Analysis
- max time kernel: 119s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 10-07-2024 01:26

Static task: static1
Behavioral task: behavioral1
- Sample: 4412e46cdfffa346ea1d4e07b30077ccaa09fe1cbbe6f9965df193f2e063f4b7.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 4412e46cdfffa346ea1d4e07b30077ccaa09fe1cbbe6f9965df193f2e063f4b7.exe
- Resource: win10v2004-20240709-en
General
- Target: 4412e46cdfffa346ea1d4e07b30077ccaa09fe1cbbe6f9965df193f2e063f4b7.exe
- Size: 398KB
- MD5: b1c35e78f5d588430c4f534479def9f2
- SHA1: f787dd3327ca04361935f74867f76f16821db99f
- SHA256: 4412e46cdfffa346ea1d4e07b30077ccaa09fe1cbbe6f9965df193f2e063f4b7
- SHA512: 5f78e6794ae313f5ca96c33fe0ecf0c882a18a93caa54bf92823ac42c5c753b6a98d4c77618de2b62cbc9d24e6e500272e4ffa7b25afff20b7e8349fc278a66c
- SSDEEP: 12288:9GkmNVhJhqnfP30YhNia+nv4tQD3W/P19QY:9GkmPh7qfPrsQeD3W/bd
Malware Config
Signatures
- Guloader,Cloudeye
  A shellcode-based downloader first seen in 2020.
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Runs PowerShell with its display window hidden.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  - reg.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ortyginae = "%Monopolizables% -windowstyle minimized $masturbated=(Get-ItemProperty -Path 'HKCU:\\Audiometeret\\').Rudolph;%Monopolizables% ($masturbated)"
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  Processes: 2712 wab.exe (2 hits)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: 2108 powershell.exe, 2712 wab.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: PID 2108 (powershell.exe) set thread context of PID 2712 (wab.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry key (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: 2108 powershell.exe (8 hits)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes: 2108 powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 2108 powershell.exe, Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (source PID -> target PID, hit count):
  - 2572 4412e46cdfffa346ea1d4e07b30077ccaa09fe1cbbe6f9965df193f2e063f4b7.exe -> 2108 powershell.exe (4)
  - 2108 powershell.exe -> 2712 wab.exe (6)
  - 2712 wab.exe -> 2776 cmd.exe (4)
  - 2776 cmd.exe -> 2604 reg.exe (4)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\4412e46cdfffa346ea1d4e07b30077ccaa09fe1cbbe6f9965df193f2e063f4b7.exe (PID 2572)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4412e46cdfffa346ea1d4e07b30077ccaa09fe1cbbe6f9965df193f2e063f4b7.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2108)
    Command line: "powershell.exe" -windowstyle hidden "$Vangede=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Reexpression.Tid';$Spondylotomy=$Vangede.SubString(70479,3);.$Spondylotomy($Vangede)"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files (x86)\windows mail\wab.exe (PID 2712)
      Command line: "C:\Program Files (x86)\windows mail\wab.exe"
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\cmd.exe (PID 2776)
        Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Ortyginae" /t REG_EXPAND_SZ /d "%Monopolizables% -windowstyle minimized $masturbated=(Get-ItemProperty -Path 'HKCU:\Audiometeret\').Rudolph;%Monopolizables% ($masturbated)"
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\reg.exe (PID 2604)
          Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Ortyginae" /t REG_EXPAND_SZ /d "%Monopolizables% -windowstyle minimized $masturbated=(Get-ItemProperty -Path 'HKCU:\Audiometeret\').Rudolph;%Monopolizables% ($masturbated)"
          - Adds Run key to start application
          - Modifies registry key
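The process tree shows the two behaviours worth a detection: the reg.exe write of a REG_EXPAND_SZ Run value whose launcher is hidden behind the %Monopolizables% environment variable and whose script is fetched from the custom key HKCU:\Audiometeret (value Rudolph), and the PowerShell stage that reads Reexpression.Tid from disk, cuts a 3-character token out of it with SubString(70479,3) and dot-sources that token as a command. The Python below is an added example, not part of this sandbox report or of the sample: it parses those command lines the way one would over Sysmon event 1 / 4688 command-line telemetry. The malicious samples are copied from the tree above and embedded as constructed strings; the benign OneDrive autorun is a constructed, hypothetical control. The regex-based reg.exe parsing is my own, not a reg.exe specification.

```python
"""Added example (not part of the sandbox report): two detection rules for the
behaviours in the process tree above, run over command-line telemetry."""
import re

# Constructed samples, copied from the command lines in the process tree above.
REG_ADD_CMDLINE = (
    r'REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Ortyginae" '
    r'/t REG_EXPAND_SZ /d "%Monopolizables% -windowstyle minimized '
    r"$masturbated=(Get-ItemProperty -Path 'HKCU:\Audiometeret\').Rudolph;"
    r'%Monopolizables% ($masturbated)"'
)
PS_CMDLINE = (
    r'"powershell.exe" -windowstyle hidden "$Vangede=Get-Content '
    r"'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Reexpression.Tid';"
    r'$Spondylotomy=$Vangede.SubString(70479,3);.$Spondylotomy($Vangede)"'
)
# Constructed benign control (hypothetical OneDrive autorun); the rules must stay quiet on it.
BENIGN_CMDLINE = (
    r'REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ '
    r'/d "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"'
)

RUN_KEY_RE = re.compile(r"Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\?$", re.I)
REG_ADD_RE = re.compile(r'\bREG(?:\.EXE)?\s+ADD\s+(?:"(?P<qkey>[^"]+)"|(?P<key>\S+))(?P<rest>.*)$',
                        re.I | re.S)
# One reg.exe switch plus its optional argument. Scanning left to right consumes the
# quoted /d argument whole, so switch-like text inside the data is never read as a switch.
OPT_RE = re.compile(r'/(?P<flag>[A-Za-z]+)(?:\s+(?:"(?P<q>[^"]*)"|(?P<b>[^\s/"]\S*)))?')
# (Get-ItemProperty -Path '<key>').<value>: where the autorun fetches its script from.
PAYLOAD_RE = re.compile(r"Get-ItemProperty\s+-Path\s+'(?P<path>[^']+)'\s*\)\s*\.(?P<value>\w+)", re.I)


def parse_reg_add(cmdline):
    """Return {key, value, type, data, force} for a REG ADD command line, else None."""
    m = REG_ADD_RE.search(cmdline)
    if not m:
        return None
    entry = {"key": m.group("qkey") or m.group("key"), "value": None,
             "type": None, "data": None, "force": False}
    for om in OPT_RE.finditer(m.group("rest")):
        arg = om.group("q") if om.group("q") is not None else om.group("b")
        flag = om.group("flag").lower()
        if flag == "v":
            entry["value"] = arg
        elif flag == "t":
            entry["type"] = arg
        elif flag == "d":
            entry["data"] = arg
        elif flag == "f":
            entry["force"] = True
    return entry


def assess_run_key_entry(entry):
    """Rule 1: autorun whose launcher is an env var and whose script lives in the registry."""
    result = {"findings": [], "payload": None}
    if entry is None or not RUN_KEY_RE.search(entry["key"]):
        return result
    data = entry["data"] or ""
    if (entry["type"] or "").upper() == "REG_EXPAND_SZ" and data.startswith("%"):
        result["findings"].append("launcher hidden behind an environment variable (resolved only on expansion)")
    if re.search(r"-w(?:indowstyle)?\s+(?:hidden|minimized)", data, re.I):
        result["findings"].append("PowerShell window-hiding switch in autorun data")
    pm = PAYLOAD_RE.search(data)
    if pm:
        result["payload"] = (pm.group("path"), pm.group("value"))
        result["findings"].append("script fetched from registry value %s under %s"
                                  % (pm.group("value"), pm.group("path")))
    return result


def assess_powershell_cmdline(cmdline):
    """Rule 2: read a blob from disk, cut a short token out of it, invoke the token as a command."""
    result = {"findings": [], "script_path": None, "substring": None}
    if not re.search(r"powershell(?:\.exe)?", cmdline, re.I):
        return result
    if re.search(r"-w(?:indowstyle)?\s+hidden", cmdline, re.I):
        result["findings"].append("window hidden")
    gc = re.search(r"Get-Content\s+'(?P<path>[^']+)'", cmdline, re.I)
    if gc:
        result["script_path"] = gc.group("path")
        result["findings"].append("script body read from " + gc.group("path"))
    ss = re.search(r"\.SubString\((?P<off>\d+)\s*,\s*(?P<len>\d+)\)", cmdline, re.I)
    if ss and int(ss.group("len")) <= 4:
        result["substring"] = (int(ss.group("off")), int(ss.group("len")))
        result["findings"].append("%s-char token cut from the blob at offset %s"
                                  % (ss.group("len"), ss.group("off")))
    if re.search(r"[.&]\s*\$\w+\s*\(", cmdline):
        result["findings"].append("token invoked as a command via the dot/call operator")
    return result


def triage(cmdlines):
    """Run both rules; return (truncated command line, findings) for every line that fires."""
    hits = []
    for c in cmdlines:
        if re.search(r"\bREG(?:\.EXE)?\s+ADD\b", c, re.I):
            r = assess_run_key_entry(parse_reg_add(c))
        else:
            r = assess_powershell_cmdline(c)
        if r["findings"]:
            hits.append((c[:60], r["findings"]))
    return hits


if __name__ == "__main__":
    for cmd, findings in triage([REG_ADD_CMDLINE, PS_CMDLINE, BENIGN_CMDLINE]):
        print(cmd + " ...")
        for f in findings:
            print("  -", f)
```

Two caveats for a live host. The Run value data never names powershell.exe, so a hunt that greps autorun values for "powershell" misses this entry; the environment variable has to be resolved first, and this report does not show where %Monopolizables% is defined (the user's HKCU\Environment key is the first place to look). Likewise the 3-character token and the real script live inside Reexpression.Tid, so that file and the HKCU:\Audiometeret\Rudolph value, not the command lines, are the artifacts to collect.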
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 344KB
  MD5: 1a78d0f226d0db154812e61b8cadb4b8
  SHA1: e76650e32ed8bc1e3d72dde1aa6566ff031e0c6e
  SHA256: 19997e372b58bcd5bacd8b199b1633307f0c89fc3ce7abfd4087ec739742f78e
  SHA512: b06759e8bfeb73187c5277aaaa9c6489f51a88f42b461ec0775de6741f6b797dc3c2cbb8f6cf79815078a420a26cde9cedd861c4d16ac73a037e2160efc4ec41
- Filesize: 68KB
  MD5: d89dac6d6bcfb431c31bdf7d21f48fbd
  SHA1: 2f55f2b77da6a9078c7bb90fd87b205c9c4cf3b9
  SHA256: ffeacf6c0a98133600a0f1de25732fb4b22b06af6921edd316e52a6d7837359b
  SHA512: 76eb9025c18fd7661cb72d47c7eda57a45304594e5aea32fe73b1dd94ec9db81753726f83e6d9f82924c3b9295eef4725dbaa7d633963ac8e8e91b7444346070