Malware Analysis Report

2024-10-18 23:08

Sample ID 240709-nlhmpatdjh
Target invoice.exe
SHA256 2926ff4aaaf732eb191704ec4b0b5081c9046b1a08ccf3871b14e7600e07d34c
Tags: guloader downloader execution persistence
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file invoice.exe was found to be: Known bad.

Malicious Activity Summary

Guloader, Cloudeye

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Unsigned PE

Enumerates physical storage devices

NSIS installer

Suspicious behavior: MapViewOfSection

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-07-09 11:28

Signatures

Unsigned PE

NSIS installer

installer

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-09 11:28

Reported

2024-07-09 11:34

Platform

win7-20240705-en

Max time kernel

316s

Max time network

317s

Command Line

"C:\Users\Admin\AppData\Local\Temp\invoice.exe"

Signatures

Guloader, Cloudeye

downloader guloader

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Udmund = "%Internality% -windowstyle minimized $Skibsfart=(Get-ItemProperty -Path 'HKCU:\\Backlash\\').Preseparated;%Internality% ($Skibsfart)" | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Observerbare86.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Observerbare86.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2320 set thread context of 1988 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\Observerbare86.exe

Enumerates physical storage devices

NSIS installer

installer

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2384 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\invoice.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2320 wrote to memory of 1988 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\Observerbare86.exe
PID 1988 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\Observerbare86.exe | C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 692 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\invoice.exe

"C:\Users\Admin\AppData\Local\Temp\invoice.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -windowstyle hidden "$Udlbstidspunkter=Get-Content 'C:\Users\Admin\AppData\Local\Temp\Servicebureauet\aloe\collinsia\Handelsstandsforeningernes.Toi';$Subdelegate=$Udlbstidspunkter.SubString(69683,3);.$Subdelegate($Udlbstidspunkter)"

C:\Users\Admin\AppData\Local\Temp\Observerbare86.exe

"C:\Users\Admin\AppData\Local\Temp\Observerbare86.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udmund" /t REG_EXPAND_SZ /d "%Internality% -windowstyle minimized $Skibsfart=(Get-ItemProperty -Path 'HKCU:\Backlash\').Preseparated;%Internality% ($Skibsfart)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udmund" /t REG_EXPAND_SZ /d "%Internality% -windowstyle minimized $Skibsfart=(Get-ItemProperty -Path 'HKCU:\Backlash\').Preseparated;%Internality% ($Skibsfart)"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | drive.google.com | udp
GB | 172.217.16.238:443 | drive.google.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 216.58.201.99:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | o.pki.goog | udp
GB | 216.58.201.99:80 | o.pki.goog | tcp
US | 8.8.8.8:53 | drive.usercontent.google.com | udp
GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp

Files

C:\Users\Admin\Desktop\Flyverdragter.lnk

MD5 e1f9e012d6a177b9fdb259de551c2db4
SHA1 65609a0c4740e3ccc5f5510b55c9006c576840ac
SHA256 6463f0514d8119de8e60b44bdabe90004c2399ace020d426becbf427a6144a0c
SHA512 a222d0b78e80d9402ebf1560e5fb5995f3a3d674c7144a5494cf7fa3352654c9d187a522587208e903c06fcf3de404e3e8fc31ffed92fa0c4aa749586a63f668

\Users\Admin\AppData\Local\Temp\nsj5024.tmp\nsExec.dll

MD5 b648c78981c02c434d6a04d4422a6198
SHA1 74d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA256 3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512 219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

\Users\Admin\AppData\Local\Temp\nsj5024.tmp\BgImage.dll

MD5 350a507070ed063ac6a511aeef67861a
SHA1 cf647b90a1212e090f1d236d1b50a5010cbf3bae
SHA256 5c66abd3f06eaa357ed9663224c927cf7120dca010572103faa88832bb31c5ab
SHA512 cde5747cc8539625e4262afad9699ce4e8325133d7ed7f47b9d46989a7aa0d2cc2488441acc57368f485ef1dd3e02b9ef2faa642f68e9f1db53a39e0f896d468

\Users\Admin\AppData\Local\Temp\nsj5024.tmp\nsDialogs.dll

MD5 13b6a88cf284d0f45619e76191e2b995
SHA1 09ebb0eb4b1dca73d354368414906fc5ad667e06
SHA256 cb958e21c3935ef7697a2f14d64cae0f9264c91a92d2deeb821ba58852dac911
SHA512 2aeeae709d759e34592d8a06c90e58aa747e14d54be95fb133994fdcebb1bdc8bc5d82782d0c8c3cdfd35c7bea5d7105379d3c3a25377a8c958c7b2555b1209e

C:\Users\Admin\AppData\Local\Temp\Servicebureauet\aloe\collinsia\Handelsstandsforeningernes.Toi

MD5 9f369129a14ef6d8d0867ec4d9b6eb19
SHA1 2a56ca0fb0b4590c030d293a7829ac087212821b
SHA256 9f288ab07bf267422b4670dfd87f373115682a026e63db13e9bab44977c8cc0f
SHA512 d8fd8aeabfa1bd47f0d3ca2208ac9154496d9b38ef6b185a3c9bf26877539f57a5b0e022c02ae2121a68f74ab13f45f446124dc6d8d90020defd1abeb2825326

C:\Users\Admin\AppData\Local\Temp\Servicebureauet\aloe\collinsia\Typehuses.Ver

MD5 edd82166d9af4f94ca8413254ad27eee
SHA1 cbe26db0839f63fc825205293f32660e8fa4b63c
SHA256 b1246b2938bd2fa73f3a6679ea5040697db9a6ace3607fd2f20c5db2eeecc907
SHA512 7f25fac516c23cdddfbf8f22e3f29e23c599ceacdfcf5d84531535e7838114bc982bef629ab219c7a17bcbc9ac97f159642297da7e2c1d8fa8d921917986fae8

\Users\Admin\AppData\Local\Temp\Observerbare86.exe

MD5 5cb973edda7244515c1ddf1f532b67bc
SHA1 e03200f1949f4c85379cb31d2d61165794efb481
SHA256 2926ff4aaaf732eb191704ec4b0b5081c9046b1a08ccf3871b14e7600e07d34c
SHA512 220f5d5b8677de13495525bc825e048f25dbd9fe829f37e31a64f5ee72cf62945a1d71456a4438f96cd58496289f3cbccb2d7a3ee7fbe1c75e0ee15c93bad9ed
