Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-07-2024 08:39
Static task
- static1

Behavioral tasks
- behavioral1: pko_trans_details_20240710_105339·pdf.exe (resource win7-20240704-en)
- behavioral2: pko_trans_details_20240710_105339·pdf.exe (resource win10v2004-20240709-en)
- behavioral3: $PLUGINSDIR/BgImage.dll (resource win7-20240704-en)
- behavioral4: $PLUGINSDIR/BgImage.dll (resource win10v2004-20240709-en)
- behavioral5: $PLUGINSDIR/UserInfo.dll (resource win7-20240705-en)
- behavioral6: $PLUGINSDIR/UserInfo.dll (resource win10v2004-20240709-en)
- behavioral7: $PLUGINSDIR/nsDialogs.dll (resource win7-20240705-en)
- behavioral8: $PLUGINSDIR/nsDialogs.dll (resource win10v2004-20240709-en)
General
- Target: pko_trans_details_20240710_105339·pdf.exe
- Size: 477KB
- MD5: c601d5e720a191b1e304c8bcbf63b675
- SHA1: 80133fe77b17d44886e6201d7723be90489a55d2
- SHA256: d7325eb4553b2c58a8580cb84af63cfe5cdf4ff23a3d4e09a963c656d5717d8c
- SHA512: 2a78f640f01f365d23bb45bfc96e6900eb1814804bbf905876ac9d6e9353fd3e648efc08858b9e29e41eb6c2262e528d34b00d847524aeeabf41eb319792566f
- SSDEEP: 6144:39X0GFlllllllqllllllllllllhllllYllltlld0wz/ypzAJP8xvP2nWaLcAqRFk:R0Nwzy4EP2nWaPqzJgBKjYl92gCU3Bbl
Malware Config
Signatures
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
- UAC bypass
  Processes:
    - description: Set value (int); ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"; process: reg.exe
- NirSoft MailPassView (1 IoC)
  Password recovery tool for various email clients
  Processes:
    - resource: behavioral2/memory/1760-81-0x0000000000400000-0x0000000000462000-memory.dmp; yara_rule: MailPassView
- NirSoft WebBrowserPassView (1 IoC)
  Password recovery tool for various web browsers
  Processes:
    - resource: behavioral2/memory/2468-80-0x0000000000400000-0x0000000000478000-memory.dmp; yara_rule: WebBrowserPassView
- Nirsoft (3 IoCs)
  Processes:
    - resource: behavioral2/memory/2468-80-0x0000000000400000-0x0000000000478000-memory.dmp; yara_rule: Nirsoft
    - resource: behavioral2/memory/3700-84-0x0000000000400000-0x0000000000424000-memory.dmp; yara_rule: Nirsoft
    - resource: behavioral2/memory/1760-81-0x0000000000400000-0x0000000000462000-memory.dmp; yara_rule: Nirsoft
- Blocklisted process makes network request (10 IoCs)
  Processes:
    - flow: 10; pid: 3220; process: powershell.exe
    - flow: 12; pid: 3220; process: powershell.exe
    - flow: 14; pid: 3220; process: powershell.exe
    - flow: 16; pid: 3220; process: powershell.exe
    - flow: 18; pid: 3220; process: powershell.exe
    - flow: 23; pid: 3220; process: powershell.exe
    - flow: 25; pid: 3220; process: powershell.exe
    - flow: 26; pid: 3220; process: powershell.exe
    - flow: 27; pid: 3220; process: powershell.exe
    - flow: 28; pid: 3220; process: powershell.exe
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Run Powershell and hide display window.
- Loads dropped DLL (4 IoCs)
  Processes:
    - pid: 2644; process: pko_trans_details_20240710_105339·pdf.exe
    - pid: 2644; process: pko_trans_details_20240710_105339·pdf.exe
    - pid: 2644; process: pko_trans_details_20240710_105339·pdf.exe
    - pid: 2644; process: pko_trans_details_20240710_105339·pdf.exe
- Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  Processes:
    - description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts; process: powershell.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    - description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Preeffort = "%Begittede% -windowstyle minimized $Assiduity=(Get-ItemProperty -Path 'HKCU:\\Jeglasset\\').Communicatory;%Begittede% ($Assiduity)"; process: reg.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
- Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  Processes:
    - pid: 3220; process: powershell.exe
    - pid: 3220; process: powershell.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
    - pid: 3220; process: powershell.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
    - description: PID 3220 set thread context of 2468; pid: 3220; process: powershell.exe; target process: powershell.exe
    - description: PID 3220 set thread context of 1760; pid: 3220; process: powershell.exe; target process: powershell.exe
    - description: PID 3220 set thread context of 3700; pid: 3220; process: powershell.exe; target process: powershell.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry key (1 TTP, 2 IoCs)
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes:
    - pid: 3220; process: powershell.exe
    - pid: 3220; process: powershell.exe
    - pid: 3220; process: powershell.exe
    - pid: 3220; process: powershell.exe
    - pid: 3220; process: powershell.exe
    - pid: 3220; process: powershell.exe
    - pid: 3220; process: powershell.exe
    - pid: 3220; process: powershell.exe
    - pid: 3220; process: powershell.exe
    - pid: 2468; process: powershell.exe
    - pid: 2468; process: powershell.exe
    - pid: 3700; process: powershell.exe
    - pid: 3700; process: powershell.exe
    - pid: 2468; process: powershell.exe
    - pid: 2468; process: powershell.exe
- Suspicious behavior: MapViewOfSection (3 IoCs)
  Processes:
    - pid: 3220; process: powershell.exe
    - pid: 3220; process: powershell.exe
