Analysis
- max time kernel: 149s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-06-2024 18:31
Static task: static1
Behavioral task: behavioral1 (sample: Assistentuddannelserne.exe; resource: win7-20231129-en)
Behavioral task: behavioral2 (sample: Assistentuddannelserne.exe; resource: win10v2004-20240426-en)
Behavioral task: behavioral3 (sample: $PLUGINSDIR/System.dll; resource: win7-20231129-en)
Behavioral task: behavioral4 (sample: $PLUGINSDIR/System.dll; resource: win10v2004-20240426-en)
General
- Target: Assistentuddannelserne.exe
- Size: 652KB
- MD5: 5edee175c5003771dea841893ea46602
- SHA1: 14b96459dff641245aea6dacd34512830d945ee2
- SHA256: d564eb94afb174fe3b854de086eda2a4e015d778a9aea9806e79f82044eac74e
- SHA512: f16f409fa299352007cc5a78950590542c6d846263f5c25b0d80ac32f3b7f92fae2deafb360d1ee6adb73fbbfcc9f0341f730703febf1c0a7013ff4bef7cfb81
- SSDEEP: 12288:8bzbPZYc4aWV/8RxQM6ybpC2ZQt57tEwV3cyiqr7pDggHIMjbTJ+c:8bzbKc4NUP/dpC2ZQbJ53/XNr
Malware Config
Signatures
-
GuLoader, CloudEyE
A shellcode-based downloader first seen in 2020.
-
Loads dropped DLL 1 IoCs
Processes:
- PID 3080 Assistentuddannelserne.exe
The behavioral tasks above include $PLUGINSDIR/System.dll, the standard NSIS System plugin, which identifies the sample as an NSIS installer wrapper; the System plugin is what NSIS scripts use to call arbitrary Win32 APIs, and GuLoader-style NSIS packages use it to allocate memory and run shellcode.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
- PID 3404 Assistentuddannelserne.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
- PID 3080 Assistentuddannelserne.exe
- PID 3404 Assistentuddannelserne.exe
Both calls set ThreadHideFromDebugger, which stops the thread from delivering debug events; the behaviour is seen in the first process and again in the spawned copy.
-
Suspicious use of SetThreadContext 5 IoCs
Processes (source PID -> target PID, source image -> target image):
- 3080 -> 3404: Assistentuddannelserne.exe -> Assistentuddannelserne.exe
- 3404 -> 3592: Assistentuddannelserne.exe -> Explorer.EXE
- 3404 -> 216: Assistentuddannelserne.exe -> SearchIndexer.exe
- 216 -> 3592: SearchIndexer.exe -> Explorer.EXE
- 216 -> 4548: SearchIndexer.exe -> Firefox.exe
Read as a chain: the sample spawns a second copy of itself and redirects its thread (3080 -> 3404); that copy then sets thread context in Explorer.EXE and SearchIndexer.exe, and SearchIndexer.exe in turn targets Explorer.EXE and Firefox.exe.
-
Drops file in Program Files directory 1 IoCs
Processes:
- File opened for modification: C:\Program Files (x86)\egnethedernes\hals.ini (Assistentuddannelserne.exe)
-
Drops file in Windows directory 1 IoCs
Processes:
- File opened for modification: C:\Windows\resources\0409\binbashi.ini (Assistentuddannelserne.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings
Processes:
- Key created: \Registry\User\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (SearchIndexer.exe)
IntelliForms\Storage2 is the Internet Explorer AutoComplete store for saved form data and credentials. The Windows Search indexer has no reason to create it, so this key appearing under a SearchIndexer.exe process is consistent with a credential-stealing payload running inside the injected process.
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
Processes: PID 3404 Assistentuddannelserne.exe and PID 216 SearchIndexer.exe (48 events in total, most attributed to PID 216 SearchIndexer.exe)
-
Suspicious behavior: MapViewOfSection 8 IoCs
Processes (PID, image, event count):
- 3080 Assistentuddannelserne.exe (1)
- 3404 Assistentuddannelserne.exe (1)
- 3592 Explorer.EXE (2)
- 216 SearchIndexer.exe (4)
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes (source PID -> target PID, source image -> target image, event count):
- 3080 -> 3404: Assistentuddannelserne.exe -> Assistentuddannelserne.exe (5)
- 3592 -> 216: Explorer.EXE -> SearchIndexer.exe (3)
- 216 -> 4548: SearchIndexer.exe -> Firefox.exe (2)
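The SetThreadContext and WriteProcessMemory rows above together describe a multi-hop injection chain, but the sandbox presents them as flat per-API tables. The script below is an added example, not part of the sandbox report and not code from any tool it uses: it parses those rows (reproduced inline, in the report's own flattened wording, as constructed input) into a process-injection graph, labels each edge by what the source/target pair and API mix imply, and walks the SetThreadContext hops from the first sample PID. The SYSTEM_IMAGES and BROWSER_IMAGES lists are assumptions for illustration; the report states nothing about them.

```python
"""Rebuild a sandbox report's SetThreadContext / WriteProcessMemory rows into an
injection graph. Added example; the input rows are copied from the report above."""
import re
from collections import defaultdict

# Constructed input: the five SetThreadContext rows and the three distinct
# WriteProcessMemory rows from the report, one event per line, in the
# sandbox's flattened wording ("PID <src> <verb> <dst> <src> <src_img> <dst_img>").
SAMPLE_EVENTS = """
PID 3080 set thread context of 3404 3080 Assistentuddannelserne.exe Assistentuddannelserne.exe
PID 3404 set thread context of 3592 3404 Assistentuddannelserne.exe Explorer.EXE
PID 3404 set thread context of 216 3404 Assistentuddannelserne.exe SearchIndexer.exe
PID 216 set thread context of 3592 216 SearchIndexer.exe Explorer.EXE
PID 216 set thread context of 4548 216 SearchIndexer.exe Firefox.exe
PID 3080 wrote to memory of 3404 3080 Assistentuddannelserne.exe Assistentuddannelserne.exe
PID 3592 wrote to memory of 216 3592 Explorer.EXE SearchIndexer.exe
PID 216 wrote to memory of 4548 216 SearchIndexer.exe Firefox.exe
"""

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)
API_FOR_VERB = {"set thread context of": "SetThreadContext",
                "wrote to memory of": "WriteProcessMemory"}

# Assumption (not from the report): image names worth flagging as injection
# targets. A production allowlist would come from your own process baseline.
SYSTEM_IMAGES = {"explorer.exe", "searchindexer.exe", "svchost.exe"}
BROWSER_IMAGES = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}


def parse_events(text):
    """One dict per recognised row; rows that do not match the pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({"src": int(m["src"]), "dst": int(m["dst"]),
                           "api": API_FOR_VERB[m["verb"]],
                           "src_img": m["src_img"], "dst_img": m["dst_img"]})
    return events


def build_graph(events):
    """Collapse rows into edges (src_pid, dst_pid) -> set of APIs, plus pid -> image."""
    edges, images = defaultdict(set), {}
    for e in events:
        edges[(e["src"], e["dst"])].add(e["api"])
        images[e["src"]], images[e["dst"]] = e["src_img"], e["dst_img"]
    return edges, images


def classify(edges, images):
    """Label every edge: same image written to and redirected is hollowing of a
    spawned copy; otherwise judge by where the target image sits."""
    findings = []
    for (src, dst), apis in sorted(edges.items()):
        src_img, dst_img = images[src], images[dst]
        if src_img.lower() == dst_img.lower() and apis >= {"SetThreadContext", "WriteProcessMemory"}:
            kind = "self-hollowing: writes into and redirects a second copy of its own image"
        elif dst_img.lower() in SYSTEM_IMAGES:
            kind = "injection into Windows system process"
        elif dst_img.lower() in BROWSER_IMAGES:
            kind = "injection into browser"
        else:
            kind = "cross-process write"
        findings.append({"src": src, "dst": dst, "src_img": src_img,
                         "dst_img": dst_img, "apis": sorted(apis), "kind": kind})
    return findings


def injection_chains(edges, images, root):
    """Follow SetThreadContext edges depth-first from root; one string per hop sequence.
    Nodes already on the path are not revisited, so cyclic data cannot loop."""
    chains = []

    def walk(pid, path):
        nxt = [d for (s, d), apis in edges.items()
               if s == pid and "SetThreadContext" in apis and d not in path]
        if not nxt:
            chains.append(" -> ".join(f"{images[p]}({p})" for p in path))
        for d in nxt:
            walk(d, path + [d])

    walk(root, [root])
    return chains


if __name__ == "__main__":
    edges, images = build_graph(parse_events(SAMPLE_EVENTS))
    for f in classify(edges, images):
        print(f"{f['src_img']}({f['src']}) -> {f['dst_img']}({f['dst']}): "
              f"{', '.join(f['apis'])} [{f['kind']}]")
    for chain in injection_chains(edges, images, root=3080):
        print("chain:", chain)
```

Run as-is it prints six labelled edges and three chains rooted at PID 3080, the longest ending in Firefox.exe. Pointing it at a different report only requires pasting that report's rows into SAMPLE_EVENTS; the regex tolerates the sandbox's repeated source PID after the target PID, which is what makes the flat rows awkward to read by eye.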
Processes
- [1] C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), PID 3592
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\Assistentuddannelserne.exe (command line: "C:\Users\Admin\AppData\Local\Temp\Assistentuddannelserne.exe"), PID 3080
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\Assistentuddannelserne.exe (command line: "C:\Users\Admin\AppData\Local\Temp\Assistentuddannelserne.exe"), PID 3404
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
  - [2] C:\Windows\SysWOW64\SearchIndexer.exe (command line: "C:\Windows\SysWOW64\SearchIndexer.exe"), PID 216
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files\Mozilla Firefox\Firefox.exe (command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"), PID 4548
The bracketed number is the depth in the process tree. Two things in this tree are worth a hunting rule on their own: the legitimate Windows Search indexer runs as the WSearch service under services.exe from System32, so a 32-bit SearchIndexer.exe started from SysWOW64 with Explorer.EXE as its parent is anomalous, and Firefox.exe being started by that SearchIndexer.exe (rather than by the user's shell) is the injected payload staging a browser target.
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 12KB
- MD5: cff85c549d536f651d4fb8387f1976f2
- SHA1: d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
- SHA256: 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
- SHA512: 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88