\nsa544E.tmp

    Filesize

    3B

    MD5

    4e27f2226785e9abbe046fc592668860

    SHA1

    28b18a7f383131df509f7191f946a32c5a2e410c

    SHA256

    01a219245e1501fee01ce0baea8f6065ce5162cea12fa570689a07c9717be81d

    SHA512

    2a23585835bdb5db8175cab265566042282841efdcee8aaba8b9b5d466b0f165c0c5973033ce94bb9a8f07a956689247981ea07ac5a51408263e1653d9710adb

  • C:\Users\Admin\AppData\Local\Temp\nsb575D.tmp

    Filesize

    27B

    MD5

    4957153fabb445fb18c9ebc9c311f34d

    SHA1

    d12d7a2c8a4b61bae681b19b9a07a06a0d0d4632

    SHA256

    fbaa92d310219f370662dbcb3d8023c007b4786d0bf979228690d4df2cf89c91

    SHA512

    4c0ee80abbe5748e3b794982585dc819c57f59429ef47ab628a801d05752daea92e7ef97088556b5411a49e8724157ee748a0e40c3efc0962927783fc1a44cd9

  • C:\Users\Admin\AppData\Local\Temp\nsb575D.tmp

    Filesize

    30B

    MD5

    f15bfdebb2df02d02c8491bde1b4e9bd

    SHA1

    93bd46f57c3316c27cad2605ddf81d6c0bde9301

    SHA256

    c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

    SHA512

    1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

  • C:\Users\Admin\AppData\Local\Temp\nsk52B5.tmp

    Filesize

    43B

    MD5

    11598c9bea98b902fd23f62d92e2c755

    SHA1

    5abf26b3891bde2c11143deac679d44d5af7dde4

    SHA256

    e57e26e68b9ee25d136d2b440e28ffc09be1233efac52ec2f050c098a7e8090c

    SHA512

    aa6045bade9bee63b80e2822d1e17ed4186202c8ba840af93f4d14dad4a2d32790e1ffd7448b4cbc8b92891967174cf70a54d2aa5957f3b266da7bb61d8f6b7c

  • C:\Users\Admin\AppData\Local\Temp\nsk52B5.tmp

    Filesize

    11B

    MD5

    bad78a997013818e85c1091ce1f575e0

    SHA1

    fa7b6b576c9b365194a222dfd1d3805121544fd3

    SHA256

    e40f87ab67d67e6a7c1784127b0bdeaa1a053cbc50cbb8155cb469016537513d

    SHA512

    c2f336b68df9aa5234282eb83c042ff87a0187cbd903739bbcbedd6c30be7807d9cd40f97ccd0196d5bdc84833b796197a832687e99da48f1d370d3875bface4

  • C:\Users\Admin\AppData\Local\Temp\nsk52B5.tmp

    Filesize

    12B

    MD5

    e456acec0ef7fda3aef06b03bb007e2f

    SHA1

    a7168146dd22139e81563b24beb736179d1c8370

    SHA256

    73842f82df7cfef99c471c4301ef8130ddcd65d831b069b880bd71695d2bf607

    SHA512

    c641ae2e8961562f5fd0f2d258742b024c6564b3f3b6a1d3d642d72bf47a1d6c208055e31dc467a3ea41b7bac658bcbab6e1746daf08fe2484f0c860fb88d475

  • C:\Users\Admin\AppData\Local\Temp\nsk52B5.tmp

    Filesize

    24B

    MD5

    42e9d16f22a223f11084f22b94b42210

    SHA1

    7f4dcba6193c831687f6a1cac9b60231be8a6a1a

    SHA256

    0717d3c2c8ad4b25752e43514cd4352de08c51bb9a8d153beb842dd421677b91

    SHA512

    a965c1381a0179e1bb1600fed3065741ebacc8c1e0a73db5d0db4eddbe5a45ec42cbd489a525d5c5151f52188daf367d0740e6555d9e41c1385a2fed4b7a6ec3

  • C:\Users\Admin\AppData\Local\Temp\nsk52B6.tmp\System.dll

    Filesize

    11KB

    MD5

    8b3830b9dbf87f84ddd3b26645fed3a0

    SHA1

    223bef1f19e644a610a0877d01eadc9e28299509

    SHA256

    f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

    SHA512

    d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

  • C:\Users\Admin\AppData\Local\Temp\nsq55E5.tmp

    Filesize

    1B

    MD5

    8ce4b16b22b58894aa86c421e8759df3

    SHA1

    13fbd79c3d390e5d6585a21e11ff5ec1970cff0c

    SHA256

    8254c329a92850f6d539dd376f4816ee2764517da5e0235514af433164480d7a

    SHA512

    2af8a9104b3f64ed640d8c7e298d2d480f03a3610cbc2b33474321ec59024a48592ea8545e41e09d5d1108759df48ede0054f225df39d4f0f312450e0aa9dd25

  • C:\Users\Admin\AppData\Local\Temp\nsq55E5.tmp

    Filesize

    5B

    MD5

    e2fecc970546c3418917879fe354826c

    SHA1

    63f1c1dd01b87704a6b6c99fd9f141e0a3064f16

    SHA256

    ff91566d755f5d038ae698a2cc0a7d4d14e5273afafc37b6f03afda163768fa0

    SHA512

    3c4a68cbaee94f986515f43305a0e7620c14c30213d4a17db4a3e8a1b996764eb688bf733f472fc52073c2c80bb5229bb29411d7601aefe1c4370e230c341a0a

  • C:\Users\Admin\AppData\Local\Temp\nsq55E5.tmp

    Filesize

    8B

    MD5

    c3cb69218b85c3260387fb582cb518dd

    SHA1

    961c892ded09a4cbb5392097bb845ccba65902ad

    SHA256

    1c329924865741e0222d3ead23072cfbed14f96e2b0432573068eb0640513101

    SHA512

    2402fffeb89c531db742bf6f5466eee8fe13edf97b8ecfc2cace3522806b322924d1ca81dda25e59b4047b8f40ad11ae9216e0a0d5c7fc6beef4368eb9551422

  • C:\Users\Admin\AppData\Local\Temp\nsq55E5.tmp

    Filesize

    35B

    MD5

    6c66825018fd508f24a7fbadc1423e82

    SHA1

    70106bab899e783bdfa308a20ef827c54bcd56d9

    SHA256

    00cbd644d8124cab4ffd5db46f360b0eed2e59c414d6812f5945b20c83e6be39

    SHA512

    d387ba4b54b42c8992c693551e098580ad6fcbfebfd0c074ebd9e49cd1cf6c02344193cbceb6981052fba4ef0444180874b82c00af5d3e10e6b63c0fec6f3603

  • C:\Windows\SysWOW64\kaleb.ini

    Filesize

    45B

    MD5

    9dfd97e7025bf54441fe6759f87e5ddf

    SHA1

    0f04ae6a7bc2213255fc72898f339b12bd743f24

    SHA256

    eea1bdc93e5a8fcbca0aea236d83b487ad2af028095a0d0107f02d397b4372fb

    SHA512

    08ea09b23814906f040060b46d919d45f6aee0c96b27d0baa88813bc46032c274546adb89e354b78f659c962a8588adbbd49966951e1f1b097e2484a07678f44

  • memory/4476-839-0x0000000004320000-0x0000000005555000-memory.dmp

    Filesize

    18.2MB

  • memory/4476-840-0x00000000773C1000-0x00000000774E1000-memory.dmp

    Filesize

    1.1MB

  • memory/4476-841-0x0000000010004000-0x0000000010005000-memory.dmp

    Filesize

    4KB

  • memory/4476-843-0x0000000004320000-0x0000000005555000-memory.dmp

    Filesize

    18.2MB

  • memory/4476-853-0x0000000004320000-0x0000000005555000-memory.dmp

    Filesize

    18.2MB

  • memory/4968-842-0x00000000016F0000-0x0000000002925000-memory.dmp

    Filesize

    18.2MB

  • memory/4968-844-0x0000000077448000-0x0000000077449000-memory.dmp

    Filesize

    4KB

  • memory/4968-845-0x0000000000490000-0x00000000016E4000-memory.dmp

    Filesize

    18.3MB

  • memory/4968-847-0x00000000016F0000-0x0000000002925000-memory.dmp

    Filesize

    18.2MB

  • memory/4968-848-0x00000000773C1000-0x00000000774E1000-memory.dmp

    Filesize

    1.1MB