    - pid: 3220; process: powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    - description: Token: SeDebugPrivilege; pid: 3220; process: powershell.exe
    - description: Token: SeDebugPrivilege; pid: 3700; process: powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    - pid: 3220; process: powershell.exe
- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes:
    - description: PID 2644 wrote to memory of 3220; pid: 2644; process: pko_trans_details_20240710_105339·pdf.exe; target process: powershell.exe
    - description: PID 2644 wrote to memory of 3220; pid: 2644; process: pko_trans_details_20240710_105339·pdf.exe; target process: powershell.exe
    - description: PID 2644 wrote to memory of 3220; pid: 2644; process: pko_trans_details_20240710_105339·pdf.exe; target process: powershell.exe
    - description: PID 3220 wrote to memory of 2688; pid: 3220; process: powershell.exe; target process: cmd.exe
    - description: PID 3220 wrote to memory of 2688; pid: 3220; process: powershell.exe; target process: cmd.exe
    - description: PID 3220 wrote to memory of 2688; pid: 3220; process: powershell.exe; target process: cmd.exe
    - description: PID 2688 wrote to memory of 3920; pid: 2688; process: cmd.exe; target process: reg.exe
    - description: PID 2688 wrote to memory of 3920; pid: 2688; process: cmd.exe; target process: reg.exe
    - description: PID 2688 wrote to memory of 3920; pid: 2688; process: cmd.exe; target process: reg.exe
    - description: PID 3220 wrote to memory of 1956; pid: 3220; process: powershell.exe; target process: cmd.exe
    - description: PID 3220 wrote to memory of 1956; pid: 3220; process: powershell.exe; target process: cmd.exe
    - description: PID 3220 wrote to memory of 1956; pid: 3220; process: powershell.exe; target process: cmd.exe
    - description: PID 1956 wrote to memory of 732; pid: 1956; process: cmd.exe; target process: reg.exe
    - description: PID 1956 wrote to memory of 732; pid: 1956; process: cmd.exe; target process: reg.exe
    - description: PID 1956 wrote to memory of 732; pid: 1956; process: cmd.exe; target process: reg.exe
    - description: PID 3220 wrote to memory of 2468; pid: 3220; process: powershell.exe; target process: powershell.exe
    - description: PID 3220 wrote to memory of 2468; pid: 3220; process: powershell.exe; target process: powershell.exe
    - description: PID 3220 wrote to memory of 2468; pid: 3220; process: powershell.exe; target process: powershell.exe
    - description: PID 3220 wrote to memory of 2468; pid: 3220; process: powershell.exe; target process: powershell.exe
    - description: PID 3220 wrote to memory of 1760; pid: 3220; process: powershell.exe; target process: powershell.exe
    - description: PID 3220 wrote to memory of 1760; pid: 3220; process: powershell.exe; target process: powershell.exe
    - description: PID 3220 wrote to memory of 1760; pid: 3220; process: powershell.exe; target process: powershell.exe
    - description: PID 3220 wrote to memory of 1760; pid: 3220; process: powershell.exe; target process: powershell.exe
    - description: PID 3220 wrote to memory of 3700; pid: 3220; process: powershell.exe; target process: powershell.exe
    - description: PID 3220 wrote to memory of 3700; pid: 3220; process: powershell.exe; target process: powershell.exe
    - description: PID 3220 wrote to memory of 3700; pid: 3220; process: powershell.exe; target process: powershell.exe
    - description: PID 3220 wrote to memory of 3700; pid: 3220; process: powershell.exe; target process: powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe (PID 2644)
  Command line: "C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3220)
    Command line: "powershell.exe" -windowstyle hidden "$Forhrt=Get-Content 'C:\Users\Admin\AppData\Local\kilns\Unobtainably\Helicopter.San';$Forset=$Forhrt.SubString(45874,3);.$Forset($Forhrt)"
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2688)
      Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preeffort" /t REG_EXPAND_SZ /d "%Begittede% -windowstyle minimized $Assiduity=(Get-ItemProperty -Path 'HKCU:\Jeglasset\').Communicatory;%Begittede% ($Assiduity)"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 3920)
        Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preeffort" /t REG_EXPAND_SZ /d "%Begittede% -windowstyle minimized $Assiduity=(Get-ItemProperty -Path 'HKCU:\Jeglasset\').Communicatory;%Begittede% ($Assiduity)"
        - Adds Run key to start application
        - Modifies registry key
    - C:\Windows\SysWOW64\cmd.exe (PID 1956)
      Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 732)
        Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        - UAC bypass
        - Modifies registry key
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2468)
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\dtgxucotnzmfifzebwqmlwxcdtnqyepc"
      - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1760)
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\nnmp"
      - Accesses Microsoft Outlook accounts
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3700)
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\yqrivmj"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads